diff --git a/blacklist.conf b/blacklist.conf index 8c4f9b1..68741f4 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -1458,3 +1458,4 @@ bd0abfa8ca1dab85e9cedbf1988e5b4e53c67584 # Documentation only fd933c00ebe220060e66fb136a7050a242456566 # Documentation only 39323c64b8a95d10ddc66dc815dd14efdddf6777 # Documentation only 84029fd04c201a4c7e0b07ba262664900f47c6f5 # changes limit semantics, fixes noncritical case, see bsc#1164094 +6df19872d881641e6394f93ef2938cffcbdae5bb # arm 32bit only diff --git a/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch new file mode 100644 index 0000000..ae7515a --- /dev/null +++ b/patches.suse/0001-KVM-fix-spectrev1-gadgets.patch @@ -0,0 +1,133 @@ +Patch-mainline: v5.1-rc6 +Git-commit: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c +From: Paolo Bonzini +Date: Thu, 11 Apr 2019 11:16:47 +0200 +Subject: [PATCH] KVM: fix spectrev1 gadgets +References: bsc#1164705 + +These were found with smatch, and then generalized when applicable. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 4 +++- + include/linux/kvm_host.h | 10 ++++++---- + virt/kvm/irqchip.c | 5 +++-- + virt/kvm/kvm_main.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 991fdf7fc17f..9bf70cf84564 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, + if (offset <= max_apic_id) { + u8 cluster_size = min(max_apic_id - offset + 1, 16U); + ++ offset = array_index_nospec(offset, map->max_apic_id + 1); + *cluster = &map->phys_map[offset]; + *mask = dest_id & (0xffff >> (16 - cluster_size)); + } else { +@@ -838,7 +839,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, + if (irq->dest_id > map->max_apic_id) { + *bitmap = 0; + } else { +- *dst = &map->phys_map[irq->dest_id]; ++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); ++ *dst = &map->phys_map[dest_id]; + *bitmap = 1; + } + return true; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 9d55c63db09b..640a03642766 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -484,10 +485,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { +- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case +- * the caller has read kvm->online_vcpus before (as is the case +- * for kvm_for_each_vcpu, for example). +- */ ++ int num_vcpus = atomic_read(&kvm->online_vcpus); ++ i = array_index_nospec(i, num_vcpus); ++ ++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ + smp_rmb(); + return kvm->vcpus[i]; + } +@@ -571,6 +572,7 @@ void kvm_put_kvm(struct kvm *kvm); + + static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) + { ++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); + return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, + lockdep_is_held(&kvm->slots_lock) || + !refcount_read(&kvm->users_count)); +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c +index 3547b0d8c91e..79e59e4fa3dc 100644 +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *ei; + int r; ++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); + + /* + * Do not allow GSI to be mapped to the same irqchip more than once. + * Allow only one to one mapping between GSI and non-irqchip routing. + */ +- hlist_for_each_entry(ei, &rt->map[ue->gsi], link) ++ hlist_for_each_entry(ei, &rt->map[gsi], link) + if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->u.irqchip.irqchip == ei->irqchip.irqchip) + return -EINVAL; + +- e->gsi = ue->gsi; ++ e->gsi = gsi; + e->type = ue->type; + r = kvm_set_routing_entry(kvm, e, ue); + if (r) +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 55fe8e20d8fd..dc8edc97ba85 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2982,12 +2982,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + struct kvm_device_ops *ops = NULL; + struct kvm_device *dev; + bool test = cd->flags & KVM_CREATE_DEVICE_TEST; ++ int type; + int ret; + + if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) + return -ENODEV; + +- ops = kvm_device_ops_table[cd->type]; ++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); ++ ops = kvm_device_ops_table[type]; + if (ops == NULL) + return -ENODEV; + +@@ -3002,7 +3004,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + dev->kvm = kvm; + + mutex_lock(&kvm->lock); +- ret = ops->create(dev, cd->type); ++ ret = ops->create(dev, type); + if (ret < 0) { + mutex_unlock(&kvm->lock); + kfree(dev); +-- +2.16.4 + diff --git a/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch new file mode 100644 index 0000000..032f55a --- /dev/null +++ b/patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch @@ -0,0 +1,58 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:41 -0800 +Subject: [PATCH] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks +References: bsc#1164705 + +This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). +kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported +symbol, so KVM should treat it conservatively from a security perspective. + +Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/emulate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index e9833e345a5c..2d4faefe8dd4 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -24,6 +24,7 @@ + #include "kvm_cache_regs.h" + #include + #include ++#include + #include + #include + +@@ -5200,10 +5201,15 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) + } + break; + case Escape: +- if (ctxt->modrm > 0xbf) +- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; +- else ++ if (ctxt->modrm > 0xbf) { ++ size_t size = ARRAY_SIZE(opcode.u.esc->high); ++ u32 index = array_index_nospec( ++ ctxt->modrm - 0xc0, size); ++ ++ opcode = opcode.u.esc->high[index]; ++ } else { + opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; ++ } + break; + case InstrDual: + if ((ctxt->modrm >> 6) == 3) +-- +2.16.4 + diff --git a/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch new file mode 100644 index 0000000..6518be2 --- /dev/null +++ b/patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch @@ -0,0 +1,62 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8618793750071d66028584a83ed0b4fa7eb4f607 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:42 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from + Spectre-v1/L1TF attacks +References: bsc#1164712 + +This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data() +and kvm_hv_msr_set_crash_data(). +These functions contain index computations that use the +(attacker-controlled) MSR number. + +Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/hyperv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index b255b9e865e5..4df1c965bf1a 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -753,11 +753,12 @@ static int kvm_hv_msr_get_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 *pdata) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- *pdata = hv->hv_crash_param[index]; ++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)]; + return 0; + } + +@@ -796,11 +797,12 @@ static int kvm_hv_msr_set_crash_data(struct kvm_vcpu *vcpu, + u32 index, u64 data) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- hv->hv_crash_param[index] = data; ++ hv->hv_crash_param[array_index_nospec(index, size)] = data; + return 0; + } + +-- +2.16.4 + diff --git a/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch new file mode 100644 index 0000000..fbfaf8f --- /dev/null +++ b/patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch @@ -0,0 +1,48 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 14e32321f3606e4b0970200b6e5e47ee6f1e6410 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:43 -0800 +Subject: [PATCH] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF + attacks +References: bsc#1164727 + +This fixes a Spectre-v1/L1TF vulnerability in picdev_write(). +It replaces index computations based on the (attacked-controlled) port +number with constants through a minor refactoring. + +Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/i8259.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c +index 8b38bb4868a6..629a09ca9860 100644 +--- a/arch/x86/kvm/i8259.c ++++ b/arch/x86/kvm/i8259.c +@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic *s, + switch (addr) { + case 0x20: + case 0x21: ++ pic_lock(s); ++ pic_ioport_write(&s->pics[0], addr, data); ++ pic_unlock(s); ++ break; + case 0xa0: + case 0xa1: + pic_lock(s); +- pic_ioport_write(&s->pics[addr >> 7], addr, data); ++ pic_ioport_write(&s->pics[1], addr, data); + pic_unlock(s); + break; + case 0x4d0: +-- +2.16.4 + diff --git a/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch new file mode 100644 index 0000000..67fe331 --- /dev/null +++ b/patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch @@ -0,0 +1,61 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 8c86405f606ca8508b8d9280680166ca26723695 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:44 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF + attacks +References: bsc#1164728 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index 7312aab33298..c5776febb517 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + default: + { + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; +- u64 redir_content; ++ u64 redir_content = ~0ULL; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ if (redir_index < IOAPIC_NUM_PINS) { ++ u32 index = array_index_nospec( ++ redir_index, IOAPIC_NUM_PINS); ++ ++ redir_content = ioapic->redirtbl[index].bits; ++ } + + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : +-- +2.16.4 + diff --git a/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch new file mode 100644 index 0000000..bbdb310 --- /dev/null +++ b/patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch @@ -0,0 +1,43 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 670564559ca35b439c8d8861fc399451ddf95137 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:45 -0800 +Subject: [PATCH] KVM: x86: Protect ioapic_write_indirect() from + Spectre-v1/L1TF attacks +References: bsc#1164729 + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +This patch depends on patch +"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". + +Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/ioapic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index c5776febb517..26aa22cb9b29 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -299,6 +299,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val) + ioapic_debug("change redir index %x val %x\n", index, val); + if (index >= IOAPIC_NUM_PINS) + return; ++ index = array_index_nospec(index, IOAPIC_NUM_PINS); + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; + /* Preserve read-only fields */ +-- +2.16.4 + diff --git a/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch new file mode 100644 index 0000000..d11a2bb --- /dev/null +++ b/patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch @@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 4bf79cb089f6b1c6c632492c0271054ce52ad766 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:46 -0800 +Subject: [PATCH] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF + attacks +References: bsc#1164730 + +This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/lapic.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 88c3c0c6d1e3..865edce27a6a 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1791,15 +1791,20 @@ int kvm_lapic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) + case APIC_LVTTHMR: + case APIC_LVTPC: + case APIC_LVT1: +- case APIC_LVTERR: ++ case APIC_LVTERR: { + /* TODO: Check vector */ ++ size_t size; ++ u32 index; ++ + if (!kvm_apic_sw_enabled(apic)) + val |= APIC_LVT_MASKED; +- +- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; ++ size = ARRAY_SIZE(apic_lvt_mask); ++ index = array_index_nospec( ++ (reg - APIC_LVTT) >> 4, size); ++ val &= apic_lvt_mask[index]; + kvm_lapic_set_reg(apic, reg, val); +- + break; ++ } + + case APIC_LVTT: + if (!kvm_apic_sw_enabled(apic)) +-- +2.16.4 + diff --git a/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch new file mode 100644 index 0000000..129a207 --- /dev/null +++ b/patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch @@ -0,0 +1,50 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 25a5edea71b7c154b6a0b8cec14c711cafa31d26 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:47 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in + fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks +References: bsc#1164731 + +This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/mtrr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 25ce3edd1872..7f0059aa30e1 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 msr, int *seg, int *unit) + break; + case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: + *seg = 1; +- *unit = msr - MSR_MTRRfix16K_80000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix16K_80000, ++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); + break; + case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: + *seg = 2; +- *unit = msr - MSR_MTRRfix4K_C0000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix4K_C0000, ++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); + break; + default: + return false; +-- +2.16.4 + diff --git a/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch new file mode 100644 index 0000000..72ba054 --- /dev/null +++ b/patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch @@ -0,0 +1,72 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 13c5183a4e643cc2b03a22d0e582c8e17bb7457d +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:48 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations in pmu.h from + Spectre-v1/L1TF attacks +References: bsc#1164732 + +This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and +get_fixed_pmc() functions. +They both contain index computations based on the (attacker-controlled) +MSR number. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h +index 7ebb62326c14..13332984b6d5 100644 +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -1,6 +1,8 @@ + #ifndef __KVM_X86_PMU_H + #define __KVM_X86_PMU_H + ++#include ++ + #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu) + #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu)) + #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu) +@@ -80,8 +82,12 @@ static inline bool kvm_valid_perf_global_ctrl(struct kvm_pmu *pmu, + static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr, + u32 base) + { +- if (msr >= base && msr < base + pmu->nr_arch_gp_counters) +- return &pmu->gp_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_gp_counters); ++ ++ return &pmu->gp_counters[index]; ++ } + + return NULL; + } +@@ -91,8 +97,12 @@ static inline struct kvm_pmc *get_fixed_pmc(struct kvm_pmu *pmu, u32 msr) + { + int base = MSR_CORE_PERF_FIXED_CTR0; + +- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) +- return &pmu->fixed_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_fixed_counters); ++ ++ return &pmu->fixed_counters[index]; ++ } + + return NULL; + } +-- +2.16.4 + diff --git a/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch new file mode 100644 index 0000000..8aa91b3 --- /dev/null +++ b/patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch @@ -0,0 +1,57 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 6ec4c5eee1750d5d17951c4e1960d953376a0dda +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:49 -0800 +Subject: [PATCH] KVM: x86: Protect MSR-based index computations from + Spectre-v1/L1TF attacks in x86.c +References: bsc#1164733 + +This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and +get_msr_mce(). +Both functions contain index computations based on the +(attacker-controlled) MSR number. + +Fixes: 890ca9aefa78 ("KVM: Add MCE support") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 985066e1bda5..913e55f6dca3 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2138,7 +2138,10 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + /* only 0 or all 1s can be written to IA32_MCi_CTL + * some Linux kernels though clear bit 10 in bank 4 to + * workaround a BIOS/GART TBL issue on AMD K8s, ignore +@@ -2526,7 +2529,10 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + data = vcpu->arch.mce_banks[offset]; + break; + } +-- +2.16.4 + diff --git a/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch new file mode 100644 index 0000000..07d4f50 --- /dev/null +++ b/patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch @@ -0,0 +1,60 @@ +Patch-mainline: v5.6-rc1 +Git-commit: ea740059ecb37807ba47b84b33d1447435a8d868 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:52 -0800 +Subject: [PATCH] KVM: x86: Protect DR-based index computations from + Spectre-v1/L1TF attacks +References: bsc#1164734 + +This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and +kvm_get_dr(). +Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are +exported symbols so KVM should tream them conservatively from a security +perspective. + +Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/x86.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 913e55f6dca3..780224e76723 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -917,9 +917,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu *vcpu) + + static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- vcpu->arch.db[dr] = val; ++ vcpu->arch.db[array_index_nospec(dr, size)] = val; + if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) + vcpu->arch.eff_db[dr] = val; + break; +@@ -956,9 +958,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); + + int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- *val = vcpu->arch.db[dr]; ++ *val = vcpu->arch.db[array_index_nospec(dr, size)]; + break; + case 4: + /* fall through */ +-- +2.16.4 + diff --git a/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch new file mode 100644 index 0000000..0b2dbb4 --- /dev/null +++ b/patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch @@ -0,0 +1,77 @@ +Patch-mainline: v5.6-rc1 +Git-commit: 66061740f1a487f4ed54fde75e724709f805da53 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:53 -0800 +Subject: [PATCH] KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks +References: bsc#1164735 + +This fixes Spectre-v1/L1TF vulnerabilities in intel_find_fixed_event() +and intel_rdpmc_ecx_to_pmc(). +kvm_rdpmc() (ancestor of intel_find_fixed_event()) and +reprogram_fixed_counter() (ancestor of intel_rdpmc_ecx_to_pmc()) are +exported symbols so KVM should treat them conservatively from a security +perspective. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/pmu_intel.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c +index 7023138b1cb0..34a3a17bb6d7 100644 +--- a/arch/x86/kvm/pmu_intel.c ++++ b/arch/x86/kvm/pmu_intel.c +@@ -87,10 +87,14 @@ static unsigned intel_find_arch_event(struct kvm_pmu *pmu, + + static unsigned intel_find_fixed_event(int idx) + { +- if (idx >= ARRAY_SIZE(fixed_pmc_events)) ++ u32 event; ++ size_t size = ARRAY_SIZE(fixed_pmc_events); ++ ++ if (idx >= size) + return PERF_COUNT_HW_MAX; + +- return intel_arch_events[fixed_pmc_events[idx]].event_type; ++ event = fixed_pmc_events[array_index_nospec(idx, size)]; ++ return intel_arch_events[event].event_type; + } + + /* check if a PMC is enabled by comparing it with globl_ctrl bits. */ +@@ -131,15 +135,19 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu, + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu); + bool fixed = idx & (1u << 30); + struct kvm_pmc *counters; ++ unsigned int num_counters; + + idx &= ~(3u << 30); +- if (!fixed && idx >= pmu->nr_arch_gp_counters) +- return NULL; +- if (fixed && idx >= pmu->nr_arch_fixed_counters) ++ if (fixed) { ++ counters = pmu->fixed_counters; ++ num_counters = pmu->nr_arch_fixed_counters; ++ } else { ++ counters = pmu->gp_counters; ++ num_counters = pmu->nr_arch_gp_counters; ++ } ++ if (idx >= num_counters) + return NULL; +- counters = fixed ? pmu->fixed_counters : pmu->gp_counters; +- +- return &counters[idx]; ++ return &counters[array_index_nospec(idx, num_counters)]; + } + + static bool intel_is_valid_msr(struct kvm_vcpu *vcpu, u32 msr) +-- +2.16.4 + diff --git a/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 0000000..90606c9 --- /dev/null +++ b/patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch @@ -0,0 +1,31 @@ +From: Navid Emamdoost +Date: Mon, 25 Nov 2019 13:52:52 -0600 +Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn() +Git-commit: 8c386cc817878588195dde38e919aa6ba9409d58 +Patch-mainline: 5.6-rc1 +References: git-fixes + +In the implementation of pci_iov_add_virtfn() the allocated virtfn is +leaked if pci_setup_device() fails. The error handling is not calling +pci_stop_and_remove_bus_device(). Change the goto label to failed2. + +Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()") +Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jiri Slaby +--- + drivers/pci/iov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -137,7 +137,7 @@ int pci_iov_add_virtfn(struct pci_dev *d + pci_read_config_word(dev, iov->pos + PCI_SRIOV_VF_DID, &virtfn->device); + rc = pci_setup_device(virtfn); + if (rc) +- goto failed0; ++ goto failed1; + + virtfn->dev.parent = dev->dev.parent; + virtfn->physfn = pci_dev_get(dev); diff --git a/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions new file mode 100644 index 0000000..6993706 --- /dev/null +++ b/patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions @@ -0,0 +1,87 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:31 -0800 +Subject: KVM: nVMX: Check IO instruction VM-exit conditions +Git-commit: 35a571346a94fb93b5b3b6a599675ef3384bc75c +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Consult the 'unconditional IO exiting' and 'use IO bitmaps' VM-execution +controls when checking instruction interception. If the 'use IO bitmaps' +VM-execution control is 1, check the instruction access against the IO +bitmaps to determine if the instruction causes a VM-exit. + +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 2 +- + arch/x86/kvm/vmx/vmx.c | 57 ++++++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 52 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8570,7 +8570,7 @@ static bool nested_vmx_exit_handled_io(s + struct vmcs12 *vmcs12) + { + unsigned long exit_qualification; +- unsigned int port; ++ unsigned short port; + int size; + + if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +@@ -12386,10 +12386,55 @@ static void nested_vmx_entry_failure(str + to_vmx(vcpu)->nested.sync_shadow_vmcs = true; + } + ++static int vmx_check_intercept_io(struct kvm_vcpu *vcpu, ++ struct x86_instruction_info *info) ++{ ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); ++ unsigned short port; ++ bool intercept; ++ int size; ++ ++ if (info->intercept == x86_intercept_in || ++ info->intercept == x86_intercept_ins) { ++ port = info->src_val; ++ size = info->dst_bytes; ++ } else { ++ port = info->dst_val; ++ size = info->src_bytes; ++ } ++ ++ /* ++ * If the 'use IO bitmaps' VM-execution control is 0, IO instruction ++ * VM-exits depend on the 'unconditional IO exiting' VM-execution ++ * control. ++ * ++ * Otherwise, IO instruction VM-exits are controlled by the IO bitmaps. ++ */ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ intercept = nested_cpu_has(vmcs12, ++ CPU_BASED_UNCOND_IO_EXITING); ++ else ++ intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); ++ ++ return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; ++} ++ + static int vmx_check_intercept(struct kvm_vcpu *vcpu, + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { ++ switch (info->intercept) { ++ case x86_intercept_in: ++ case x86_intercept_ins: ++ case x86_intercept_out: ++ case x86_intercept_outs: ++ return vmx_check_intercept_io(vcpu, info); ++ ++ /* TODO: check more intercepts... */ ++ default: ++ break; ++ } ++ + return X86EMUL_UNHANDLEABLE; + } + diff --git a/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode new file mode 100644 index 0000000..dc989c6 --- /dev/null +++ b/patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode @@ -0,0 +1,31 @@ +From: Paolo Bonzini +Date: Tue, 4 Feb 2020 15:26:29 -0800 +Subject: KVM: nVMX: Don't emulate instructions in guest mode +Git-commit: 07721feee46b4b248402133228235318199b05ec +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +vmx_check_intercept is not yet fully implemented. To avoid emulating +instructions disallowed by the L1 hypervisor, refuse to emulate +instructions by default. + +Cc: stable@vger.kernel.org +[Made commit, added commit msg - Oliver] +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12378,7 +12378,7 @@ static int vmx_check_intercept(struct kv + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { +- return X86EMUL_CONTINUE; ++ return X86EMUL_UNHANDLEABLE; + } + + #ifdef CONFIG_X86_64 diff --git a/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function new file mode 100644 index 0000000..f67b2f3 --- /dev/null +++ b/patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function @@ -0,0 +1,78 @@ +From: Oliver Upton +Date: Tue, 4 Feb 2020 15:26:30 -0800 +Subject: KVM: nVMX: Refactor IO bitmap checks into helper function +Git-commit: e71237d3ff1abf9f3388337cfebf53b96df2020d +References: CVE-2020-2732 bsc#1163971 +Patch-mainline: v5.6-rc4 + +Checks against the IO bitmap are useful for both instruction emulation +and VM-exit reflection. Refactor the IO bitmap checks into a helper +function. + +Signed-off-by: Oliver Upton +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Acked-by: Joerg Roedel +--- + arch/x86/kvm/vmx/nested.c | 39 +++++++++++++++++++++++++-------------- + arch/x86/kvm/vmx/nested.h | 2 ++ + 2 files changed, 27 insertions(+), 14 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8529,23 +8529,17 @@ static int (*const kvm_vmx_exit_handlers + static const int kvm_vmx_max_exit_handlers = + ARRAY_SIZE(kvm_vmx_exit_handlers); + +-static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, +- struct vmcs12 *vmcs12) ++/* ++ * Return true if an IO instruction with the specified port and size should cause ++ * a VM-exit into L1. ++ */ ++static bool nested_vmx_check_io_bitmaps(struct kvm_vcpu *vcpu, unsigned int port, ++ int size) + { +- unsigned long exit_qualification; ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + gpa_t bitmap, last_bitmap; +- unsigned int port; +- int size; + u8 b; + +- if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) +- return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); +- +- exit_qualification = vmcs_readl(EXIT_QUALIFICATION); +- +- port = exit_qualification >> 16; +- size = (exit_qualification & 7) + 1; +- + last_bitmap = (gpa_t)-1; + b = -1; + +@@ -8572,6 +8566,24 @@ static bool nested_vmx_exit_handled_io(s + return false; + } + ++static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu, ++ struct vmcs12 *vmcs12) ++{ ++ unsigned long exit_qualification; ++ unsigned int port; ++ int size; ++ ++ if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS)) ++ return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING); ++ ++ exit_qualification = vmcs_readl(EXIT_QUALIFICATION); ++ ++ port = exit_qualification >> 16; ++ size = (exit_qualification & 7) + 1; ++ ++ return nested_vmx_check_io_bitmaps(vcpu, port, size); ++} ++ + /* + * Return 1 if we should exit from L2 to L1 to handle an MSR access access, + * rather than handle it ourselves in L0. I.e., check whether L1 expressed diff --git a/patches.suse/net-sched-correct-flower-port-blocking.patch b/patches.suse/net-sched-correct-flower-port-blocking.patch new file mode 100644 index 0000000..375a785 --- /dev/null +++ b/patches.suse/net-sched-correct-flower-port-blocking.patch @@ -0,0 +1,65 @@ +From: Jason Baron +Date: Mon, 17 Feb 2020 15:38:09 -0500 +Subject: net: sched: correct flower port blocking +Git-commit: 8a9093c79863b58cc2f9874d7ae788f0d622a596 +Patch-mainline: 5.6-rc3 +References: git-fixes + +tc flower rules that are based on src or dst port blocking are sometimes +ineffective due to uninitialized stack data. __skb_flow_dissect() extracts +ports from the skb for tc flower to match against. However, the port +dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in +key_control->flags. All callers of __skb_flow_dissect(), zero-out the +key_control field except for fl_classify() as used by the flower +classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to +__skb_flow_dissect(), since key_control is allocated on the stack +and may not be initialized. + +Since key_basic and key_control are present for all flow keys, let's +make sure they are initialized. + +Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Acked-by: Cong Wang +Signed-off-by: Jason Baron +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +--- + include/net/flow_dissector.h | 9 +++++++++ + net/sched/cls_flower.c | 1 + + 2 files changed, 10 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -3,6 +3,7 @@ + + #include + #include ++#include + #include + + /** +@@ -272,4 +273,12 @@ static inline void *skb_flow_dissector_t + return ((char *)target_container) + flow_dissector->offset[key_id]; + } + ++static inline void ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control, ++ struct flow_dissector_key_basic *key_basic) ++{ ++ memset(key_control, 0, sizeof(*key_control)); ++ memset(key_basic, 0, sizeof(*key_basic)); ++} ++ + #endif +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -157,6 +157,7 @@ static int fl_classify(struct sk_buff *s + struct fl_flow_key skb_mkey; + + list_for_each_entry_rcu(mask, &head->masks, list) { ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic); + fl_clear_masked_range(&skb_key, mask); + + skb_key.indev_ifindex = skb->skb_iif; diff --git a/series.conf b/series.conf index 8330093..5fb69a3 100644 --- a/series.conf +++ b/series.conf @@ -47548,6 +47548,7 @@ patches.suse/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep patches.suse/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu patches.suse/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels + patches.suse/0001-KVM-fix-spectrev1-gadgets.patch patches.suse/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch patches.suse/cfg80211-Handle-WMM-rules-in-regulatory-domain-inter.patch patches.suse/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch @@ -52154,6 +52155,17 @@ patches.suse/kvm-svm-override-default-mmio-mask-if-memory-encryption-is-enabled patches.suse/KVM-PPC-Book3S-HV-Uninit-vCPU-if-vcore-creation-fail.patch patches.suse/KVM-PPC-Book3S-PR-Free-shared-page-if-mmu-initializa.patch + patches.suse/0002-KVM-x86-Protect-x86_decode_insn-from-Spectre-v1-L1TF.patch + patches.suse/0003-KVM-x86-Protect-kvm_hv_msr_-get-set-_crash_data-from.patch + patches.suse/0004-KVM-x86-Refactor-picdev_write-to-prevent-Spectre-v1-.patch + patches.suse/0005-KVM-x86-Protect-ioapic_read_indirect-from-Spectre-v1.patch + patches.suse/0006-KVM-x86-Protect-ioapic_write_indirect-from-Spectre-v.patch + patches.suse/0007-KVM-x86-Protect-kvm_lapic_reg_write-from-Spectre-v1-.patch + patches.suse/0008-KVM-x86-Protect-MSR-based-index-computations-in-fixe.patch + patches.suse/0009-KVM-x86-Protect-MSR-based-index-computations-in-pmu..patch + patches.suse/0010-KVM-x86-Protect-MSR-based-index-computations-from.patch + patches.suse/0011-KVM-x86-Protect-DR-based-index-computations-from.patch + patches.suse/0012-KVM-x86-Protect-pmu_intel.c-from-Spectre-v1-L1TF-att.patch patches.suse/KVM-Clean-up-__kvm_gfn_to_hva_cache_init-and-its-cal.patch patches.suse/KVM-PPC-Book3S-PR-Fix-Werror-return-type-build-failu.patch patches.suse/x86-resctrl-fix-use-after-free-when-deleting-resource-groups.patch @@ -52171,6 +52183,7 @@ patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch patches.suse/PCI-Don-t-disable-bridge-BARs-when-assigning-bus-res.patch patches.suse/PCI-switchtec-Fix-vep_vector_number-ioread-width.patch + patches.suse/PCI-IOV-Fix-memory-leak-in-pci_iov_add_virtfn.patch patches.suse/vfs-fix-do_last-regression.patch patches.suse/mfd-dln2-More-sanity-checking-for-endpoints.patch patches.suse/mfd-da9062-Fix-watchdog-compatible-string.patch @@ -52239,9 +52252,13 @@ patches.suse/ALSA-seq-Fix-concurrent-access-to-queue-current-tick.patch patches.suse/ALSA-hda-Use-scnprintf-for-printing-texts-for-sysfs-.patch patches.suse/ASoC-sun8i-codec-Fix-setting-DAI-data-format.patch + patches.suse/net-sched-correct-flower-port-blocking.patch patches.suse/powerpc-tm-Fix-clearing-MSR-TS-in-current-when-recla.patch patches.suse/0001-xen-Enable-interrupts-when-calling-_cond_resched.patch patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch + patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode + patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function + patches.suse/kvm-nvmx-check-io-instruction-vm-exit-conditions # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch