diff --git a/patches.suse/edac-fix-reference-count-leaks.patch b/patches.suse/edac-fix-reference-count-leaks.patch
new file mode 100644
index 0000000..217f619
--- /dev/null
+++ b/patches.suse/edac-fix-reference-count-leaks.patch
@@ -0,0 +1,54 @@
+From: Qiushi Wu
+Date: Thu, 28 May 2020 15:22:37 -0500
+Subject: EDAC: Fix reference count leaks
+Git-commit: 17ed808ad243192fb923e4e653c1338d3ba06207
+Patch-mainline: v5.9-rc1
+References: bsc#1112178
+
+When kobject_init_and_add() returns an error, it should be handled
+because kobject_init_and_add() takes a reference even when it fails. If
+this function returns an error, kobject_put() must be called to properly
+clean up the memory associated with the object.
+
+Therefore, replace calling kfree() and call kobject_put() and add a
+missing kobject_put() in the edac_device_register_sysfs_main_kobj()
+error path.
+
+ [ bp: Massage and merge into a single patch. ]
+
+Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add")
+Signed-off-by: Qiushi Wu
+Signed-off-by: Borislav Petkov
+Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu
+Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu
+---
+ drivers/edac/edac_device_sysfs.c | 1 +
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c
+index 0e7ea3591b78..5e7593753799 100644
+--- a/drivers/edac/edac_device_sysfs.c
++++ b/drivers/edac/edac_device_sysfs.c
+@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev)
+
+ /* Error exit stack */
+ err_kobj_reg:
++ kobject_put(&edac_dev->kobj);
+ module_put(edac_dev->owner);
+
+ err_out:
+diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
+index 72c9eb9fdffb..53042af7262e 100644
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void)
+
+ /* Error unwind statck */
+ kobject_init_and_add_fail:
+- kfree(edac_pci_top_main_kobj);
++ kobject_put(edac_pci_top_main_kobj);
+
+ kzalloc_fail:
+ module_put(THIS_MODULE);
+
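Review bot: In the `err_kobj_reg:` path of edac_device_register_sysfs_main_kobj(), the added `kobject_put(&edac_dev->kobj);` is followed by `module_put(edac_dev->owner);`, which still dereferences `edac_dev` after the last kobject reference may have been dropped. The ktype's release callback is not visible in this hunk; if it frees the structure embedding the kobject or drops the module reference itself, that second line becomes a use-after-free plus a double `module_put()`, and the same double put would apply to `module_put(THIS_MODULE)` after `kobject_put(edac_pci_top_main_kobj)` in edac_pci_main_kobj_setup(). Please confirm what each release callback does and, if it already handles the module reference, skip the explicit put on this path, for example by returning the error right after `kobject_put()`. Both functions start and end outside the hunks shown.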
diff --git a/patches.suse/kvm-svm-fix-svn_pin_memory-s-use-of-get_user_pages_fast.patch b/patches.suse/kvm-svm-fix-svn_pin_memory-s-use-of-get_user_pages_fast.patch
new file mode 100644
index 0000000..49b79f5
--- /dev/null
+++ b/patches.suse/kvm-svm-fix-svn_pin_memory-s-use-of-get_user_pages_fast.patch
@@ -0,0 +1,66 @@
+From: John Hubbard
+Date: Mon, 25 May 2020 23:22:06 -0700
+Subject: KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()
+Git-commit: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7
+Patch-mainline: v5.9-rc1
+References: bsc#1112178
+
+There are two problems in svn_pin_memory():
+
+1) The return value of get_user_pages_fast() is stored in an
+unsigned long, although the declared return value is of type int.
+This will not cause any symptoms, but it is misleading.
+Fix this by changing the type of npinned to "int".
+
+2) The number of pages passed into get_user_pages_fast() is stored
+in an unsigned long, even though get_user_pages_fast() accepts an
+int. This means that it is possible to silently overflow the number
+of pages.
+
+Fix this by adding a WARN_ON_ONCE() and an early error return. The
+npages variable is left as an unsigned long for convenience in
+checking for overflow.
+
+Fixes: 89c505809052 ("KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command")
+Cc: Ingo Molnar
+Cc: Borislav Petkov
+Cc: Thomas Gleixner
+Cc: Paolo Bonzini
+Cc: Sean Christopherson
+Cc: Vitaly Kuznetsov
+Cc: Wanpeng Li
+Cc: Jim Mattson
+Cc: Joerg Roedel
+Cc: H. Peter Anvin
+Cc: x86@kernel.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: John Hubbard
+Message-Id: <20200526062207.1360225-2-jhubbard@nvidia.com>
+Signed-off-by: Paolo Bonzini
+Acked-by: Borislav Petkov
+---
+ arch/x86/kvm/svm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1780,7 +1780,8 @@ static struct page **sev_pin_memory(stru
+ int write)
+ {
+ struct kvm_sev_info *sev = &kvm->arch.sev_info;
+- unsigned long npages, npinned, size;
++ unsigned long npages, size;
++ int npinned;
+ unsigned long locked, lock_limit;
+ struct page **pages;
+ int first, last;
+@@ -1797,6 +1798,9 @@ static struct page **sev_pin_memory(stru
+ return NULL;
+ }
+
++ if (WARN_ON_ONCE(npages > INT_MAX))
++ return NULL;
++
+ /* Avoid using vmalloc for smaller buffers. */
+ size = npages * sizeof(struct page *);
+ if (size > PAGE_SIZE)
diff --git a/patches.suse/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch b/patches.suse/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
index 6db6682..05fa400 100644
--- a/patches.suse/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
+++ b/patches.suse/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
@@ -25,21 +25,21 @@
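Review bot: The new guard in sev_pin_memory() of the KVM patch, `if (WARN_ON_ONCE(npages > INT_MAX))`, raises a kernel warning on a page count that appears to be derived from a caller-supplied length; the computation sits above the hunk, so this is inferred. If that length can originate in userspace, an oversized request is an input error rather than a kernel bug, and on hosts running with panic_on_warn the warning would take the machine down; a plain `if (npages > INT_MAX) return NULL;` keeps the bound without that side effect. The early return hands back the same NULL as the failure path just above it, so a short comment such as `/* get_user_pages_fast() takes an int page count */` would tell readers why the limit exists. The function body starts before and continues after the hunk.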
Signed-off-by: David S. Miller Acked-by: Michal Kubecek --- - drivers/infiniband/core/addr.c | 7 +++---- - drivers/infiniband/sw/rxe/rxe_net.c | 8 +++++--- - drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 9 ++++----- - drivers/net/geneve.c | 4 +++- - drivers/net/vxlan.c | 8 +++----- - include/net/addrconf.h | 6 ++++-- - net/ipv6/addrconf_core.c | 11 ++++++----- - net/ipv6/af_inet6.c | 2 +- - net/mpls/af_mpls.c | 7 +++---- - net/tipc/udp_media.c | 8 +++++--- - 10 files changed, 37 insertions(+), 33 deletions(-) + drivers/infiniband/core/addr.c | 7 +++---- + drivers/infiniband/sw/rxe/rxe_net.c | 8 +++++--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 11 +++++------ + drivers/net/geneve.c | 4 +++- + drivers/net/vxlan.c | 8 +++----- + include/net/addrconf.h | 6 ++++-- + net/ipv6/addrconf_core.c | 11 ++++++----- + net/ipv6/af_inet6.c | 2 +- + net/mpls/af_mpls.c | 7 +++---- + net/tipc/udp_media.c | 8 +++++--- + 10 files changed, 38 insertions(+), 34 deletions(-) --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c -@@ -420,16 +420,15 @@ static int addr6_resolve(struct sockaddr *src_sock, +@@ -420,16 +420,15 @@ static int addr6_resolve(struct sockaddr (const struct sockaddr_in6 *)dst_sock; struct flowi6 fl6; struct dst_entry *dst; @@ -61,7 +61,7 @@ Acked-by: Michal Kubecek src_in->sin6_addr = fl6.saddr; --- a/drivers/infiniband/sw/rxe/rxe_net.c +++ b/drivers/infiniband/sw/rxe/rxe_net.c -@@ -154,10 +154,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev, +@@ -154,10 +154,12 @@ static struct dst_entry *rxe_find_route6 memcpy(&fl6.daddr, daddr, sizeof(*daddr)); fl6.flowi6_proto = IPPROTO_UDP; @@ -79,7 +79,7 @@ Acked-by: Michal Kubecek if (unlikely(ndst->error)) { --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c 
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c -@@ -2384,12 +2384,11 @@ static int mlx5e_route_lookup_ipv6(struct mlx5e_priv *priv, +@@ -2384,12 +2384,11 @@ static int mlx5e_route_lookup_ipv6(struc #if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6) struct mlx5e_rep_priv *uplink_rpriv; struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; @@ -96,9 +96,18 @@ Acked-by: Michal Kubecek if (!(*out_ttl)) *out_ttl = ip6_dst_hoplimit(dst); +@@ -2597,7 +2596,7 @@ static int mlx5e_create_encap_header_ipv + int max_encap_size = MLX5_CAP_ESW(priv->mdev, max_encap_header_size); + int ipv6_encap_size = ETH_HLEN + sizeof(struct ipv6hdr) + VXLAN_HLEN; + struct ip_tunnel_key *tun_key = &e->tun_info.key; +- struct net_device *out_dev; ++ struct net_device *out_dev = NULL; + struct neighbour *n = NULL; + struct flowi6 fl6 = {}; + u8 nud_state, tos, ttl; --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c -@@ -787,7 +787,9 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, +@@ -787,7 +787,9 @@ static struct dst_entry *geneve_get_v6_d if (dst) return dst; } @@ -111,7 +120,7 @@ Acked-by: Michal Kubecek } --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -2023,7 +2023,6 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, +@@ -2023,7 +2023,6 @@ static struct dst_entry *vxlan6_get_rout bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct dst_entry *ndst; struct flowi6 fl6; @@ -119,7 +128,7 @@ Acked-by: Michal Kubecek if (!sock6) return ERR_PTR(-EIO); -@@ -2046,10 +2045,9 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, +@@ -2046,10 +2045,9 @@ static struct dst_entry *vxlan6_get_rout fl6.fl6_dport = dport; fl6.fl6_sport = sport; @@ -150,7 +159,7 @@ Acked-by: Michal Kubecek const struct in6_addr *solicited_addr, --- a/net/ipv6/addrconf_core.c 
+++ b/net/ipv6/addrconf_core.c -@@ -127,15 +127,16 @@ int inet6addr_validator_notifier_call_chain(unsigned long val, void *v) +@@ -127,15 +127,16 @@ int inet6addr_validator_notifier_call_ch } EXPORT_SYMBOL(inet6addr_validator_notifier_call_chain); @@ -174,7 +183,7 @@ Acked-by: Michal Kubecek --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c -@@ -898,7 +898,7 @@ static struct pernet_operations inet6_net_ops = { +@@ -898,7 +898,7 @@ static struct pernet_operations inet6_ne static const struct ipv6_stub ipv6_stub_impl = { .ipv6_sock_mc_join = ipv6_sock_mc_join, .ipv6_sock_mc_drop = ipv6_sock_mc_drop, @@ -185,7 +194,7 @@ Acked-by: Michal Kubecek .nd_tbl = &nd_tbl, --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c -@@ -586,16 +586,15 @@ static struct net_device *inet6_fib_lookup_dev(struct net *net, +@@ -586,16 +586,15 @@ static struct net_device *inet6_fib_look struct net_device *dev; struct dst_entry *dst; struct flowi6 fl6; @@ -207,7 +216,7 @@ Acked-by: Michal Kubecek dev_hold(dev); --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c -@@ -187,10 +187,12 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb, +@@ -187,10 +187,12 @@ static int tipc_udp_xmit(struct net *net .saddr = src->ipv6, .flowi6_proto = IPPROTO_UDP }; diff --git a/patches.suse/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_task.patch b/patches.suse/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_task.patch new file mode 100644 index 0000000..d60d969 --- /dev/null +++ b/patches.suse/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_task.patch 
@@ -0,0 +1,71 @@
+From: Eric Dumazet
+Date: Fri, 14 Aug 2020 11:16:17 -0700
+Subject: x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
+Git-commit: 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239
+Patch-mainline: v5.9-rc1
+References: bsc#1112178
+
+syzbot found its way in 86_fsgsbase_read_task() and triggered this oops:
+
+ KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+ CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0
+ RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393
+ Call Trace:
+ putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876
+ genregs32_set arch/x86/kernel/ptrace.c:1026 [inline]
+ genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006
+ copy_regset_from_user include/linux/regset.h:326 [inline]
+ ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline]
+ compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198
+ __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline]
+ __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline]
+ __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389
+ do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
+ __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
+ do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+This can happen if ptrace() or sigreturn() pokes an LDT selector into FS
+or GS for a task with no LDT and something tries to read the base before
+a return to usermode notices the bad selector and fixes it.
+
+The fix is to make sure ldt pointer is not NULL.
+
+Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately")
+Co-developed-by: Jann Horn
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Acked-by: Andy Lutomirski
+Cc: Chang S. Bae
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Markus T Metzger
+Cc: Peter Zijlstra
+Cc: Ravi Shankar
+Cc: Rik van Riel
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Signed-off-by: Linus Torvalds
+Acked-by: Borislav Petkov
+---
+ arch/x86/kernel/process_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index d6f946707270..9afefe325acb 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -390,7 +390,7 @@ unsigned long x86_fsgsbase_read_task(struct task_struct *task,
+ */
+ mutex_lock(&task->mm->context.lock);
+ ldt = task->mm->context.ldt;
+- if (unlikely(idx >= ldt->nr_entries))
++ if (unlikely(!ldt || idx >= ldt->nr_entries))
+ base = 0;
+ else
+ base = get_desc_base(ldt->entries + idx);
+
diff --git a/series.conf b/series.conf
index 9dfd1cd..9e9c05e 100644
--- a/series.conf
+++ b/series.conf
@@ -55290,6 +55290,7 @@
 patches.suse/x86-mce-inject-fix-a-wrong-assignment-of-i_mce-status.patch
 patches.suse/platform-x86-intel-hid-Fix-return-value-check-in-che.patch
 patches.suse/platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch
+ patches.suse/edac-fix-reference-count-leaks.patch
 patches.suse/regulator-gpio-Honor-regulator-boot-on-property.patch
 patches.suse/spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch
 patches.suse/spi-sun4i-update-max-transfer-size-reported.patch
@@ -55394,6 +55395,7 @@
 patches.suse/selftests-livepatch-more-verification-in-test-klp-shadow-vars.patch
 patches.suse/selftests-livepatch-fix-mem-leaks-in-test-klp-shadow-vars.patch
 patches.suse/integrity-remove-redundant-initialization-of-variabl.patch
+ patches.suse/kvm-svm-fix-svn_pin_memory-s-use-of-get_user_pages_fast.patch
 patches.suse/ALSA-hda-realtek-Add-alc269-alc662-pin-tables-for-Lo.patch
 patches.suse/ALSA-core-pcm_iec958-fix-kernel-doc.patch
 patches.suse/ALSA-usb-line6-remove-defined-but-not-used-warning.patch
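Review bot: The `!ldt` test added to x86_fsgsbase_read_task() in the x86 patch has no comment saying when `task->mm->context.ldt` can be NULL; the reason is recorded only in the commit message. I would add one above the condition, e.g. `/* ldt is NULL if the task has no LDT; FS/GS can still hold an LDT selector set via ptrace() or sigreturn() */`, so the check is not later removed as redundant. The function starts and ends outside the hunk.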
@@ -55523,6 +55525,7 @@
 patches.suse/0004-net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch
 patches.suse/net-stmmac-dwmac1000-provide-multicast-filter-fallba.patch
 patches.suse/net-ethernet-stmmac-Disable-hardware-multicast-filte.patch
+ patches.suse/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_task.patch
 patches.suse/msft-hv-2127-Drivers-hv-vmbus-Only-notify-Hyper-V-for-die-events-.patch
 patches.suse/0001-drm-xen-front-Fix-misused-IS_ERR_OR_NULL-checks.patch
 patches.suse/ALSA-usb-audio-fix-spelling-mistake-buss-bus.patch