Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.2.6 2023-03-10T08:28:51+00:00 2023-03-10T08:28:51+00:00 George Kennedy george.kennedy@oracle.com 2022-11-28T20:18:25+00:00 urn:sha1:91b8e4f61f8f4594ee65368c8d89e6fdc29d3fb1 [ Upstream commit 1a726cb47fd204109c767409fa9ca15a96328f14 ] The call to get_user_pages_fast() in vmci_host_setup_notify() can return NULL context->notify_page causing a GPF. To avoid GPF check if context->notify_page == NULL and return error if so. general protection fault, probably for non-canonical address 0xe0009d1000000060: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0x0005088000000300- 0x0005088000000307] CPU: 2 PID: 26180 Comm: repro_34802241 Not tainted 6.1.0-rc4 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module+el8.6.0 04/01/2014 RIP: 0010:vmci_ctx_check_signal_notify+0x91/0xe0 Call Trace: <TASK> vmci_host_unlocked_ioctl+0x362/0x1f40 __x64_sys_ioctl+0x1a1/0x230 do_syscall_64+0x3a/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: a1d88436d53a ("VMCI: Fix two UVA mapping bugs") Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: George Kennedy <george.kennedy@oracle.com> Reviewed-by: Vishnu Dasa <vdasa@vmware.com> Link: https://lore.kernel.org/r/1669666705-24012-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-01-20T12:24:11+00:00 Vishnu Dasa vdasa@vmware.com 2022-11-30T07:05:11+00:00 urn:sha1:3daed6345d5880464f46adab871d208e1baa2f3a The vmci_dispatch_dgs() tasklet function calls vmci_read_data() which uses wait_event() resulting in invalid sleep in an atomic context (and therefore potentially in a deadlock). Use threaded irqs to fix this issue and completely remove usage of tasklets. [ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145 [ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd [ 20.264645] preempt_count: 101, expected: 0 [ 20.264646] RCU nest depth: 0, expected: 0 [ 20.264647] 1 lock held by vmtoolsd/762: [ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock] [ 20.264658] Preemption disabled at: [ 20.264659] [<ffff80000151d7d8>] vmci_send_datagram+0x44/0xa0 [vmw_vmci] [ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1 [ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020 [ 20.264668] Call trace: [ 20.264669] dump_backtrace+0xc4/0x130 [ 20.264672] show_stack+0x24/0x80 [ 20.264673] dump_stack_lvl+0x88/0xb4 [ 20.264676] dump_stack+0x18/0x34 [ 20.264677] __might_resched+0x1a0/0x280 [ 20.264679] __might_sleep+0x58/0x90 [ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci] [ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci] [ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150 [ 20.264688] tasklet_action+0x40/0x50 [ 20.264689] __do_softirq+0x23c/0x6b4 [ 20.264690] __irq_exit_rcu+0x104/0x214 [ 20.264691] irq_exit_rcu+0x1c/0x50 [ 20.264693] el1_interrupt+0x38/0x6c [ 20.264695] el1h_64_irq_handler+0x18/0x24 [ 20.264696] el1h_64_irq+0x68/0x6c [ 20.264697] preempt_count_sub+0xa4/0xe0 [ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0 [ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci] [ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci] [ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci] [ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport] [ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport] [ 20.264713] vsock_connect+0x278/0x330 [vsock] [ 20.264715] __sys_connect_file+0x8c/0xc0 [ 20.264718] __sys_connect+0x84/0xb4 [ 20.264720] __arm64_sys_connect+0x2c/0x3c [ 20.264721] invoke_syscall+0x78/0x100 [ 20.264723] el0_svc_common.constprop.0+0x68/0x124 [ 20.264724] do_el0_svc+0x38/0x4c [ 20.264725] el0_svc+0x60/0x180 [ 20.264726] el0t_64_sync_handler+0x11c/0x150 [ 20.264728] el0t_64_sync+0x190/0x194 Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Suggested-by: Zack Rusin <zackr@vmware.com> Reported-by: Nadav Amit <namit@vmware.com> Reported-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Fixes: 463713eb6164 ("VMCI: dma dg: add support for DMA datagrams receive") Cc: <stable@vger.kernel.org> # v5.18+ Cc: VMware PV-Drivers Reviewers <pv-drivers@vmware.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Bryan Tan <bryantan@vmware.com> Reviewed-by: Bryan Tan <bryantan@vmware.com> Reviewed-by: Zack Rusin <zackr@vmware.com> Link: https://lore.kernel.org/r/20221130070511.46558-1-vdasa@vmware.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-11-25T18:01:55+00:00 Al Viro viro@zeniv.linux.org.uk 2022-09-16T00:25:47+00:00 urn:sha1:de4eda9de2d957ef2d6a8365a01e26a435e958cb READ/WRITE proved to be actively confusing - the meanings are "data destination, as used with read(2)" and "data source, as used with write(2)", but people keep interpreting those as "we read data from it" and "we write data to it", i.e. exactly the wrong way. Call them ITER_DEST and ITER_SOURCE - at least that is harder to misinterpret... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2022-11-09T14:40:03+00:00 Alexander Potapenko glider@google.com 2022-11-04T17:58:49+00:00 urn:sha1:e5b0d06d9b10f5f43101bd6598b076c347f9295f `struct vmci_event_qp` allocated by qp_notify_peer() contains padding, which may carry uninitialized data to the userspace, as observed by KMSAN: BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121 instrument_copy_to_user ./include/linux/instrumented.h:121 _copy_to_user+0x5f/0xb0 lib/usercopy.c:33 copy_to_user ./include/linux/uaccess.h:169 vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431 vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925 vfs_ioctl fs/ioctl.c:51 ... Uninit was stored to memory at: kmemdup+0x74/0xb0 mm/util.c:131 dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271 vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339 qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750 vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940 vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488 vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927 ... Local variable ev created at: qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750 Bytes 28-31 of 48 are uninitialized Memory access of size 48 starts at ffff888035155e00 Data copied to user address 0000000020000100 Use memset() to prevent the infoleaks. Also speculatively fix qp_notify_peer_local(), which may suffer from the same problem. Reported-by: syzbot+39be4da489ed2493ba25@syzkaller.appspotmail.com Cc: stable <stable@kernel.org> Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") Signed-off-by: Alexander Potapenko <glider@google.com> Reviewed-by: Vishnu Dasa <vdasa@vmware.com> Link: https://lore.kernel.org/r/20221104175849.2782567-1-glider@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-09-09T08:22:32+00:00 Fabio M. De Francesco fmdefrancesco@gmail.com 2022-09-01T13:57:14+00:00 urn:sha1:dd8dc442c1e3b1798fad61211f3b090523dd926d kmap() is being deprecated in favor of kmap_local_page(). There are two main problems with kmap(): (1) It comes with an overhead as the mapping space is restricted and protected by a global lock for synchronization and (2) it also requires global TLB invalidation when the kmap’s pool wraps and it might block when the mapping space is fully utilized until a slot becomes available. With kmap_local_page() the mappings are per thread, CPU local, can take page faults, and can be called from any context (including interrupts). It is faster than kmap() in kernels with HIGHMEM enabled. Furthermore, the tasks can be preempted and, when they are scheduled to run again, the kernel virtual addresses are restored and still valid. Since its use in vmci_queue_pair.c is safe everywhere, replace kmap() with kmap_local_page(). Cc: "Venkataramanan, Anirudh" <anirudh.venkataramanan@intel.com> Suggested-by: Ira Weiny <ira.weiny@intel.com> Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com> Link: https://lore.kernel.org/r/20220901135714.16481-1-fmdefrancesco@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-04-24T15:32:14+00:00 Vishnu Dasa vdasa@vmware.com 2022-04-14T19:33:16+00:00 urn:sha1:1f7142915d304804a9bd952245fce92786b1b62f Add support for ARM64 architecture so that the driver can now be built and VMCI device can be used. Update Kconfig file to allow the driver to be built on ARM64 as well. Fail vmci_guest_probe_device() on ARM64 if the device does not support MMIO register access. Lastly, add virtualization specific barriers which map to actual memory barrier instructions on ARM64, because it is required in case of ARM64 for queuepair (de)queuing. Reviewed-by: Bryan Tan <bryantan@vmware.com> Reviewed-by: Cyprien Laplace <claplace@vmware.com> Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Link: https://lore.kernel.org/r/20220414193316.14356-1-vdasa@vmware.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-04-24T15:24:09+00:00 Jakob Koschel jakobkoschel@gmail.com 2022-03-24T07:31:51+00:00 urn:sha1:f61c5c830ff0c906907a73a4bfddba6a8f91cbcb To move the list iterator variable into the list_for_each_entry_*() macro in the future it should be avoided to use the list iterator variable after the loop body. To *never* use the list iterator variable after the loop it was concluded to use a separate iterator variable instead of a found boolean [1]. This removes the need to use a found variable and simply checking if the variable was set, can determine if the break/goto was hit. Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com> Link: https://lore.kernel.org/r/20220324073151.66305-1-jakobkoschel@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-18T12:47:48+00:00 Vishnu Dasa vdasa@vmware.com 2022-03-18T06:00:40+00:00 urn:sha1:c8e9b30ccae605bf1dbeaf03971f9b83f70b928d notification_bitmap may not be released when VMCI_CAPS_DMA_DATAGRAM capability is missing from the device. Add missing 'err_free_notification_bitmap' label and use it instead of 'err_free_data_buffers' to avoid this. Fixes: eed2298d9360 ("VMCI: dma dg: detect DMA datagram capability") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Bryan Tan <bryantan@vmware.com> Reviewed-by: Rajesh Jalisatgi <rjalisatgi@vmware.com> Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Link: https://lore.kernel.org/r/20220318060040.31621-1-vdasa@vmware.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-18T12:47:34+00:00 Vishnu Dasa vdasa@vmware.com 2022-03-18T05:58:43+00:00 urn:sha1:5df0e734b8c39598effe0f17e5bd8ff7748a0693 free_irq() may be called to free an interrupt that was not allocated. Add missing 'if' statement to check for exclusive_vectors when freeing interrupt 1. Fixes: cc68f2177fcb ("VMCI: dma dg: register dummy IRQ handlers for DMA datagrams") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Bryan Tan <bryantan@vmware.com> Reviewed-by: Rajesh Jalisatgi <rjalisatgi@vmware.com> Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Link: https://lore.kernel.org/r/20220318055843.30606-1-vdasa@vmware.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-02-25T10:55:01+00:00 Christophe JAILLET christophe.jaillet@wanadoo.fr 2022-02-24T20:22:37+00:00 urn:sha1:77e861619baea5a7c934e47fda74b03c0b072aec The 'err_remove_vmci_dev_g' error label is not at the right place. This could lead to un-released resource. There is also a missing label. If pci_alloc_irq_vectors() fails, the previous vmci_event_subscribe() call must be undone. Acked-by: Vishnu Dasa <vdasa@vmware.com> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Link: https://lore.kernel.org/r/959218ce3b135197946d85cd9453551cd04fa5da.1645734041.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>