August 2023 - Linux-stable-mirror

[PATCH v5 bpf 0/4] lwt: fix return values of BPF ops

by Yan Zhai

lwt xmit hook does not expect positive return values in function ip_finish_output2 and ip6_finish_output. However, BPF programs can directly return positive statuses such like NET_XMIT_DROP, NET_RX_DROP, and etc to the caller. Such return values would make the kernel continue processing already freed skbs and eventually panic. This set fixes the return values from BPF ops to unexpected continue processing, and checks strictly on the correct continue condition for future proof. In addition, add missing selftests for BPF_REDIRECT and BPF_REROUTE cases for BPF-CI. v4: https://lore.kernel.org/bpf/ZMD1sFTW8SFiex+x@debian.debian/T/ v3: https://lore.kernel.org/bpf/cover.1690255889.git.yan@cloudflare.com/ v2: https://lore.kernel.org/netdev/ZLdY6JkWRccunvu0@debian.debian/ v1: https://lore.kernel.org/bpf/ZLbYdpWC8zt9EJtq@debian.debian/ changes since v4: * fixed same error on BPF_REROUTE path * re-implemented selftests under BPF-CI requirement changes since v3: * minor change in commit message and changelogs * tested by Jakub Sitnicki changes since v2: * subject name changed * also covered redirect to ingress case * added selftests changes since v1: * minor code style changes Yan Zhai (4): lwt: fix return values of BPF ops lwt: check LWTUNNEL_XMIT_CONTINUE strictly selftests/bpf: add lwt_xmit tests for BPF_REDIRECT selftests/bpf: add lwt_xmit tests for BPF_REROUTE include/net/lwtunnel.h | 5 +- net/core/lwt_bpf.c | 7 +- net/ipv4/ip_output.c | 2 +- net/ipv6/ip6_output.c | 2 +- .../selftests/bpf/prog_tests/lwt_helpers.h | 139 ++++++++ .../selftests/bpf/prog_tests/lwt_redirect.c | 319 ++++++++++++++++++ .../selftests/bpf/prog_tests/lwt_reroute.c | 256 ++++++++++++++ .../selftests/bpf/progs/test_lwt_redirect.c | 58 ++++ .../selftests/bpf/progs/test_lwt_reroute.c | 36 ++ 9 files changed, 817 insertions(+), 7 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/lwt_helpers.h create mode 100644 tools/testing/selftests/bpf/prog_tests/lwt_redirect.c create mode 100644 tools/testing/selftests/bpf/prog_tests/lwt_reroute.c create mode 100644 tools/testing/selftests/bpf/progs/test_lwt_redirect.c create mode 100644 tools/testing/selftests/bpf/progs/test_lwt_reroute.c -- 2.30.2

1 year, 4 months

3
8
0 0

[PATCH v2] lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix()

by Nathan Chancellor

A recent change in clang allows it to consider more expressions as compile time constants, which causes it to point out an implicit conversion in the scanf tests: lib/test_scanf.c:661:2: warning: implicit conversion from 'int' to 'unsigned char' changes value from -168 to 88 [-Wconstant-conversion] 661 | test_number_prefix(unsigned char, "0xA7", "%2hhx%hhx", 0, 0xa7, 2, check_uchar); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ lib/test_scanf.c:609:29: note: expanded from macro 'test_number_prefix' 609 | T result[2] = {~expect[0], ~expect[1]}; \ | ~ ^~~~~~~~~~ 1 warning generated. The result of the bitwise negation is the type of the operand after going through the integer promotion rules, so this truncation is expected but harmless, as the initial values in the result array get overwritten by _test() anyways. Add an explicit cast to the expected type in test_number_prefix() to silence the warning. There is no functional change, as all the tests still pass with GCC 13.1.0 and clang 18.0.0. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/1899 Link: https://github.com/llvm/llvm-project/commit/610ec954e1f81c0e8fcadedcd25afe6… Suggested-by: Nick Desaulniers <ndesaulniers(a)google.com> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- Changes in v2: - Add spaces in initializer to match result (Andy) - Add 'Cc: stable', as builds with CONFIG_WERROR will be broken, such as allmodconfig - Link to v1: https://lore.kernel.org/r/20230803-test_scanf-wconstant-conversion-v1-1-74d… --- lib/test_scanf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/test_scanf.c b/lib/test_scanf.c index b620cf7de503..a2707af2951a 100644 --- a/lib/test_scanf.c +++ b/lib/test_scanf.c @@ -606,7 +606,7 @@ static void __init numbers_slice(void) #define test_number_prefix(T, str, scan_fmt, expect0, expect1, n_args, fn) \ do { \ const T expect[2] = { expect0, expect1 }; \ - T result[2] = {~expect[0], ~expect[1]}; \ + T result[2] = { (T)~expect[0], (T)~expect[1] }; \ \ _test(fn, &expect, str, scan_fmt, n_args, &result[0], &result[1]); \ } while (0) --- base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4 change-id: 20230803-test_scanf-wconstant-conversion-d97efbf3bb5d Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 4 months

2
3
0 0

[PATCH] drm/amdgpu: register a dirty framebuffer callback for fbcon

by Hamza Mahfooz

fbcon requires that we implement &drm_framebuffer_funcs.dirty. Otherwise, the framebuffer might take awhile to flush (which would manifest as noticeable lag). However, we can't enable this callback for non-fbcon cases since it might cause too many atomic commits to be made at once. So, implement amdgpu_dirtyfb() and only enable it for fbcon framebuffers on devices that support atomic KMS. Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: stable(a)vger.kernel.org # 6.1+ Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2519 Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 26 ++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index d20dd3f852fc..743db9aee68c 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -38,6 +38,8 @@ #include <linux/pci.h> #include <linux/pm_runtime.h> #include <drm/drm_crtc_helper.h> +#include <drm/drm_damage_helper.h> +#include <drm/drm_drv.h> #include <drm/drm_edid.h> #include <drm/drm_fb_helper.h> #include <drm/drm_gem_framebuffer_helper.h> @@ -532,11 +534,29 @@ bool amdgpu_display_ddc_probe(struct amdgpu_connector *amdgpu_connector, return true; } +static int amdgpu_dirtyfb(struct drm_framebuffer *fb, struct drm_file *file, + unsigned int flags, unsigned int color, + struct drm_clip_rect *clips, unsigned int num_clips) +{ + + if (strcmp(framebuffer->comm, "[fbcon]")) + return -ENOSYS; + + return drm_atomic_helper_dirtyfb(framebuffer, file_priv, flags, color, + clips, num_clips); +} + static const struct drm_framebuffer_funcs amdgpu_fb_funcs = { .destroy = drm_gem_fb_destroy, .create_handle = drm_gem_fb_create_handle, }; +static const struct drm_framebuffer_funcs amdgpu_fb_funcs_atomic = { + .destroy = drm_gem_fb_destroy, + .create_handle = drm_gem_fb_create_handle, + .dirty = amdgpu_dirtyfb +}; + uint32_t amdgpu_display_supported_domains(struct amdgpu_device *adev, uint64_t bo_flags) { @@ -1139,7 +1159,11 @@ static int amdgpu_display_gem_fb_verify_and_init(struct drm_device *dev, if (ret) goto err; - ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs); + if (drm_drv_uses_atomic_modeset(dev)) + ret = drm_framebuffer_init(dev, &rfb->base, + &amdgpu_fb_funcs_atomic); + else + ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs); if (ret) goto err; -- 2.41.0

1 year, 4 months

2
1
0 0

[PATCH 5.4 00/39] 5.4.254-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.254 release. There are 39 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 15 Aug 2023 21:16:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.254-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.254-rc1 Eric Dumazet <edumazet(a)google.com> sch_netem: fix issues in netem_change() vs get_dist_table() Masahiro Yamada <masahiroy(a)kernel.org> alpha: remove __init annotation from exported page_is_ram() Zhu Wang <wangzhu9(a)huawei.com> scsi: core: Fix possible memory leak if device_add() fails Zhu Wang <wangzhu9(a)huawei.com> scsi: snic: Fix possible memory leak if device_add() fails Alexandra Diupina <adiupina(a)astralinux.ru> scsi: 53c700: Check that command slot is not NULL Michael Kelley <mikelley(a)microsoft.com> scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Tony Battersby <tonyb(a)cybernetics.com> scsi: core: Fix legacy /proc parsing buffer overflow Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: report use refcount overflow Ming Lei <ming.lei(a)redhat.com> nvme-rdma: fix potential unbalanced freeze & unfreeze Ming Lei <ming.lei(a)redhat.com> nvme-tcp: fix potential unbalanced freeze & unfreeze Josef Bacik <josef(a)toxicpanda.com> btrfs: set cache_block_group_error if we find an error Christoph Hellwig <hch(a)lst.de> btrfs: don't stop integrity writeback too early Nick Child <nnac123(a)linux.ibm.com> ibmvnic: Handle DMA unmapping of login buffs in release functions Daniel Jurgens <danielj(a)nvidia.com> net/mlx5: Allow 0 for total host VFs Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: mcf-edma: Fix a potential un-allocated memory access Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: fix sband iftype data lookup for AP_VLAN Douglas Miller <doug.miller(a)cornelisnetworks.com> IB/hfi1: Fix possible panic during hotplug remove Andrew Kanner <andrew.kanner(a)gmail.com> drivers: net: prevent tun_build_skb() to exceed the packet size limit Eric Dumazet <edumazet(a)google.com> dccp: fix data-race around dp->dccps_mss_cache Ziyang Xuan <william.xuanziyang(a)huawei.com> bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Eric Dumazet <edumazet(a)google.com> net/packet: annotate data-races around tp->status Nathan Chancellor <nathan(a)kernel.org> mISDN: Update parameter type of dsp_cmx_send() Mark Brown <broonie(a)kernel.org> selftests/rseq: Fix build with undefined __weak Karol Herbst <kherbst(a)redhat.com> drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes Arnd Bergmann <arnd(a)arndb.de> x86: Move gds_ucode_mitigated() declaration to header Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/mm: Fix VDSO and VVAR placement on 5-level paging machines Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 Prashanth K <quic_prashk(a)quicinc.com> usb: common: usb-conn-gpio: Prevent bailing out if initial role is none Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: dwc3: Properly handle processing of pending events Alan Stern <stern(a)rowland.harvard.edu> usb-storage: alauda: Fix uninit-value in alauda_check_media() Qi Zheng <zhengqi.arch(a)bytedance.com> binder: fix memory leak in binder_init() Yiyuan Guo <yguoaz(a)gmail.com> iio: cros_ec: Fix the allocation size for cros_ec_command Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput Thomas Gleixner <tglx(a)linutronix.de> x86/pkeys: Revert a5eff7259790 ("x86/pkeys: Add PKRU value to init_fpstate") Colin Ian King <colin.i.king(a)gmail.com> radix tree test suite: fix incorrect allocation size for pthreads Karol Herbst <kherbst(a)redhat.com> drm/nouveau/gr: enable memory loads on helper invocation on all channels Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> dmaengine: pl330: Return DMA_PAUSED when transaction is paused Maciej Żenczykowski <maze(a)google.com> ipv6: adjust ndisc_is_useropt() to also return true for PIO Sergei Antonov <saproj(a)gmail.com> mmc: moxart: read scr register without changing byte order ------------- Diffstat: Makefile | 4 +- arch/alpha/kernel/setup.c | 3 +- arch/x86/entry/vdso/vma.c | 4 +- arch/x86/include/asm/processor.h | 2 + arch/x86/kernel/cpu/amd.c | 1 + arch/x86/kernel/cpu/common.c | 5 - arch/x86/kvm/x86.c | 2 - arch/x86/mm/pkeys.c | 6 - drivers/android/binder.c | 1 + drivers/android/binder_alloc.c | 6 + drivers/android/binder_alloc.h | 1 + drivers/dma/mcf-edma.c | 13 +- drivers/dma/pl330.c | 18 ++- drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c | 4 +- drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c | 10 ++ drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c | 1 + .../common/cros_ec_sensors/cros_ec_sensors_core.c | 2 +- drivers/infiniband/hw/hfi1/chip.c | 1 + drivers/isdn/mISDN/dsp.h | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/isdn/mISDN/dsp_core.c | 2 +- drivers/mmc/host/moxart-mmc.c | 8 +- drivers/net/bonding/bond_main.c | 4 +- drivers/net/ethernet/ibm/ibmvnic.c | 15 +- drivers/net/ethernet/mellanox/mlx5/core/sriov.c | 3 +- drivers/net/tun.c | 2 +- drivers/nvme/host/rdma.c | 3 +- drivers/nvme/host/tcp.c | 3 +- drivers/scsi/53c700.c | 2 +- drivers/scsi/raid_class.c | 1 + drivers/scsi/scsi_proc.c | 30 ++-- drivers/scsi/snic/snic_disc.c | 1 + drivers/scsi/storvsc_drv.c | 4 - drivers/usb/common/usb-conn-gpio.c | 6 +- drivers/usb/dwc3/gadget.c | 9 +- drivers/usb/storage/alauda.c | 9 +- fs/btrfs/extent-tree.c | 5 +- fs/btrfs/extent_io.c | 7 +- fs/nilfs2/inode.c | 8 + fs/nilfs2/segment.c | 2 + fs/nilfs2/the_nilfs.h | 2 + include/net/cfg80211.h | 3 + include/net/netfilter/nf_tables.h | 31 +++- net/dccp/output.c | 2 +- net/dccp/proto.c | 10 +- net/ipv6/ndisc.c | 3 +- net/netfilter/nf_tables_api.c | 166 +++++++++++++-------- net/netfilter/nft_flow_offload.c | 6 +- net/netfilter/nft_objref.c | 8 +- net/packet/af_packet.c | 16 +- net/sched/sch_netem.c | 59 ++++---- tools/testing/radix-tree/regression1.c | 2 +- tools/testing/selftests/rseq/Makefile | 4 +- tools/testing/selftests/rseq/rseq.c | 2 + 58 files changed, 337 insertions(+), 194 deletions(-)

1 year, 4 months

8
46
0 0

[PATCH 4.19 00/33] 4.19.292-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.292 release. There are 33 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 15 Aug 2023 21:16:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.292-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.292-rc1 Eric Dumazet <edumazet(a)google.com> sch_netem: fix issues in netem_change() vs get_dist_table() Masahiro Yamada <masahiroy(a)kernel.org> alpha: remove __init annotation from exported page_is_ram() Zhu Wang <wangzhu9(a)huawei.com> scsi: core: Fix possible memory leak if device_add() fails Zhu Wang <wangzhu9(a)huawei.com> scsi: snic: Fix possible memory leak if device_add() fails Alexandra Diupina <adiupina(a)astralinux.ru> scsi: 53c700: Check that command slot is not NULL Michael Kelley <mikelley(a)microsoft.com> scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Tony Battersby <tonyb(a)cybernetics.com> scsi: core: Fix legacy /proc parsing buffer overflow Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: report use refcount overflow Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush Christoph Hellwig <hch(a)lst.de> btrfs: don't stop integrity writeback too early Nick Child <nnac123(a)linux.ibm.com> ibmvnic: Handle DMA unmapping of login buffs in release functions Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: fix sband iftype data lookup for AP_VLAN Douglas Miller <doug.miller(a)cornelisnetworks.com> IB/hfi1: Fix possible panic during hotplug remove Andrew Kanner <andrew.kanner(a)gmail.com> drivers: net: prevent tun_build_skb() to exceed the packet size limit Eric Dumazet <edumazet(a)google.com> dccp: fix data-race around dp->dccps_mss_cache Ziyang Xuan <william.xuanziyang(a)huawei.com> bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Eric Dumazet <edumazet(a)google.com> net/packet: annotate data-races around tp->status Nathan Chancellor <nathan(a)kernel.org> mISDN: Update parameter type of dsp_cmx_send() Karol Herbst <kherbst(a)redhat.com> drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes Arnd Bergmann <arnd(a)arndb.de> x86: Move gds_ucode_mitigated() declaration to header Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/mm: Fix VDSO and VVAR placement on 5-level paging machines Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: dwc3: Properly handle processing of pending events Alan Stern <stern(a)rowland.harvard.edu> usb-storage: alauda: Fix uninit-value in alauda_check_media() Qi Zheng <zhengqi.arch(a)bytedance.com> binder: fix memory leak in binder_init() Yiyuan Guo <yguoaz(a)gmail.com> iio: cros_ec: Fix the allocation size for cros_ec_command Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput Colin Ian King <colin.i.king(a)gmail.com> radix tree test suite: fix incorrect allocation size for pthreads Karol Herbst <kherbst(a)redhat.com> drm/nouveau/gr: enable memory loads on helper invocation on all channels Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> dmaengine: pl330: Return DMA_PAUSED when transaction is paused Maciej Żenczykowski <maze(a)google.com> ipv6: adjust ndisc_is_useropt() to also return true for PIO Sergei Antonov <saproj(a)gmail.com> mmc: moxart: read scr register without changing byte order Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> sparc: fix up arch_cpu_finalize_init() build breakage. ------------- Diffstat: Makefile | 4 +- arch/alpha/kernel/setup.c | 3 +- arch/sparc/Kconfig | 2 +- arch/x86/entry/vdso/vma.c | 4 +- arch/x86/include/asm/processor.h | 2 + arch/x86/kernel/cpu/amd.c | 1 + arch/x86/kvm/x86.c | 2 - drivers/android/binder.c | 1 + drivers/android/binder_alloc.c | 6 + drivers/android/binder_alloc.h | 1 + drivers/dma/pl330.c | 18 ++- drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c | 4 +- drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c | 10 ++ drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c | 1 + .../common/cros_ec_sensors/cros_ec_sensors_core.c | 2 +- drivers/infiniband/hw/hfi1/chip.c | 1 + drivers/isdn/mISDN/dsp.h | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/isdn/mISDN/dsp_core.c | 2 +- drivers/mmc/host/moxart-mmc.c | 8 +- drivers/net/bonding/bond_main.c | 4 +- drivers/net/ethernet/ibm/ibmvnic.c | 15 +- drivers/net/tun.c | 2 +- drivers/scsi/53c700.c | 2 +- drivers/scsi/raid_class.c | 1 + drivers/scsi/scsi_proc.c | 30 ++-- drivers/scsi/snic/snic_disc.c | 1 + drivers/scsi/storvsc_drv.c | 4 - drivers/usb/dwc3/gadget.c | 9 +- drivers/usb/storage/alauda.c | 9 +- fs/btrfs/extent_io.c | 7 +- fs/nilfs2/inode.c | 8 + fs/nilfs2/segment.c | 2 + fs/nilfs2/the_nilfs.h | 2 + include/net/cfg80211.h | 3 + include/net/netfilter/nf_tables.h | 35 +++- net/dccp/output.c | 2 +- net/dccp/proto.c | 10 +- net/ipv6/ndisc.c | 3 +- net/netfilter/nf_tables_api.c | 180 ++++++++++++++------- net/netfilter/nft_flow_offload.c | 23 ++- net/netfilter/nft_objref.c | 8 +- net/packet/af_packet.c | 16 +- net/sched/sch_netem.c | 59 +++---- tools/testing/radix-tree/regression1.c | 2 +- 49 files changed, 349 insertions(+), 169 deletions(-)

1 year, 4 months

6
38
0 0

[PATCH v4] usb: typec: bus: verify partner exists in typec_altmode_attention

by RD Babiera

Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. type_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. Verify the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver. Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") Cc: stable(a)vger.kernel.org Signed-off-by: RD Babiera <rdbabiera(a)google.com> --- Changes since v1: * Only assigns pdev if altmode partner exists in typec_altmode_attention * Removed error return in typec_altmode_attention if Alt Mode does not implement Attention messages. * Changed tcpm_log message to indicate that altmode partner does not exist, as it only logs in that case. --- Changes since v2: * Changed tcpm_log message to accurately reflect error * Revised commit message --- Changes since v3: * Fixed nits --- drivers/usb/typec/bus.c | 12 ++++++++++-- drivers/usb/typec/tcpm/tcpm.c | 3 ++- include/linux/usb/typec_altmode.h | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c index fe5b9a2e61f5..e95ec7e382bb 100644 --- a/drivers/usb/typec/bus.c +++ b/drivers/usb/typec/bus.c @@ -183,12 +183,20 @@ EXPORT_SYMBOL_GPL(typec_altmode_exit); * * Notifies the partner of @adev about Attention command. */ -void typec_altmode_attention(struct typec_altmode *adev, u32 vdo) +int typec_altmode_attention(struct typec_altmode *adev, u32 vdo) { - struct typec_altmode *pdev = &to_altmode(adev)->partner->adev; + struct altmode *partner = to_altmode(adev)->partner; + struct typec_altmode *pdev; + + if (!partner) + return -ENODEV; + + pdev = &partner->adev; if (pdev->ops && pdev->ops->attention) pdev->ops->attention(pdev, vdo); + + return 0; } EXPORT_SYMBOL_GPL(typec_altmode_attention); diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 5a7d8cc04628..77fe16190766 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -1877,7 +1877,8 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port, } break; case ADEV_ATTENTION: - typec_altmode_attention(adev, p[1]); + if (typec_altmode_attention(adev, p[1])) + tcpm_log(port, "typec_altmode_attention no port partner altmode"); break; } } diff --git a/include/linux/usb/typec_altmode.h b/include/linux/usb/typec_altmode.h index 350d49012659..28aeef8f9e7b 100644 --- a/include/linux/usb/typec_altmode.h +++ b/include/linux/usb/typec_altmode.h @@ -67,7 +67,7 @@ struct typec_altmode_ops { int typec_altmode_enter(struct typec_altmode *altmode, u32 *vdo); int typec_altmode_exit(struct typec_altmode *altmode); -void typec_altmode_attention(struct typec_altmode *altmode, u32 vdo); +int typec_altmode_attention(struct typec_altmode *altmode, u32 vdo); int typec_altmode_vdm(struct typec_altmode *altmode, const u32 header, const u32 *vdo, int count); int typec_altmode_notify(struct typec_altmode *altmode, unsigned long conf, base-commit: f176638af476c6d46257cc3303f5c7cf47d5967d -- 2.41.0.694.ge786442a9b-goog

1 year, 4 months

3
2
0 0

Re: [v6.1] kernel BUG in ext4_writepages

by Muhammad Usama Anjum

Hi, Syzbot has reporting hitting this bug on 6.1.18 and 5.15.101 LTS kernels and provided reproducer as well. BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)); I've copied the same config and reproduced the bug on 6.1.18, 6.1.44 and next-20230809. This part of code hasn't been changed from the time it was introduced 4e7ea81db53465 ("ext4: restructure writeback path"). I'm not sure why the inlined data is being destroyed before copying it somewhere else. Please consider this a report. Regards, Muhammad Usama Anjum On 3/13/23 11:34 AM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit: 1cc3fcf63192 Linux 6.1.18 > git tree: linux-6.1.y > console output: https://syzkaller.appspot.com/x/log.txt?x=10d4b342c80000 > kernel config: https://syzkaller.appspot.com/x/.config?x=157296d36f92ea19 ^ Kernel config > dashboard link: https://syzkaller.appspot.com/bug?extid=a8068dd81edde0186829 > compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 > userspace arch: arm64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13512ec6c80000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ca0ff4c80000 ^ reproducers. C reproducer reproduces the bug easily. > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/0e4c0d43698b/disk-1cc3fcf6.raw… > vmlinux: https://storage.googleapis.com/syzbot-assets/a4de39d735de/vmlinux-1cc3fcf6.… > kernel image: https://storage.googleapis.com/syzbot-assets/82bab928f6e3/Image-1cc3fcf6.gz… > mounted in repro: https://storage.googleapis.com/syzbot-assets/bf2e21b96210/mount_0.gz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+a8068dd81edde0186829(a)syzkaller.appspotmail.com > > ------------[ cut here ]------------ > kernel BUG at fs/ext4/inode.c:2746! > Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP > Modules linked in: > CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.18-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 > Workqueue: writeback wb_workfn (flush-7:0) > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 > lr : ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 > sp : ffff800019d16d40 > x29: ffff800019d17120 x28: ffff800008e691e4 x27: dfff800000000000 > x26: ffff0000de1f3ee0 x25: ffff800019d17590 x24: ffff800019d17020 > x23: ffff0000dd616000 x22: ffff800019d16f40 x21: ffff0000de1f4108 > x20: 0000008410000000 x19: 0000000000000001 x18: ffff800019d16a20 > x17: ffff80001572d000 x16: ffff8000083099b4 x15: 000000000000ba31 > x14: 00000000ffffffff x13: dfff800000000000 x12: 0000000000000001 > x11: ff80800008e6c7d8 x10: 0000000000000000 x9 : ffff800008e6c7d8 > x8 : ffff0000c099b680 x7 : 0000000000000000 x6 : 0000000000000000 > x5 : 0000000000000080 x4 : 0000000000000000 x3 : 0000000000000001 > x2 : 0000000000000000 x1 : 0000008000000000 x0 : 0000000000000000 > Call trace: > ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 > do_writepages+0x2e8/0x56c mm/page-writeback.c:2469 > __writeback_single_inode+0x228/0x1ec8 fs/fs-writeback.c:1587 > writeback_sb_inodes+0x9c0/0x1844 fs/fs-writeback.c:1878 > wb_writeback+0x4f8/0x1580 fs/fs-writeback.c:2052 > wb_do_writeback fs/fs-writeback.c:2195 [inline] > wb_workfn+0x460/0x11b8 fs/fs-writeback.c:2235 > process_one_work+0x868/0x16f4 kernel/workqueue.c:2289 > worker_thread+0x8e4/0xfec kernel/workqueue.c:2436 > kthread+0x24c/0x2d4 kernel/kthread.c:376 > ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 > Code: d4210000 97da5cfa d4210000 97da5cf8 (d4210000) > ---[ end trace 0000000000000000 ]--- > > -- BR, Muhammad Usama Anjum

1 year, 4 months

4
7
0 0

[PATCH] ARC: avoid unwanted gcc optimizations in atomic operations

by Pavel.Kozlov＠synopsys.com

From: Pavel Kozlov <pavel.kozlov(a)synopsys.com> Notify a compiler about write operations and prevent unwanted optimizations. Add the "memory" clobber to the clobber list. An obvious problem with unwanted compiler optimizations appeared after the cpumask optimization commit 596ff4a09b89 ("cpumask: re-introduce constant-sized cpumask optimizations"). After this commit the SMP kernels for ARC no longer loads because of failed assert in the percpu allocator initialization routine: percpu: BUG: failure at mm/percpu.c:2981/pcpu_build_alloc_info()! The write operation performed by the scond instruction in the atomic inline asm code is not properly passed to the compiler. The compiler cannot correctly optimize a nested loop that runs through the cpumask in the pcpu_build_alloc_info() function. Add the "memory" clobber to fix this. Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/135 Cc: <stable(a)vger.kernel.org> # v6.3+ Signed-off-by: Pavel Kozlov <pavel.kozlov(a)synopsys.com> --- arch/arc/include/asm/atomic-llsc.h | 6 +++--- arch/arc/include/asm/atomic64-arcv2.h | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/arc/include/asm/atomic-llsc.h b/arch/arc/include/asm/atomic-llsc.h index 1b0ffaeee16d..5258cb81a16b 100644 --- a/arch/arc/include/asm/atomic-llsc.h +++ b/arch/arc/include/asm/atomic-llsc.h @@ -18,7 +18,7 @@ static inline void arch_atomic_##op(int i, atomic_t *v) \ : [val] "=&r" (val) /* Early clobber to prevent reg reuse */ \ : [ctr] "r" (&v->counter), /* Not "m": llock only supports reg direct addr mode */ \ [i] "ir" (i) \ - : "cc"); \ + : "cc", "memory"); \ } \ #define ATOMIC_OP_RETURN(op, asm_op) \ @@ -34,7 +34,7 @@ static inline int arch_atomic_##op##_return_relaxed(int i, atomic_t *v) \ : [val] "=&r" (val) \ : [ctr] "r" (&v->counter), \ [i] "ir" (i) \ - : "cc"); \ + : "cc", "memory"); \ \ return val; \ } @@ -56,7 +56,7 @@ static inline int arch_atomic_fetch_##op##_relaxed(int i, atomic_t *v) \ [orig] "=&r" (orig) \ : [ctr] "r" (&v->counter), \ [i] "ir" (i) \ - : "cc"); \ + : "cc", "memory"); \ \ return orig; \ } diff --git a/arch/arc/include/asm/atomic64-arcv2.h b/arch/arc/include/asm/atomic64-arcv2.h index 6b6db981967a..9b5791b85471 100644 --- a/arch/arc/include/asm/atomic64-arcv2.h +++ b/arch/arc/include/asm/atomic64-arcv2.h @@ -60,7 +60,7 @@ static inline void arch_atomic64_##op(s64 a, atomic64_t *v) \ " bnz 1b \n" \ : "=&r"(val) \ : "r"(&v->counter), "ir"(a) \ - : "cc"); \ + : "cc", "memory"); \ } \ #define ATOMIC64_OP_RETURN(op, op1, op2) \ @@ -77,7 +77,7 @@ static inline s64 arch_atomic64_##op##_return_relaxed(s64 a, atomic64_t *v) \ " bnz 1b \n" \ : [val] "=&r"(val) \ : "r"(&v->counter), "ir"(a) \ - : "cc"); /* memory clobber comes from smp_mb() */ \ + : "cc", "memory"); \ \ return val; \ } @@ -99,7 +99,7 @@ static inline s64 arch_atomic64_fetch_##op##_relaxed(s64 a, atomic64_t *v) \ " bnz 1b \n" \ : "=&r"(orig), "=&r"(val) \ : "r"(&v->counter), "ir"(a) \ - : "cc"); /* memory clobber comes from smp_mb() */ \ + : "cc", "memory"); \ \ return orig; \ } -- 2.25.1

1 year, 4 months

2
1
0 0

[PATCH 2/3] KVM: SEV: only access GHCB fields once

by Paolo Bonzini

A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the VMGEXIT handler recursively. sev_handle_vmgexit() maps the GHCB page using kvm_vcpu_map() and then fetches the exit code using ghcb_get_sw_exit_code(). Soon after, sev_es_validate_vmgexit() fetches the exit code again. Since the GHCB page is shared with the guest, the guest is able to quickly swap the values with another vCPU and hence bypass the validation. One vmexit code that can be rejected by sev_es_validate_vmgexit() is SVM_EXIT_VMGEXIT; if sev_handle_vmgexit() observes it in the second fetch, the call to svm_invoke_exit_handler() will invoke sev_handle_vmgexit() again recursively. To avoid the race, always fetch the GHCB data from the places where sev_es_sync_from_ghcb stores it. Exploiting recursions on linux kernel has been proven feasible in the past, but the impact is mitigated by stack guard pages (CONFIG_VMAP_STACK). Still, if an attacker manages to call the handler multiple times, they can theoretically trigger a stack overflow and cause a denial-of-service, or potentially guest-to-host escape in kernel configurations without stack guard pages. Note that winning the race reliably in every iteration is very tricky due to the very tight window of the fetches; depending on the compiler settings, they are often consecutive because of optimization and inlining. Tested by booting an SEV-ES RHEL9 guest. Fixes: CVE-2023-4155 Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT") Cc: stable(a)vger.kernel.org Reported-by: Andy Nguyen <theflow(a)google.com> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> --- arch/x86/kvm/svm/sev.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index e898f0b2b0ba..ca4ba5fe9a01 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2445,9 +2445,15 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm) memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap)); } +static u64 kvm_ghcb_get_sw_exit_code(struct vmcb_control_area *control) +{ + return (((u64)control->exit_code_hi) << 32) | control->exit_code; +} + static int sev_es_validate_vmgexit(struct vcpu_svm *svm) { - struct kvm_vcpu *vcpu; + struct vmcb_control_area *control = &svm->vmcb->control; + struct kvm_vcpu *vcpu = &svm->vcpu; struct ghcb *ghcb; u64 exit_code; u64 reason; @@ -2458,7 +2464,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) * Retrieve the exit code now even though it may not be marked valid * as it could help with debugging. */ - exit_code = ghcb_get_sw_exit_code(ghcb); + exit_code = kvm_ghcb_get_sw_exit_code(control); /* Only GHCB Usage code 0 is supported */ if (ghcb->ghcb_usage) { @@ -2473,7 +2479,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) !kvm_ghcb_sw_exit_info_2_is_valid(svm)) goto vmgexit_err; - switch (ghcb_get_sw_exit_code(ghcb)) { + switch (exit_code) { case SVM_EXIT_READ_DR7: break; case SVM_EXIT_WRITE_DR7: @@ -2490,18 +2496,18 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) if (!kvm_ghcb_rax_is_valid(svm) || !kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; - if (ghcb_get_rax(ghcb) == 0xd) + if (vcpu->arch.regs[VCPU_REGS_RAX] == 0xd) if (!kvm_ghcb_xcr0_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_INVD: break; case SVM_EXIT_IOIO: - if (ghcb_get_sw_exit_info_1(ghcb) & SVM_IOIO_STR_MASK) { + if (control->exit_info_1 & SVM_IOIO_STR_MASK) { if (!kvm_ghcb_sw_scratch_is_valid(svm)) goto vmgexit_err; } else { - if (!(ghcb_get_sw_exit_info_1(ghcb) & SVM_IOIO_TYPE_MASK)) + if (!(control->exit_info_1 & SVM_IOIO_TYPE_MASK)) if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; } @@ -2509,7 +2515,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) case SVM_EXIT_MSR: if (!kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; - if (ghcb_get_sw_exit_info_1(ghcb)) { + if (control->exit_info_1) { if (!kvm_ghcb_rax_is_valid(svm) || !kvm_ghcb_rdx_is_valid(svm)) goto vmgexit_err; @@ -2553,8 +2559,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) return 0; vmgexit_err: - vcpu = &svm->vcpu; - if (reason == GHCB_ERR_INVALID_USAGE) { vcpu_unimpl(vcpu, "vmgexit: ghcb usage %#x is not valid\n", ghcb->ghcb_usage); @@ -2852,8 +2856,6 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) trace_kvm_vmgexit_enter(vcpu->vcpu_id, ghcb); - exit_code = ghcb_get_sw_exit_code(ghcb); - sev_es_sync_from_ghcb(svm); ret = sev_es_validate_vmgexit(svm); if (ret) @@ -2862,6 +2864,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) ghcb_set_sw_exit_info_1(ghcb, 0); ghcb_set_sw_exit_info_2(ghcb, 0); + exit_code = kvm_ghcb_get_sw_exit_code(control); switch (exit_code) { case SVM_VMGEXIT_MMIO_READ: ret = setup_vmgexit_scratch(svm, true, control->exit_info_2); -- 2.39.0

1 year, 4 months

2
1
0 0

[PATCH 1/3] KVM: SEV: snapshot the GHCB before accessing it

by Paolo Bonzini

Validation of the GHCB is susceptible to time-of-check/time-of-use vulnerabilities. To avoid them, we would like to always snapshot the fields that are read in sev_es_validate_vmgexit(), and not use the GHCB anymore after it returns. This means: - invoking sev_es_sync_from_ghcb() before any GHCB access, including before sev_es_validate_vmgexit() - snapshotting all fields including the valid bitmap and the sw_scratch field, which are currently not caching anywhere. The valid bitmap is the first thing to be copied out of the GHCB; then, further accesses will use the copy in svm->sev_es. Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT") Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> --- arch/x86/kvm/svm/sev.c | 69 +++++++++++++++++++++--------------------- arch/x86/kvm/svm/svm.h | 26 ++++++++++++++++ 2 files changed, 61 insertions(+), 34 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 07756b7348ae..e898f0b2b0ba 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2417,15 +2417,18 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm) */ memset(vcpu->arch.regs, 0, sizeof(vcpu->arch.regs)); - vcpu->arch.regs[VCPU_REGS_RAX] = ghcb_get_rax_if_valid(ghcb); - vcpu->arch.regs[VCPU_REGS_RBX] = ghcb_get_rbx_if_valid(ghcb); - vcpu->arch.regs[VCPU_REGS_RCX] = ghcb_get_rcx_if_valid(ghcb); - vcpu->arch.regs[VCPU_REGS_RDX] = ghcb_get_rdx_if_valid(ghcb); - vcpu->arch.regs[VCPU_REGS_RSI] = ghcb_get_rsi_if_valid(ghcb); + BUILD_BUG_ON(sizeof(svm->sev_es.valid_bitmap) != sizeof(ghcb->save.valid_bitmap)); + memcpy(&svm->sev_es.valid_bitmap, &ghcb->save.valid_bitmap, sizeof(ghcb->save.valid_bitmap)); - svm->vmcb->save.cpl = ghcb_get_cpl_if_valid(ghcb); + vcpu->arch.regs[VCPU_REGS_RAX] = kvm_ghcb_get_rax_if_valid(svm, ghcb); + vcpu->arch.regs[VCPU_REGS_RBX] = kvm_ghcb_get_rbx_if_valid(svm, ghcb); + vcpu->arch.regs[VCPU_REGS_RCX] = kvm_ghcb_get_rcx_if_valid(svm, ghcb); + vcpu->arch.regs[VCPU_REGS_RDX] = kvm_ghcb_get_rdx_if_valid(svm, ghcb); + vcpu->arch.regs[VCPU_REGS_RSI] = kvm_ghcb_get_rsi_if_valid(svm, ghcb); - if (ghcb_xcr0_is_valid(ghcb)) { + svm->vmcb->save.cpl = kvm_ghcb_get_cpl_if_valid(svm, ghcb); + + if (kvm_ghcb_xcr0_is_valid(svm)) { vcpu->arch.xcr0 = ghcb_get_xcr0(ghcb); kvm_update_cpuid_runtime(vcpu); } @@ -2436,6 +2439,7 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm) control->exit_code_hi = upper_32_bits(exit_code); control->exit_info_1 = ghcb_get_sw_exit_info_1(ghcb); control->exit_info_2 = ghcb_get_sw_exit_info_2(ghcb); + svm->sev_es.sw_scratch = kvm_ghcb_get_sw_scratch_if_valid(svm, ghcb); /* Clear the valid entries fields */ memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap)); @@ -2464,56 +2468,56 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) reason = GHCB_ERR_MISSING_INPUT; - if (!ghcb_sw_exit_code_is_valid(ghcb) || - !ghcb_sw_exit_info_1_is_valid(ghcb) || - !ghcb_sw_exit_info_2_is_valid(ghcb)) + if (!kvm_ghcb_sw_exit_code_is_valid(svm) || + !kvm_ghcb_sw_exit_info_1_is_valid(svm) || + !kvm_ghcb_sw_exit_info_2_is_valid(svm)) goto vmgexit_err; switch (ghcb_get_sw_exit_code(ghcb)) { case SVM_EXIT_READ_DR7: break; case SVM_EXIT_WRITE_DR7: - if (!ghcb_rax_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_RDTSC: break; case SVM_EXIT_RDPMC: - if (!ghcb_rcx_is_valid(ghcb)) + if (!kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_CPUID: - if (!ghcb_rax_is_valid(ghcb) || - !ghcb_rcx_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm) || + !kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; if (ghcb_get_rax(ghcb) == 0xd) - if (!ghcb_xcr0_is_valid(ghcb)) + if (!kvm_ghcb_xcr0_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_INVD: break; case SVM_EXIT_IOIO: if (ghcb_get_sw_exit_info_1(ghcb) & SVM_IOIO_STR_MASK) { - if (!ghcb_sw_scratch_is_valid(ghcb)) + if (!kvm_ghcb_sw_scratch_is_valid(svm)) goto vmgexit_err; } else { if (!(ghcb_get_sw_exit_info_1(ghcb) & SVM_IOIO_TYPE_MASK)) - if (!ghcb_rax_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; } break; case SVM_EXIT_MSR: - if (!ghcb_rcx_is_valid(ghcb)) + if (!kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; if (ghcb_get_sw_exit_info_1(ghcb)) { - if (!ghcb_rax_is_valid(ghcb) || - !ghcb_rdx_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm) || + !kvm_ghcb_rdx_is_valid(svm)) goto vmgexit_err; } break; case SVM_EXIT_VMMCALL: - if (!ghcb_rax_is_valid(ghcb) || - !ghcb_cpl_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm) || + !kvm_ghcb_cpl_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_RDTSCP: @@ -2521,19 +2525,19 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) case SVM_EXIT_WBINVD: break; case SVM_EXIT_MONITOR: - if (!ghcb_rax_is_valid(ghcb) || - !ghcb_rcx_is_valid(ghcb) || - !ghcb_rdx_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm) || + !kvm_ghcb_rcx_is_valid(svm) || + !kvm_ghcb_rdx_is_valid(svm)) goto vmgexit_err; break; case SVM_EXIT_MWAIT: - if (!ghcb_rax_is_valid(ghcb) || - !ghcb_rcx_is_valid(ghcb)) + if (!kvm_ghcb_rax_is_valid(svm) || + !kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; break; case SVM_VMGEXIT_MMIO_READ: case SVM_VMGEXIT_MMIO_WRITE: - if (!ghcb_sw_scratch_is_valid(ghcb)) + if (!kvm_ghcb_sw_scratch_is_valid(svm)) goto vmgexit_err; break; case SVM_VMGEXIT_NMI_COMPLETE: @@ -2563,9 +2567,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm) dump_ghcb(svm); } - /* Clear the valid entries fields */ - memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap)); - ghcb_set_sw_exit_info_1(ghcb, 2); ghcb_set_sw_exit_info_2(ghcb, reason); @@ -2586,7 +2587,7 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm) */ if (svm->sev_es.ghcb_sa_sync) { kvm_write_guest(svm->vcpu.kvm, - ghcb_get_sw_scratch(svm->sev_es.ghcb), + svm->sev_es.sw_scratch, svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len); svm->sev_es.ghcb_sa_sync = false; @@ -2637,7 +2638,7 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 len) u64 scratch_gpa_beg, scratch_gpa_end; void *scratch_va; - scratch_gpa_beg = ghcb_get_sw_scratch(ghcb); + scratch_gpa_beg = svm->sev_es.sw_scratch; if (!scratch_gpa_beg) { pr_err("vmgexit: scratch gpa not provided\n"); goto e_scratch; @@ -2853,11 +2854,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) exit_code = ghcb_get_sw_exit_code(ghcb); + sev_es_sync_from_ghcb(svm); ret = sev_es_validate_vmgexit(svm); if (ret) return ret; - sev_es_sync_from_ghcb(svm); ghcb_set_sw_exit_info_1(ghcb, 0); ghcb_set_sw_exit_info_2(ghcb, 0); diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 18af7e712a5a..8239c8de45ac 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -190,10 +190,12 @@ struct vcpu_sev_es_state { /* SEV-ES support */ struct sev_es_save_area *vmsa; struct ghcb *ghcb; + u8 valid_bitmap[16]; struct kvm_host_map ghcb_map; bool received_first_sipi; /* SEV-ES scratch area support */ + u64 sw_scratch; void *ghcb_sa; u32 ghcb_sa_len; bool ghcb_sa_sync; @@ -744,4 +746,28 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm); void __svm_sev_es_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted); void __svm_vcpu_run(struct vcpu_svm *svm, bool spec_ctrl_intercepted); +#define DEFINE_KVM_GHCB_ACCESSORS(field) \ + static __always_inline bool kvm_ghcb_##field##_is_valid(const struct vcpu_svm *svm) \ + { \ + return test_bit(GHCB_BITMAP_IDX(field), \ + (unsigned long *)&svm->sev_es.valid_bitmap); \ + } \ + \ + static __always_inline u64 kvm_ghcb_get_##field##_if_valid(struct vcpu_svm *svm, struct ghcb *ghcb) \ + { \ + return kvm_ghcb_##field##_is_valid(svm) ? ghcb->save.field : 0; \ + } \ + +DEFINE_KVM_GHCB_ACCESSORS(cpl) +DEFINE_KVM_GHCB_ACCESSORS(rax) +DEFINE_KVM_GHCB_ACCESSORS(rcx) +DEFINE_KVM_GHCB_ACCESSORS(rdx) +DEFINE_KVM_GHCB_ACCESSORS(rbx) +DEFINE_KVM_GHCB_ACCESSORS(rsi) +DEFINE_KVM_GHCB_ACCESSORS(sw_exit_code) +DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_1) +DEFINE_KVM_GHCB_ACCESSORS(sw_exit_info_2) +DEFINE_KVM_GHCB_ACCESSORS(sw_scratch) +DEFINE_KVM_GHCB_ACCESSORS(xcr0) + #endif -- 2.39.0

1 year, 4 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2023