powerpc fixes for 6.10 #3

- Prevent use-after-free in 64-bit KVM VFIO
 
  - Add generated Power8 crypto asm to .gitignore
 
 Thanks to: Al Viro, Nathan Lynch.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEJFGtCPCthwEv2Y/bUevqPMjhpYAFAmZ3gh8THG1wZUBlbGxl
 cm1hbi5pZC5hdQAKCRBR6+o8yOGlgFJFD/9qRGjTbC8KOXhgtMevyZ78NlvWGsqj
 LvrXmeS74/LPGz2soKriei+kho1ZfB8Z+scNI381fqXg21hwDD74b2mEOCgjc19Z
 uKYMCEv1VxCCaz/4GiSOmDEUXC5IQnP/k6JuXYPxFCTrhQaEajknXM7EzU3JPQiB
 zB+xhvq0tVsB/QEvTJmzsVCnujZrYniILCgfE5/dw52sZ8dekdXh0YbZuZWpPpLT
 qqXTDovOE0WA6KNLrwZKYypbw2+YS/nV4Tl9DyHAm9M39zBBGiaHpOscBLEfpEHD
 U79pwe5sJgx6xiB9OnSkkDnoaMFauTtQmlKoYUVNC5asiKOVAKiykFmXFUBBoTA+
 rRKT7UhIYxdxyP6GWqKAbl2poZlqXTI5bRTJSAxVgxnab3bMc6o6A9RtcgylTaoB
 IiUdfj+5QiglHhN5cMWIuXDVRSIQBoDZqBJplkYCmDsIRRNntK1xdqSSfBs5jD2h
 D6B5as4q23cqFphhyfHApxyj1MGVHJiK0C2Ns0IPkaCV8XN2TvwjsKJnGfgEJmRj
 rrQtsn9r6u+ZW/xKhX88Fk4YK9XH4Yzr+8dDy+AYuOVfTKZjJma4oNmZeQDyriNh
 bR1Cs7eCpEp1TwbM8tEPt+YkGqJVNER1QAxfmLJ08Yiu98e1efVhgMdZWESX152f
 Kl6X9Re8Fk2ZLA==
 =CGCC
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:

 - Prevent use-after-free in 64-bit KVM VFIO

 - Add generated Power8 crypto asm to .gitignore

Thanks to Al Viro and Nathan Lynch.

* tag 'powerpc-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
  powerpc/crypto: Add generated P8 asm to .gitignore
Linus Torvalds 2024-06-23 07:13:23 -07:00
commit d1505b5cd0
2 changed files with 15 additions and 5 deletions


@ -1,3 +1,5 @@
# SPDX-License-Identifier: GPL-2.0-only
aesp10-ppc.S
aesp8-ppc.S
ghashp10-ppc.S
ghashp8-ppc.S


@ -130,14 +130,16 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
}
rcu_read_unlock();
fdput(f);
if (!found)
if (!found) {
fdput(f);
return -EINVAL;
}
table_group = iommu_group_get_iommudata(grp);
if (WARN_ON(!table_group))
if (WARN_ON(!table_group)) {
fdput(f);
return -EFAULT;
}
for (i = 0; i < IOMMU_TABLE_GROUP_MAX_TABLES; ++i) {
struct iommu_table *tbltmp = table_group->tables[i];
@ -158,8 +160,10 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
break;
}
}
if (!tbl)
if (!tbl) {
fdput(f);
return -EINVAL;
}
rcu_read_lock();
list_for_each_entry_rcu(stit, &stt->iommu_tables, next) {
@ -170,6 +174,7 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
/* stit is being destroyed */
iommu_tce_table_put(tbl);
rcu_read_unlock();
fdput(f);
return -ENOTTY;
}
/*
@ -177,6 +182,7 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
* its KVM reference counter and can return.
*/
rcu_read_unlock();
fdput(f);
return 0;
}
rcu_read_unlock();
@ -184,6 +190,7 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
stit = kzalloc(sizeof(*stit), GFP_KERNEL);
if (!stit) {
iommu_tce_table_put(tbl);
fdput(f);
return -ENOMEM;
}
@ -192,6 +199,7 @@ long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
list_add_rcu(&stit->next, &stt->iommu_tables);
fdput(f);
return 0;
}
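Review bot: The file reference is now released by a separate `fdput(f);` before each `return` in kvm_spapr_tce_attach_iommu_group() (seven exits across these hunks), so every exit added later has to remember it. A missing call leaks the reference, and a call placed before the last use of `stt` brings the use-after-free back. Funnelling the exits through one label keeps the put in a single place after the final `stt` access, as sketched below. The sketch assumes a local `long ret` declared at the top of the function, which lies outside the hunks shown, as does the code that obtains `stt` from `f`. The lifetime rule in the label comment is inferred from the commit title and from `stt->iommu_tables` being used after the old `fdput(f)` position, so confirm it against the lookup code.

```c
	if (!found) {
		ret = -EINVAL;
		goto out_fdput;
	}
	/* … unchanged: table_group/tbl lookup and the RCU list walk; each early exit sets ret and jumps to out_fdput after its own rcu_read_unlock()/iommu_tce_table_put() … */
	list_add_rcu(&stit->next, &stt->iommu_tables);
	ret = 0;
out_fdput:
	/* stt is only valid while f is held, so the put must come after the last stt access */
	fdput(f);
	return ret;
}
```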