Unverified Commit bbee829a authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!342 sync pull request https://gitee.com/openeuler/kernel/pulls/340 from openEuler-22.03-LTS.

Merge Pull Request from: @openeuler-sync-bot 
 
Auto sync pull request https://gitee.com/openeuler/kernel/pulls/340 from openEuler-22.03-LTS.

Original pull request related commit(s) at <Original branch name>:
04856b0e KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
a9d49f94 bfq: fix null-ptr-deref in bfq_pd_offline
9da915fa i2c: ismt: Fix an out-of-bounds bug in ismt_access()
9bb7487f ksmbd: fix heap-based overflow in set_ntacl_dacl()
6bd39552 ksmbd: prevent out of bound read for SMB2_WRITE
61dc2a2e ksmbd: validate length in smb2_write()
5a5e896a xfs: fix super block buf log item UAF during force shutdown
1146fdf4 xfs: wait iclog complete before tearing down AIL
be18cd15 xfs: get rid of assert from xfs_btree_islastblock

Pull new CVEs:
CVE-2022-2196
CVE-2022-2873
CVE-2022-47942
CVE-2022-47943
CVE-2022-47940

fs bugfixes from Guo Xuenan and Li Nan:
xfs: fix super block buf log item UAF during force shutdown
xfs: wait iclog complete before tearing down AIL
xfs: get rid of assert from xfs_btree_islastblock
bfq: fix null-ptr-deref in bfq_pd_offline 
 
Link:https://gitee.com/openeuler/kernel/pulls/342

 
Reviewed-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parents 23ac13e3 383c1ef2
+11 −0
@@ -4543,6 +4543,17 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,

	vmx_switch_vmcs(vcpu, &vmx->vmcs01);

	/*
	 * If IBRS is advertised to the vCPU, KVM must flush the indirect
	 * branch predictors when transitioning from L2 to L1, as L1 expects
	 * hardware (KVM in this case) to provide separate predictor modes.
	 * Bare metal isolates VMX root (host) from VMX non-root (guest), but
	 * doesn't isolate different VMCSs, i.e. in this case, doesn't provide
	 * separate modes for L2 vs L1.
	 */
	if (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
		indirect_branch_prediction_barrier();

	/* Update any VMCS fields that might have changed while L2 ran */
	vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr);
	vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, vmx->msr_autoload.guest.nr);
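Review bot: Whether the barrier added after `vmx_switch_vmcs(vcpu, &vmx->vmcs01)` actually executes depends on how `indirect_branch_prediction_barrier()` is implemented, which is not visible in this hunk. If that helper is gated on a host-side mitigation setting, a vCPU that is advertised IBRS could still get no predictor flush on the L2-to-L1 transition on hosts where the setting is off. Please confirm this for this tree, and if the helper is conditional, record it in the comment, e.g. `/* NOTE: relies on the host having IBPB enabled; otherwise this is a no-op. */`. The guard keys only on `X86_FEATURE_SPEC_CTRL`, so the comment could name that bit instead of "IBRS" generically. `nested_vmx_vmexit()` starts and ends outside the hunk.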
+4 −2
@@ -1454,8 +1454,10 @@ void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu,

		/*
		 * No indirect branch prediction barrier needed when switching
		 * the active VMCS within a guest, e.g. on nested VM-Enter.
		 * The L1 VMM can protect itself with retpolines, IBPB or IBRS.
		 * the active VMCS within a vCPU, unless IBRS is advertised to
		 * the vCPU.  To minimize the number of IBPBs executed, KVM
		 * performs IBPB on nested VM-Exit (a single nested transition
		 * may switch the active VMCS multiple times).
		 */
		if (!buddy || WARN_ON_ONCE(buddy->vmcs != prev))
			indirect_branch_prediction_barrier();
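Review bot: The rewritten comment above `if (!buddy || WARN_ON_ONCE(buddy->vmcs != prev))` says no barrier is needed "unless IBRS is advertised to the vCPU", yet the condition below it never looks at guest CPUID. A reader has to infer that the exception is handled somewhere else. Naming the place would remove the ambiguity, for example by ending the comment with `See nested_vmx_vmexit() for the IBPB issued when IBRS is advertised.` The rest of `vmx_vcpu_load_vmcs()` is outside the hunk.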
+3 −0
@@ -911,6 +911,9 @@ static void bfq_pd_offline(struct blkg_policy_data *pd)
	unsigned long flags;
	int i;

	if (!bfqg->online)
		return;

	spin_lock_irqsave(&bfqd->lock, flags);

	if (!entity) /* root group */
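Review bot: The new `if (!bfqg->online) return;` is evaluated before `spin_lock_irqsave(&bfqd->lock, flags)`, so the flag is read without the lock this function takes for the rest of its work. If `online` can be changed by another path while the group is being offlined (not visible here), the test should move under the lock, or the reason the unlocked read is safe should be stated. A short comment would also help, since the hunk does not show the dereference that the commit title refers to; if the intent is what it appears to be, something like `/* Group was never brought online or was already offlined: nothing to tear down. */`. `bfq_pd_offline()` continues past the end of the hunk.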
+3 −0
@@ -507,6 +507,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
		if (read_write == I2C_SMBUS_WRITE) {
			/* Block Write */
			dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA:  WRITE\n");
			if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
				return -EINVAL;

			dma_size = data->block[0] + 1;
			dma_direction = DMA_TO_DEVICE;
			desc->wr_len_cmd = dma_size;
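Review bot: The length check covers only the write side of `I2C_SMBUS_BLOCK_DATA`. Any other case in `ismt_access()` that derives `dma_size` or `desc->wr_len_cmd` from the caller-supplied `data->block[0]` needs the same bound, and those cases are outside this hunk, so they should be audited alongside this change. A one-line comment on the new test, such as `/* block[0] is the caller-supplied byte count; reject it before it sizes the DMA transfer */`, would record why the check sits ahead of the `dma_size` assignment. The function begins and ends outside the hunk.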
+5 −2
@@ -132,8 +132,11 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
		*len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
		break;
	case SMB2_WRITE:
		if (((struct smb2_write_req *)hdr)->DataOffset) {
			*off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset);
		if (((struct smb2_write_req *)hdr)->DataOffset ||
		    ((struct smb2_write_req *)hdr)->Length) {
			*off = max_t(unsigned int,
				     le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset),
				     offsetof(struct smb2_write_req, Buffer));
			*len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
			break;
		}
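Review bot: `max_t()` in the `SMB2_WRITE` case gives `*off` a lower bound of `offsetof(struct smb2_write_req, Buffer)`, but nothing in this hunk bounds `*off + *len` from above, and `Length` is a 32-bit field taken straight from the request. Please confirm that the code after the switch, or the caller, validates the pair against the received message size before the write path uses them. Separately, the cast `(struct smb2_write_req *)hdr` now appears four times in this case; a local declared in a braced block, `struct smb2_write_req *req = (struct smb2_write_req *)hdr;`, would make the condition and the two assignments easier to audit. `smb2_get_data_area_len()` continues outside the hunk.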