From 06cae871d06fa6f47eef462d29bf82676036c531 Mon Sep 17 00:00:00 2001
From: Frederic Weisbecker
Date: May 02 2023 09:35:19 +0000
Subject: Merge 'SLE15-SP2-LTSS' (224a98a1fcb) into 'SLE15-SP2-RT'
- No -rt specific changes this merge.
---
diff --git a/patches.suse/msft-hv-2770-Drivers-vmbus-Check-for-channel-allocation-before-lo.patch b/patches.suse/msft-hv-2770-Drivers-vmbus-Check-for-channel-allocation-before-lo.patch
new file mode 100644
index 0000000..c4c9419
--- /dev/null
+++ b/patches.suse/msft-hv-2770-Drivers-vmbus-Check-for-channel-allocation-before-lo.patch
@@ -0,0 +1,42 @@
+From: Mohammed Gamal
+Date: Fri, 17 Feb 2023 22:44:11 +0200
+Patch-mainline: v6.3-rc6
+Subject: Drivers: vmbus: Check for channel allocation before looking up relids
+Git-commit: 1eb65c8687316c65140b48fad27133d583178e15
+References: git-fixes
+
+relid2channel() assumes vmbus channel array to be allocated when called.
+However, in cases such as kdump/kexec, not all relids will be reset by the host.
+When the second kernel boots and if the guest receives a vmbus interrupt during
+vmbus driver initialization before vmbus_connect() is called, before it finishes,
+or if it fails, the vmbus interrupt service routine is called which in turn calls
+relid2channel() and can cause a null pointer dereference.
+
+Print a warning and error out in relid2channel() for a channel id that's invalid
+in the second kernel.
+
+Fixes: 8b6a877c060e ("Drivers: hv: vmbus: Replace the per-CPU channel lists with a global array of channels")
+
+Signed-off-by: Mohammed Gamal
+Reviewed-by: Dexuan Cui
+Link: https://lore.kernel.org/r/20230217204411.212709-1-mgamal@redhat.com
+Signed-off-by: Wei Liu
+Acked-by: Olaf Hering
+---
+ drivers/hv/connection.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -409,6 +409,10 @@ void vmbus_disconnect(void)
+ */
+ struct vmbus_channel *relid2channel(u32 relid)
+ {
++ if (vmbus_connection.channels == NULL) {
++ pr_warn_once("relid2channel: relid=%d: No channels mapped!\n", relid);
++ return NULL;
++ }
+ if (WARN_ON(relid >= MAX_CHANNEL_RELIDS))
+ return NULL;
+ return READ_ONCE(vmbus_connection.channels[relid]);
diff --git a/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch b/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
new file mode 100644
index 0000000..6fb1683
--- /dev/null
+++ b/patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
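Review bot: The warning added in the first `++` line of the inner hunk prints the `u32 relid` with `%d`, so any relid with the top bit set is reported as a negative number; `%u` matches the declared type: `pr_warn_once("relid2channel: relid=%u: No channels mapped!\n", relid);`. The new NULL check and the existing `READ_ONCE(vmbus_connection.channels[relid])` also load the `channels` pointer twice, so if the array can be torn down while an interrupt is still in flight (the description says vmbus_connect() may be unfinished or have failed), the check passes and the later index dereferences a stale pointer; loading it once, `struct vmbus_channel **channels = READ_ONCE(vmbus_connection.channels);`, and indexing that local removes the window. Whether teardown can actually race this path is not visible in the hunk and should be confirmed against vmbus_disconnect(). relid2channel()'s closing brace lies outside the hunk.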
@@ -0,0 +1,94 @@
+From: KP Singh
+Date: Mon, 27 Feb 2023 07:05:40 +0100
+Subject: x86/speculation: Allow enabling STIBP with legacy IBRS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 6921ed9049bc7457f66c1596c5b78aec0dae4a9d
+Patch-mainline: 6.3-rc1
+References: bsc#1210506 CVE-2023-1998
+
+When plain IBRS is enabled (not enhanced IBRS), the logic in
+spectre_v2_user_select_mitigation() determines that STIBP is not needed.
+
+The IBRS bit implicitly protects against cross-thread branch target
+injection. However, with legacy IBRS, the IBRS bit is cleared on
+returning to userspace for performance reasons which leaves userspace
+threads vulnerable to cross-thread branch target injection against which
+STIBP protects.
+
+Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for
+enabling STIBP (through seccomp/prctl() by default or always-on, if
+selected by spectre_v2_user kernel cmdline parameter).
+
+ [ bp: Massage. ]
+
+Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
+Reported-by: José Oliveira
+Reported-by: Rodrigo Branco
+Signed-off-by: KP Singh
+Signed-off-by: Borislav Petkov (AMD)
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230220120127.1975241-1-kpsingh@kernel.org
+Link: https://lore.kernel.org/r/20230221184908.2349578-1-kpsingh@kernel.org
+Signed-off-by: Jiri Slaby
+---
+ arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1023,14 +1023,18 @@ spectre_v2_parse_user_cmdline(void)
+ return SPECTRE_V2_USER_CMD_AUTO;
+ }
+
+-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
+ {
+- return mode == SPECTRE_V2_IBRS ||
+- mode == SPECTRE_V2_EIBRS ||
++ return mode == SPECTRE_V2_EIBRS ||
+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||
+ mode == SPECTRE_V2_EIBRS_LFENCE;
+ }
+
++static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++{
++ return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
++}
++
+ static void __init
+ spectre_v2_user_select_mitigation(void)
+ {
+@@ -1093,12 +1097,19 @@ spectre_v2_user_select_mitigation(void)
+ }
+
+ /*
+- * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
+- * STIBP is not required.
++ * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
++ * is not required.
++ *
++ * Enhanced IBRS also protects against cross-thread branch target
++ * injection in user-mode as the IBRS bit remains always set which
++ * implicitly enables cross-thread protections. However, in legacy IBRS
++ * mode, the IBRS bit is set only on kernel entry and cleared on return
++ * to userspace. This disables the implicit cross-thread protection,
++ * so allow for STIBP to be selected in that case.
+ */
+ if (!boot_cpu_has(X86_FEATURE_STIBP) ||
+ !smt_possible ||
+- spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++ spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ return;
+
+ /*
+@@ -2158,7 +2169,7 @@ static ssize_t mmio_stale_data_show_stat
+
+ static char *stibp_state(void)
+ {
+- if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ return "";
+
+ switch (spectre_v2_user_stibp) {
diff --git a/series.conf b/series.conf
index 1413769..3733145 100644
--- a/series.conf
+++ b/series.conf
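Review bot: The rewritten comment in the second inner hunk, `If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP is not required.`, reads as if the absence of STIBP were a precondition of the other two cases rather than one of three independent reasons; `* If there is no STIBP, or enhanced IBRS is enabled, or SMT is impossible,` / `* STIBP is not required.` keeps the three-way "or" that the code below it tests. Keeping `spectre_v2_in_ibrs_mode()` as a wrapper over the new `spectre_v2_in_eibrs_mode()` means only the two call sites changed here (the early return in spectre_v2_user_select_mitigation() and stibp_state()) change meaning; any other caller that reports or gates STIBP on it is outside this hunk and should be checked so sysfs output stays consistent with the new selection. The header tags the release as `Patch-mainline: 6.3-rc1` while the other new patch file in this merge writes `v6.3-rc6`; aligning the form helps tooling that parses the tag. Both enclosing functions continue outside their hunks.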
@@ -23585,10 +23585,12 @@ patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch + patches.suse/x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch + patches.suse/msft-hv-2770-Drivers-vmbus-Check-for-channel-allocation-before-lo.patch ######################################################## # end of sorted patches