diff --git a/blacklist.conf b/blacklist.conf
index c1d0995..188421b 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2813,3 +2813,37 @@ a494398bde273143c2352dd373cad8211f7d94b2 # not needed with downstream version of
 3c91b0c1de8d013490bbc41ce9ee8810ea5baddd # not needed
 64d7839af8c8f67daaf9bf387135052c55d85f90 # already applied
 7856e8616273098dc6c09a6e084afd98a283ff0d # already applied
+633e2b2ded739a34bd0fb1d8b5b871f7e489ea29 # breaks existing user space
+3670de80678961eda7fa2220883fc77c16868951 # potential of breaking API
+98a65439172dc69cb16834e62e852afc2adb83ed # driver not enabled: video: fbdev: kyro: fix a DoS bug by restricting user input
+b36b242d4b8ea178f7fd038965e3cac7f30c3f09 # driver not enabled: video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
+1520b4b7ba964f8eec2e7dd14c571d50de3e5191 # driver not enabled: video: fbdev: kyro: Error out if 'pixclock' equals zero
+f92763cb0feba247e0939ed137b495601fd072a5 # driver not enabled: video: fbdev: riva: Error out if 'pixclock' equals zero
+37a1a2e6eeeb101285cd34e12e48a881524701aa # driver not enabled: video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
+8738ddcac644964ae128ccd3d80d48773c8d528e # driver not enabled: video: fbdev: w100fb: Reset global state
+5c6f402bdcf9e7239c6bc7087eda71ac99b31379 # driver not enabled: video: fbdev: cirrusfb: check pixclock to avoid divide by zero
+24565bc4115961db7ee64fcc7ad2a7437c0d0a49 # driver not enabled: video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
+f63658a59c3d439c8ad7b290f8ec270980e0f384 # driver not enabled: video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
+c07a039cbb96748f54c02995bae8131cc9a73b0a # driver not enabled: video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
+4f01d09b2bbfbcb47b3eb305560a7f4857a32260 # driver not enabled: video: fbdev: sm712fb: Fix crash in smtcfb_write()
+d87ad457f7e1b8d2492ca5b1531eb35030a1cc8f # driver not enabled: video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
+a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 # driver not enabled: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
+40bf722f8064f50200b8c4f8946cd625b441dda9 # driver not enabled: video: fbdev: i740fb: Check the argument of i740_calc_vclk()
+07c55c9803dea748d17a054000cbf1913ce06399 # driver not enabled: fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()
+5610bcfe8693c02e2e4c8b31427f1bdbdecc839c # driver not enabled: fbdev: smscufx: Fix use-after-free in ufx_ops_open()
+aca7c13d3bee81a968337a5515411409ae9d095d # driver not enabled: parisc: fbdev/stifb: Align graphics memory size to 4MB
+cc67482c9e5f2c80d62f623bcc347c29f9f648e1 # driver not enabled: fbdev: smscufx: Fix several use-after-free bugs
+3c6bf6bddc84888c0ce163b09dee0ddd23b5172a # driver not enabled: fbdev: cyber2000fb: fix missing pci_disable_device()
+025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 # driver not enabled: fbdev: ssd1307fb: Drop optional dependency
+ed359a464846b48f76ea6cc5cd8257e545ac97f4 # driver not enabled: fbdev: pm2fb: fix missing pci_disable_device()
+5886b130de953cfb8826f7771ec8640a79934a7f # driver not enabled: fbdev: via: Fix error in via_core_init()
+001f2cdb952a9566c77fb4b5470cc361db5601bb # driver not enabled: fbdev: vermilion: decrease reference count in error path
+7f501aa71da9dc2eaae2b0118a151cad018d33b0 # driver not enabled: fbdev: omapfb: cleanup inconsistent indentation
+f90bd245de82c095187d8c2cabb8b488a39eaecc # driver not enabled: fbdev: tgafb: Fix potential divide by zero
+203873a535d627c668f293be0cb73e26c30f9cc7 # driver not enabled: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
+92e2a00f2987483e1f9253625828622edd442e61 # driver not enabled: fbdev: nvidia: Fix potential divide by zero
+d823685486a3446d061fed7c7d2f80af984f119a # driver not enabled: fbdev: intelfb: Fix potential divide by zero
+61ac4b86a4c047c20d5cb423ddd87496f14d9868 # driver not enabled: fbdev: lxfb: Fix potential divide by zero
+44a3b36b42acfc433aaaf526191dd12fbb919fdb # driver not enabled: fbdev: au1200fb: Fix potential divide by zero
+5a6bef734247c7a8c19511664ff77634ab86f45b # driver not enabled: fbdev: arcfb: Fix error handling in arcfb_probe()
+ed9de4ed39875706607fb08118a58344ae6c5f42 # driver not enabled: fbdev: udlfb: Fix endpoint check
diff --git a/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch b/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch
new file mode 100644
index 0000000..1ec3019
--- /dev/null
+++ b/patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch
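Review bot: The first two added entries, `633e2b2ded739a34bd0fb1d8b5b871f7e489ea29 # breaks existing user space` and `3670de80678961eda7fa2220883fc77c16868951 # potential of breaking API`, carry only a reason and not the subject of the upstream commit, while every other entry in this hunk names the declined commit after the reason. A later audit of the blacklist has to look both hashes up to learn what was declined and whether the reason still holds. Appending the subject the way the rest of the hunk does, e.g. `633e2b2ded739a34bd0fb1d8b5b871f7e489ea29 # breaks existing user space: <upstream subject>`, keeps the file self-describing.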
@@ -0,0 +1,47 @@
+Patch-mainline: v5.0-rc4
+Git-commit: 619ad846fc3452adaf71ca246c5aa711e2055398
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Mon, 7 Jan 2019 19:44:51 +0100
+Subject: [PATCH] KVM: nSVM: clear events pending from
+ svm_complete_interrupts() when exiting to L1
+
+kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being
+delivered to the host (L1) when it's running nested. The problem seems to
+be: svm_complete_interrupts() raises 'nmi_injected' flag but later we
+decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI
+injection upon entry so it got delivered to L1 instead of L2.
+
+It seems that VMX code solves the same issue in prepare_vmcs12(), this was
+introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework
+event injection and recovery").
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/svm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 8a0c9a1f6ac8..9caf1252c64a 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3414,6 +3414,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
+ kvm_mmu_reset_context(&svm->vcpu);
+ kvm_mmu_load(&svm->vcpu);
+
++ /*
++ * Drop what we picked up for L2 via svm_complete_interrupts() so it
++ * doesn't end up in L1.
++ */
++ svm->vcpu.arch.nmi_injected = false;
++ kvm_clear_exception_queue(&svm->vcpu);
++ kvm_clear_interrupt_queue(&svm->vcpu);
++
+ return 0;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch b/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch
new file mode 100644
index 0000000..76b2bd1
--- /dev/null
+++ b/patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch
@@ -0,0 +1,109 @@ +Patch-mainline: v4.17-rc1 +Git-commit: ddd6f0e94d3153951580d5b88b9d97c7e26a0e00 +References: git-fixes +From: KarimAllah Ahmed +Date: Wed, 28 Feb 2018 19:06:48 +0100 +Subject: [PATCH] KVM: x86: Update the exit_qualification access bits while + walking an address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... to avoid having a stale value when handling an EPT misconfig for MMIO +regions. + +MMIO regions that are not passed-through to the guest are handled through +EPT misconfigs. The first time a certain MMIO page is touched it causes an +EPT violation, then KVM marks the EPT entry to cause an EPT misconfig +instead. Any subsequent accesses to the entry will generate an EPT +misconfig. + +Things gets slightly complicated with nested guest handling for MMIO +regions that are not passed through from L0 (i.e. emulated by L0 +user-space). + +An EPT violation for one of these MMIO regions from L2, exits to L0 +hypervisor. L0 would then look at the EPT12 mapping for L1 hypervisor and +realize it is not present (or not sufficient to serve the request). Then L0 +injects an EPT violation to L1. L1 would then update its EPT mappings. The +EXIT_QUALIFICATION value for L1 would come from exit_qualification variable +in "struct vcpu". The problem is that this variable is only updated on EPT +violation and not on EPT misconfig. So if an EPT violation because of a +read happened first, then an EPT misconfig because of a write happened +afterwards. The L0 hypervisor will still contain exit_qualification value +from the previous read instead of the write and end up injecting an EPT +violation to the L1 hypervisor with an out of date EXIT_QUALIFICATION. + +The EPT violation that is injected from L0 to L1 needs to have the correct +EXIT_QUALIFICATION specially for the access bits because the individual +access bits for MMIO EPTs are updated only on actual access of this +specific type. 
So for the example above, the L1 hypervisor will keep +updating only the read bit in the EPT then resume the L2 guest. The L2 +guest would end up causing another exit where the L0 *again* will inject +another EPT violation to L1 hypervisor with *again* an out of date +exit_qualification which indicates a read and not a write. Then this +ping-pong just keeps happening without making any forward progress. + +The behavior of mapping MMIO regions changed in: + + commit a340b3e229b24 ("kvm: Map PFN-type memory regions as writable (if possible)") + +... where an EPT violation for a read would also fixup the write bits to +avoid another EPT violation which by acciddent would fix the bug mentioned +above. + +This commit fixes this situation and ensures that the access bits for the +exit_qualifcation is up to date. That ensures that even L1 hypervisor +running with a KVM version before the commit mentioned above would still +work. + +( The description above assumes EPT to be available and used by L1 + hypervisor + the L1 hypervisor is passing through the MMIO region to the L2 + guest while this MMIO region is emulated by the L0 user-space ). + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: H. Peter Anvin +Cc: x86@kernel.org +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Signed-off-by: Radim Krčmář +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/paging_tmpl.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h +index 5abae72266b7..6288e9d7068e 100644 +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -452,14 +452,21 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, + * done by is_rsvd_bits_set() above. 
+ * + * We set up the value of exit_qualification to inject: +- * [2:0] - Derive from [2:0] of real exit_qualification at EPT violation ++ * [2:0] - Derive from the access bits. The exit_qualification might be ++ * out of date if it is serving an EPT misconfiguration. + * [5:3] - Calculated by the page walk of the guest EPT page tables + * [7:8] - Derived from [7:8] of real exit_qualification + * + * The other bits are set to 0. + */ + if (!(errcode & PFERR_RSVD_MASK)) { +- vcpu->arch.exit_qualification &= 0x187; ++ vcpu->arch.exit_qualification &= 0x180; ++ if (write_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE; ++ if (user_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ; ++ if (fetch_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR; + vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3; + } + #endif +-- +2.35.3 + diff --git a/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch b/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch new file mode 100644 index 0000000..22ab451 --- /dev/null +++ b/patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch 
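Review bot: The new line `if (user_fault) vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ;` maps a variable named user_fault onto the read-access bit with no explanation, and it is the one line of the hunk a later reader is likely to "correct". Presumably the EPT walker reuses the user-fault flag to carry the read-access request (confirm against the walker's callers); a one-line comment above it, `/* for EPT walks the "user" fault flag carries the read-access request */`, would record that. The surrounding block comment is updated for bits [2:0] only, which is consistent with the code change. walk_addr_generic starts and ends outside the hunk.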
@@ -0,0 +1,51 @@
+Patch-mainline: v5.1-rc6
+Git-commit: 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Wed, 27 Mar 2019 15:12:20 +0100
+Subject: [PATCH] KVM: x86: avoid misreporting level-triggered irqs as
+ edge-triggered in tracing
+
+In __apic_accept_irq() interface trig_mode is int and actually on some code
+paths it is set above u8:
+
+kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode
+is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to
+(1 << 15) & e->msi.data
+
+kvm_apic_local_deliver sets it to reg & (1 << 15).
+
+Fix the immediate issue by making 'tm' into u16. We may also want to adjust
+__apic_accept_irq() interface and use proper sizes for vector, level,
+trig_mode but this is not urgent.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
+index 6432d08c7de7..4d47a2631d1f 100644
+--- a/arch/x86/kvm/trace.h
++++ b/arch/x86/kvm/trace.h
+@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi,
+ );
+
+ TRACE_EVENT(kvm_apic_accept_irq,
+- TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec),
++ TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec),
+ TP_ARGS(apicid, dm, tm, vec),
+
+ TP_STRUCT__entry(
+ __field( __u32, apicid )
+ __field( __u16, dm )
+- __field( __u8, tm )
++ __field( __u16, tm )
+ __field( __u8, vec )
+ ),
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch b/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
new file mode 100644
index 0000000..8eebcb5
--- /dev/null
+++ b/patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
@@ -0,0 +1,39 @@
+Patch-mainline: v6.1-rc4
+Git-commit: 5015bb89b58225f97df6ac44383e7e8c8662c8c9
+References: git-fixes
+From: Maxim Levitsky
+Date: Tue, 25 Oct 2022 15:47:28 +0300
+Subject: [PATCH] KVM: x86: emulator: em_sysexit should update ctxt->mode
+
+SYSEXIT is one of the instructions that can change the
+processor mode, thus ctxt->mode should be updated after it.
+
+Note that this is likely a benign bug, because the only problematic
+mode change is from 32 bit to 64 bit which can lead to truncation of RIP,
+and it is not possible to do with sysexit,
+since sysexit running in 32 bit mode will be limited to 32 bit version.
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20221025124741.228045-11-mlevitsk@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/emulate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 3b27622d4642..261732957431 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2876,6 +2876,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ctxt->_eip = rdx;
++ ctxt->mode = usermode;
+ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch b/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch
new file mode 100644
index 0000000..3eff6de
--- /dev/null
+++ b/patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch
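Review bot: The added `ctxt->mode = usermode;` sits between the RIP and RSP updates with no comment, and nothing in the code says why the emulation mode must be refreshed at this point; the rationale lives only in the commit message. A short comment on that line, `/* SYSEXIT can change the processor mode; keep the emulator's view in sync */`, keeps the intent with the code, which matters because the mode drives operand-size handling for everything emulated afterwards. em_sysexit, including the computation of usermode, starts outside the hunk.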
@@ -0,0 +1,166 @@
+Patch-mainline: v6.1-rc4
+Git-commit: d087e0f79fa0dd336a9a6b2f79ec23120f5eff73
+References: git-fixes
+From: Maxim Levitsky
+Date: Tue, 25 Oct 2022 15:47:29 +0300
+Subject: [PATCH] KVM: x86: emulator: introduce emulator_recalc_and_set_mode
+
+Some instructions update the cpu execution mode, which needs to update the
+emulation mode.
+
+Extract this code, and make assign_eip_far use it.
+
+assign_eip_far now reads CS, instead of getting it via a parameter,
+which is ok, because callers always assign CS to the same value
+before calling this function.
+
+No functional change is intended.
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20221025124741.228045-12-mlevitsk@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/emulate.c | 85 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 57 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 261732957431..e5522a23d985 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -791,8 +791,7 @@ static int linearize(struct x86_emulate_ctxt *ctxt,
+ ctxt->mode, linear);
+ }
+
+-static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
+- enum x86emul_mode mode)
++static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst)
+ {
+ ulong linear;
+ int rc;
+@@ -802,41 +801,71 @@ static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
+
+ if (ctxt->op_bytes != sizeof(unsigned long))
+ addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
+- rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
++ rc = __linearize(ctxt, addr, &max_size, 1, false, true, ctxt->mode, &linear);
+ if (rc == X86EMUL_CONTINUE)
+ ctxt->_eip = addr.ea;
+ return rc;
+ }
+
++static inline int emulator_recalc_and_set_mode(struct x86_emulate_ctxt *ctxt)
++{
++ u64 efer;
++ struct desc_struct cs;
++ u16 selector;
++ u32 base3;
++
++ ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
++
++ if (!(ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PE)) {
++ /* Real mode. cpu must not have long mode active */
++ if (efer & EFER_LMA)
++ return X86EMUL_UNHANDLEABLE;
++ ctxt->mode = X86EMUL_MODE_REAL;
++ return X86EMUL_CONTINUE;
++ }
++
++ if (ctxt->eflags & X86_EFLAGS_VM) {
++ /* Protected/VM86 mode. cpu must not have long mode active */
++ if (efer & EFER_LMA)
++ return X86EMUL_UNHANDLEABLE;
++ ctxt->mode = X86EMUL_MODE_VM86;
++ return X86EMUL_CONTINUE;
++ }
++
++ if (!ctxt->ops->get_segment(ctxt, &selector, &cs, &base3, VCPU_SREG_CS))
++ return X86EMUL_UNHANDLEABLE;
++
++ if (efer & EFER_LMA) {
++ if (cs.l) {
++ /* Proper long mode */
++ ctxt->mode = X86EMUL_MODE_PROT64;
++ } else if (cs.d) {
++ /* 32 bit compatibility mode*/
++ ctxt->mode = X86EMUL_MODE_PROT32;
++ } else {
++ ctxt->mode = X86EMUL_MODE_PROT16;
++ }
++ } else {
++ /* Legacy 32 bit / 16 bit mode */
++ ctxt->mode = cs.d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
++ }
++
++ return X86EMUL_CONTINUE;
++}
++
+ static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
+ {
+- return assign_eip(ctxt, dst, ctxt->mode);
++ return assign_eip(ctxt, dst);
+ }
+
+-static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
+- const struct desc_struct *cs_desc)
++static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst)
+ {
+- enum x86emul_mode mode = ctxt->mode;
+- int rc;
++ int rc = emulator_recalc_and_set_mode(ctxt);
+
+-#ifdef CONFIG_X86_64
+- if (ctxt->mode >= X86EMUL_MODE_PROT16) {
+- if (cs_desc->l) {
+- u64 efer = 0;
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
+
+- ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+- if (efer & EFER_LMA)
+- mode = X86EMUL_MODE_PROT64;
+- } else
+- mode = X86EMUL_MODE_PROT32; /* temporary value */
+- }
+-#endif
+- if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
+- mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
+- rc = assign_eip(ctxt, dst, mode);
+- if (rc == X86EMUL_CONTINUE)
+- ctxt->mode = mode;
+- return rc;
++ return assign_eip(ctxt, dst);
+ }
+
+ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+@@ -2172,7 +2201,7 @@ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
++ rc = assign_eip_far(ctxt, ctxt->src.val);
+ /* Error handling is not implemented. */
+ if (rc != X86EMUL_CONTINUE)
+ return X86EMUL_UNHANDLEABLE;
+@@ -2250,7 +2279,7 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ &new_desc);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+- rc = assign_eip_far(ctxt, eip, &new_desc);
++ rc = assign_eip_far(ctxt, eip);
+ /* Error handling is not implemented. */
+ if (rc != X86EMUL_CONTINUE)
+ return X86EMUL_UNHANDLEABLE;
+@@ -3470,7 +3499,7 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
++ rc = assign_eip_far(ctxt, ctxt->src.val);
+ if (rc != X86EMUL_CONTINUE)
+ goto fail;
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch b/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch
new file mode 100644
index 0000000..151a14d
--- /dev/null
+++ b/patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch
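Review bot: In the new emulator_recalc_and_set_mode, `u64 efer;` is left uninitialized and the return value of `ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);` is not checked, whereas the assign_eip_far code it replaces declared `u64 efer = 0;`. If get_msr ever fails, every later `efer & EFER_LMA` test reads an indeterminate value and the mode decision becomes unpredictable; `u64 efer = 0;` restores the old defensive default at no cost, or the call can be checked and fail with X86EMUL_UNHANDLEABLE the way the get_segment call below it already does. The function also drops the old `#ifdef CONFIG_X86_64` guard around the long-mode handling; this matches the upstream commit, but it is worth a sentence in the backport header if this tree is still built for 32-bit configurations.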
@@ -0,0 +1,58 @@
+Patch-mainline: v6.1-rc4
+Git-commit: ad8f9e69942c7db90758d9d774157e53bce94840
+References: git-fixes
+From: Maxim Levitsky
+Date: Tue, 25 Oct 2022 15:47:31 +0300
+Subject: [PATCH] KVM: x86: emulator: update the emulation mode after CR0 write
+
+Update the emulation mode when handling writes to CR0, because
+toggling CR0.PE switches between Real and Protected Mode, and toggling
+CR0.PG when EFER.LME=1 switches between Long and Protected Mode.
+
+This is likely a benign bug because there is no writeback of state,
+other than the RIP increment, and when toggling CR0.PE, the CPU has
+to execute code from a very low memory address.
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20221025124741.228045-14-mlevitsk@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/emulate.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 33385ebae100..2954c046740b 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3641,11 +3641,25 @@ static int em_movbe(struct x86_emulate_ctxt *ctxt)
+
+ static int em_cr_write(struct x86_emulate_ctxt *ctxt)
+ {
+- if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
++ int cr_num = ctxt->modrm_reg;
++ int r;
++
++ if (ctxt->ops->set_cr(ctxt, cr_num, ctxt->src.val))
+ return emulate_gp(ctxt, 0);
+
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
++
++ if (cr_num == 0) {
++ /*
++ * CR0 write might have updated CR0.PE and/or CR0.PG
++ * which can affect the cpu's execution mode.
++ */
++ r = emulator_recalc_and_set_mode(ctxt);
++ if (r != X86EMUL_CONTINUE)
++ return r;
++ }
++
+ return X86EMUL_CONTINUE;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-fix-empty-body-warnings.patch b/patches.suse/KVM-x86-fix-empty-body-warnings.patch
new file mode 100644
index 0000000..b32cb68
--- /dev/null
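Review bot: `int r;` is declared at function scope in em_cr_write but only used inside the `if (cr_num == 0)` block, so its scope is wider than its use; declaring it where it is assigned, `int r = emulator_recalc_and_set_mode(ctxt);` as the first statement of that block, reads more directly and mirrors how the same helper is called from assign_eip_far. Note also that by the time the recalc fails the CR0 write has already been applied through ops->set_cr, so an X86EMUL_UNHANDLEABLE return here leaves guest CR0 updated but the instruction not retired; that is presumably acceptable because writeback is already disabled, but a one-line comment saying so would save the next reader the analysis.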
+++ b/patches.suse/KVM-x86-fix-empty-body-warnings.patch
@@ -0,0 +1,43 @@
+Patch-mainline: v4.20-rc5
+Git-commit: 354cb410d87314e2eda344feea84809e4261570a
+References: git-fixes
+From: Yi Wang
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: [PATCH] KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 02f2291dcf7e..c4533d05c214 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -55,7 +55,7 @@
+ #define PRIo64 "o"
+
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch b/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch
new file mode 100644
index 0000000..b301526
--- /dev/null
+++ b/patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch
@@ -0,0 +1,32 @@
+Patch-mainline: v5.6-rc4
+Git-commit: 147f1a1fe5d7e6b01b8df4d0cbd6f9eaf6b6c73b
+References: git-fixes
+From: Paolo Bonzini
+Date: Thu, 13 Feb 2020 18:24:48 +0100
+Subject: [PATCH] KVM: x86: fix incorrect comparison in trace event
+
+The "u" field in the event has three states, -1/0/1. Using u8 however means that
+comparison with -1 will always fail, so change to signed char.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/mmutrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
+index 3c6522b84ff1..ffcd96fc02d0 100644
+--- a/arch/x86/kvm/mmutrace.h
++++ b/arch/x86/kvm/mmutrace.h
+@@ -339,7 +339,7 @@ TRACE_EVENT(
+ /* These depend on page entry type, so compute them now. */
+ __field(bool, r)
+ __field(bool, x)
+- __field(u8, u)
++ __field(signed char, u)
+ ),
+
+ TP_fast_assign(
+--
+2.35.3
+
diff --git a/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch b/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch
new file mode 100644
index 0000000..a64cf7a
--- /dev/null
+++ b/patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch
@@ -0,0 +1,45 @@
+Patch-mainline: v5.0-rc1
+Git-commit: e87555e550cef4941579cd879759a7c0dee24e68
+References: git-fixes
+From: Vitaly Kuznetsov
+Date: Wed, 19 Dec 2018 12:06:13 +0100
+Subject: [PATCH] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm
+knows nothing about it, however, this MSR is among emulated_msrs and
+thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS,
+of course, fails.
+
+Report the MSR as unsupported to not confuse userspace.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Radim Krčmář
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/svm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index e4f18a305ef6..c4377f02a33b 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5840,6 +5840,13 @@ static bool svm_cpu_has_accelerated_tpr(void)
+
+ static bool svm_has_emulated_msr(int index)
+ {
++ switch (index) {
++ case MSR_IA32_MCG_EXT_CTL:
++ return false;
++ default:
++ break;
++ }
++
+ return true;
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch b/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch
new file mode 100644
index 0000000..811a135
--- /dev/null
+++ b/patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch
@@ -0,0 +1,43 @@
+From: Douglas Raillard
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+Git-commit: 0b04d4c0542e8573a837b1d81b94209e48723b25
+Patch-mainline: v6.3-rc5
+References: git-fixes
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+ field:nid_t nid[3]; offset:24; size:4; signed:0;
+
+Instead of 12:
+
+ field:nid_t nid[3]; offset:24; size:12; signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard
+Reviewed-by: Mukesh Ojha
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Acked-by: Petr Pavlu
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 1322d34a5dfc..99cbc5949e3c 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -512,7 +512,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(nid_t, nid[3])
++ __array(nid_t, nid, 3)
+ __field(int, depth)
+ __field(int, err)
+ ),
+
diff --git a/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch b/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch
new file mode 100644
index 0000000..36fb92e
--- /dev/null
+++ b/patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch
@@ -0,0 +1,42 @@
+Patch-mainline: v4.19-rc5
+Git-commit: d35b34a9a70edae7ef923f100e51b8b5ae9fe899
+References: git-fixes
+From: Junaid Shahid
+Date: Wed, 8 Aug 2018 17:45:24 -0700
+Subject: [PATCH] kvm: mmu: Don't read PDPTEs when paging is not enabled
+
+kvm should not attempt to read guest PDPTEs when CR0.PG = 0 and
+CR4.PAE = 1.
+
+Signed-off-by: Junaid Shahid
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Juergen Gross
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 542f6315444d..5c870203737f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -628,7 +628,7 @@ bool pdptrs_changed(struct kvm_vcpu *vcpu)
+ gfn_t gfn;
+ int r;
+
+- if (is_long_mode(vcpu) || !is_pae(vcpu))
++ if (is_long_mode(vcpu) || !is_pae(vcpu) || !is_paging(vcpu))
+ return false;
+
+ if (!test_bit(VCPU_EXREG_PDPTR,
+@@ -8177,7 +8177,7 @@ static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
+ kvm_update_cpuid(vcpu);
+
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+- if (!is_long_mode(vcpu) && is_pae(vcpu)) {
++ if (!is_long_mode(vcpu) && is_pae(vcpu) && is_paging(vcpu)) {
+ load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
+ mmu_reset_needed = 1;
+ }
+--
+2.35.3
+
diff --git a/patches.suse/libata-add-horkage-for-ASMedia-1092.patch b/patches.suse/libata-add-horkage-for-ASMedia-1092.patch
new file mode 100644
index 0000000..d46b13d
--- /dev/null
+++ b/patches.suse/libata-add-horkage-for-ASMedia-1092.patch
@@ -0,0 +1,38 @@
+From a66307d473077b7aeba74e9b09c841ab3d399c2d Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke
+Date: Wed, 8 Dec 2021 07:58:53 +0100
+Subject: [PATCH] libata: add horkage for ASMedia 1092
+Git-commit: a66307d473077b7aeba74e9b09c841ab3d399c2d
+Patch-mainline: v5.16-rc5
+References: bsc#1118212 git-fixes
+
+The ASMedia 1092 has a configuration mode which will present a
+dummy device; sadly the implementation falsely claims to provide
+a device with 100M which doesn't actually exist.
+So disable this device to avoid errors during boot.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Damien Le Moal
+Acked-by: Takashi Iwai
+
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 59ad8c979cb3..aba0c67d1bd6 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3920,6 +3920,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ { "VRFDFC22048UCHC-TE*", NULL, ATA_HORKAGE_NODMA },
+ /* Odd clown on sil3726/4726 PMPs */
+ { "Config Disk", NULL, ATA_HORKAGE_DISABLE },
++ /* Similar story with ASMedia 1092 */
++ { "ASMT109x- Config", NULL, ATA_HORKAGE_DISABLE },
+
+ /* Weird ATAPI devices */
+ { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 },
+--
+2.31.1
+
diff --git a/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch b/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch
new file mode 100644
index 0000000..02a52dc
--- /dev/null
+++ b/patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch
@@ -0,0 +1,83 @@ +From: Tze-nan Wu +Date: Wed, 26 Apr 2023 14:20:23 +0800 +Subject: ring-buffer: Ensure proper resetting of atomic variables in + ring_buffer_reset_online_cpus +Git-commit: 7c339fb4d8577792378136c15fde773cfb863cb8 +Patch-mainline: v6.4-rc1 +References: git-fixes + +In ring_buffer_reset_online_cpus, the buffer_size_kb write operation +may permanently fail if the cpu_online_mask changes between two +for_each_online_buffer_cpu loops. The number of increases and decreases +on both cpu_buffer->resize_disabled and cpu_buffer->record_disabled may be +inconsistent, causing some CPUs to have non-zero values for these atomic +variables after the function returns. + +This issue can be reproduced by "echo 0 > trace" while hotplugging cpu. +After reproducing success, we can find out buffer_size_kb will not be +functional anymore. + +To prevent leaving 'resize_disabled' and 'record_disabled' non-zero after +ring_buffer_reset_online_cpus returns, we ensure that each atomic variable +has been set up before atomic_sub() to it. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20230426062027.17451-1-Tze-nan.Wu@mediatek.com + +Cc: stable@vger.kernel.org +Cc: +Cc: npiggin@gmail.com +Fixes: b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU") +Reviewed-by: Cheng-Jui Wang +Signed-off-by: Tze-nan Wu +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/ring_buffer.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 58be5b409f72..9a0cb94c3972 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -5326,6 +5326,9 @@ void ring_buffer_reset_cpu(struct trace_buffer *buffer, int cpu) + } + EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu); + ++/* Flag to ensure proper resetting of atomic variables */ ++#define RESET_BIT (1 << 30) ++ + /** + * ring_buffer_reset_cpu - reset a ring buffer per CPU buffer + * @buffer: The ring buffer to reset a per cpu buffer of +@@ -5342,20 +5345,27 @@ void ring_buffer_reset_online_cpus(struct trace_buffer *buffer) + for_each_online_buffer_cpu(buffer, cpu) { + cpu_buffer = buffer->buffers[cpu]; + +- atomic_inc(&cpu_buffer->resize_disabled); ++ atomic_add(RESET_BIT, &cpu_buffer->resize_disabled); + atomic_inc(&cpu_buffer->record_disabled); + } + + /* Make sure all commits have finished */ + synchronize_rcu(); + +- for_each_online_buffer_cpu(buffer, cpu) { ++ for_each_buffer_cpu(buffer, cpu) { + cpu_buffer = buffer->buffers[cpu]; + ++ /* ++ * If a CPU came online during the synchronize_rcu(), then ++ * ignore it. ++ */ ++ if (!(atomic_read(&cpu_buffer->resize_disabled) & RESET_BIT)) ++ continue; ++ + reset_disabled_cpu_buffer(cpu_buffer); + + atomic_dec(&cpu_buffer->record_disabled); +- atomic_dec(&cpu_buffer->resize_disabled); ++ atomic_sub(RESET_BIT, &cpu_buffer->resize_disabled); + } + + mutex_unlock(&buffer->mutex); + 
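Review bot: `RESET_BIT (1 << 30)` is added as a bare `#define` whose comment says what it is for but not the two conditions its correctness depends on: the bit must stay above any value the resize_disabled counter can reach through ordinary atomic_inc/atomic_dec elsewhere, and at most one reset may be in flight per buffer, otherwise a second atomic_add(RESET_BIT) would carry into bit 31 and the `& RESET_BIT` test in the second loop would misfire. The `mutex_unlock(&buffer->mutex)` at the end suggests the function runs under buffer->mutex, which provides the second condition, but the function's start is outside the hunk so I cannot confirm it. I would document both next to the define, e.g. `/* Marks a per-cpu buffer claimed by ring_buffer_reset_online_cpus(); relies on buffer->mutex serializing resets (bit set at most once) and on the counter never reaching bit 30. */`. Separately, the kernel-doc header right after the define still reads `ring_buffer_reset_cpu - reset a ring buffer per CPU buffer` although it documents ring_buffer_reset_online_cpus(); worth fixing while touching this area.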
diff --git a/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch b/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch new file mode 100644 index 0000000..94b11dd --- /dev/null +++ b/patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch 
@@ -0,0 +1,95 @@ +From: Johannes Berg +Date: Thu, 27 Apr 2023 17:59:20 +0200 +Subject: ring-buffer: Sync IRQ works before buffer destruction +Git-commit: 675751bb20634f981498c7d66161584080cc061e +Patch-mainline: v6.4-rc1 +References: git-fixes + +If something was written to the buffer just before destruction, +it may be possible (maybe not in a real system, but it did +happen in ARCH=um with time-travel) to destroy the ringbuffer +before the IRQ work ran, leading this KASAN report (or a crash +without KASAN): + + BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a + Read of size 8 at addr 000000006d640a48 by task swapper/0 + + CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7 + Stack: + 60c4f20f 0c203d48 41b58ab3 60f224fc + 600477fa 60f35687 60c4f20f 601273dd + 00000008 6101eb00 6101eab0 615be548 + Call Trace: + [<60047a58>] show_stack+0x25e/0x282 + [<60c609e0>] dump_stack_lvl+0x96/0xfd + [<60c50d4c>] print_report+0x1a7/0x5a8 + [<603078d3>] kasan_report+0xc1/0xe9 + [<60308950>] __asan_report_load8_noabort+0x1b/0x1d + [<60232844>] irq_work_run_list+0x11a/0x13a + [<602328b4>] irq_work_tick+0x24/0x34 + [<6017f9dc>] update_process_times+0x162/0x196 + [<6019f335>] tick_sched_handle+0x1a4/0x1c3 + [<6019fd9e>] tick_sched_timer+0x79/0x10c + [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695 + [<60182913>] hrtimer_interrupt+0x16c/0x2c4 + [<600486a3>] um_timer+0x164/0x183 + [...] + + Allocated by task 411: + save_stack_trace+0x99/0xb5 + stack_trace_save+0x81/0x9b + kasan_save_stack+0x2d/0x54 + kasan_set_track+0x34/0x3e + kasan_save_alloc_info+0x25/0x28 + ____kasan_kmalloc+0x8b/0x97 + __kasan_kmalloc+0x10/0x12 + __kmalloc+0xb2/0xe8 + load_elf_phdrs+0xee/0x182 + [...] 
+ + The buggy address belongs to the object at 000000006d640800 + which belongs to the cache kmalloc-1k of size 1024 + The buggy address is located 584 bytes inside of + freed 1024-byte region [000000006d640800, 000000006d640c00) + +Add the appropriate irq_work_sync() so the work finishes before +the buffers are destroyed. + +Prior to the commit in the Fixes tag below, there was only a +single global IRQ work, so this issue didn't exist. + +Link: https://lore.kernel.org/linux-trace-kernel/20230427175920.a76159263122.I8295e405c44362a86c995e9c2c37e3e03810aa56@changeid + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Fixes: 15693458c4bc ("tracing/ring-buffer: Move poll wake ups into ring buffer code") +Signed-off-by: Johannes Berg +Signed-off-by: Steven Rostedt (Google) +Acked-by: Petr Pavlu +--- + kernel/trace/ring_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 9a0cb94c3972..0d748f1f79ff 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1767,6 +1767,8 @@ static void rb_free_cpu_buffer(struct ring_buffer_per_cpu *cpu_buffer) + struct list_head *head = cpu_buffer->pages; + struct buffer_page *bpage, *tmp; + ++ irq_work_sync(&cpu_buffer->irq_work.work); ++ + free_buffer_page(cpu_buffer->reader_page); + + if (head) { +@@ -1873,6 +1875,8 @@ ring_buffer_free(struct trace_buffer *buffer) + + cpuhp_state_remove_instance(CPUHP_TRACE_RB_PREPARE, &buffer->node); + ++ irq_work_sync(&buffer->irq_work.work); ++ + for_each_buffer_cpu(buffer, cpu) + rb_free_cpu_buffer(buffer->buffers[cpu]); + + diff --git a/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch b/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch new file mode 100644 index 0000000..7f9b4a4 --- /dev/null +++ b/patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch 
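Review bot: The two new `irq_work_sync(&...irq_work.work)` calls only wait for work that is already queued; they do not prevent a concurrent commit from queueing new work afterwards, so the fix is sound only because nothing can write to a buffer that is being freed. That precondition is not written down at either call site, and the bodies of rb_free_cpu_buffer() and ring_buffer_free() continue outside the hunks. I would add `/* No writer can reach this buffer any more; drain IRQ work already queued before the memory it touches is freed. */` above each call, and mention that irq_work_sync() waits (and may block on some configurations), so both paths must stay in process context — which they appear to be, given cpuhp_state_remove_instance() is called just before.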
@@ -0,0 +1,122 @@ +Patch-mainline: v5.3-rc1 +Git-commit: 3901336ed9887b075531bffaeef7742ba614058b +References: git-fixes +From: Josh Poimboeuf +Date: Wed, 17 Jul 2019 20:36:39 -0500 +Subject: [PATCH] x86/kvm: Don't call kvm_spurious_fault() from .fixup + +After making a change to improve objtool's sibling call detection, it +started showing the following warning: + + arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame + +The problem is the ____kvm_handle_fault_on_reboot() macro. It does a +fake call by pushing a fake RIP and doing a jump. That tricks the +unwinder into printing the function which triggered the exception, +rather than the .fixup code. + +Instead of the hack to make it look like the original function made the +call, just change the macro so that the original function actually does +make the call. This allows removal of the hack, and also makes objtool +happy. + +I triggered a vmx instruction exception and verified that the stack +trace is still sane: + + kernel BUG at arch/x86/kvm/x86.c:358! 
+ invalid opcode: 0000 [#1] SMP PTI + CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16 + Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017 + RIP: 0010:kvm_spurious_fault+0x5/0x10 + Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 + RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246 + RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000 + RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0 + RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000 + R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0 + R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000 + FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + loaded_vmcs_init+0x4f/0xe0 + alloc_loaded_vmcs+0x38/0xd0 + vmx_create_vcpu+0xf7/0x600 + kvm_vm_ioctl+0x5e9/0x980 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? 
free_one_page+0x13f/0x4e0 + do_vfs_ioctl+0xa4/0x630 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x1c0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fa349b1ee5b + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Acked-by: Paolo Bonzini +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com +Signed-off-by: Juergen Gross +--- + arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 0cc5b611a113..8282b8d41209 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1496,25 +1496,29 @@ enum { + #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0) + #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm) + ++asmlinkage void __noreturn kvm_spurious_fault(void); ++ + /* + * Hardware virtualization extension instructions may fault if a + * reboot turns off virtualization while processes are running. +- * Trap the fault and ignore the instruction if that happens. ++ * Usually after catching the fault we just panic; during reboot ++ * instead the instruction is ignored. 
+ */ +-asmlinkage void kvm_spurious_fault(void); +- +-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ +- "666: " insn "\n\t" \ +- "668: \n\t" \ +- ".pushsection .fixup, \"ax\" \n" \ +- "667: \n\t" \ +- cleanup_insn "\n\t" \ +- "cmpb $0, kvm_rebooting \n\t" \ +- "jne 668b \n\t" \ +- __ASM_SIZE(push) " $666b \n\t" \ +- "jmp kvm_spurious_fault \n\t" \ +- ".popsection \n\t" \ +- _ASM_EXTABLE(666b, 667b) ++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ ++ "666: \n\t" \ ++ insn "\n\t" \ ++ "jmp 668f \n\t" \ ++ "667: \n\t" \ ++ "call kvm_spurious_fault \n\t" \ ++ "668: \n\t" \ ++ ".pushsection .fixup, \"ax\" \n\t" \ ++ "700: \n\t" \ ++ cleanup_insn "\n\t" \ ++ "cmpb $0, kvm_rebooting\n\t" \ ++ "je 667b \n\t" \ ++ "jmp 668b \n\t" \ ++ ".popsection \n\t" \ ++ _ASM_EXTABLE(666b, 700b) + + #define __kvm_handle_fault_on_reboot(insn) \ + ____kvm_handle_fault_on_reboot(insn, "") +-- +2.35.3 + diff --git a/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch b/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch new file mode 100644 index 0000000..32cce23 --- /dev/null +++ b/patches.suse/x86-kvm-avoid-constant-conversion-warning.patch 
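Review bot: The rewritten ____kvm_handle_fault_on_reboot() now emits a real `call kvm_spurious_fault` from inline asm without declaring any clobbers, which is only valid because kvm_spurious_fault() is declared `__noreturn` in the same hunk — a future change that lets it return would silently corrupt caller-saved registers at every use site. That dependency should be stated in the macro's comment, e.g. `* kvm_spurious_fault() never returns, so the call below needs no clobber list.`. As a point of style, the .fixup stub `cmpb $0, kvm_rebooting` / `je 667b` / `jmp 668b` routes the not-rebooting case through a backward branch into the call and the rebooting case through a second jump; a one-line comment naming the two outcomes (`/* not rebooting: 667 -> BUG; rebooting: 668 -> skip insn */`) would make the label layout readable without tracing it.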
@@ -0,0 +1,53 @@ +Patch-mainline: v5.3-rc1 +Git-commit: a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff +References: git-fixes +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:12:30 +0200 +Subject: [PATCH] x86: kvm: avoid constant-conversion warning + +clang finds a contruct suspicious that converts an unsigned +character to a signed integer and back, causing an overflow: + +arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion] + u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0; + ~~ ^~ +arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion] + u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0; + ~~ ^~ +arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion] + u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0; + ~~ ^~ + +Add an explicit cast to tell clang that everything works as +intended here. + +Signed-off-by: Arnd Bergmann +Link: https://github.com/ClangBuiltLinux/linux/issues/95 +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/mmu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index 9a5814d8d194..8f72526e2f68 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4597,11 +4597,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu, + */ + + /* Faults from writes to non-writable pages */ +- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0; ++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0; + /* Faults from user mode accesses to supervisor pages */ +- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0; ++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0; + /* Faults from fetches of non-executable pages*/ +- u8 ff = (pfec & PFERR_FETCH_MASK) ? 
~x : 0; ++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0; + /* Faults from kernel mode fetches of user pages */ + u8 smepf = 0; + /* Faults from kernel mode accesses of user pages */ +-- +2.35.3 + diff --git a/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch b/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch new file mode 100644 index 0000000..b58310a --- /dev/null +++ b/patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch 
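Review bot: `(u8)~w`, `(u8)~u` and `(u8)~x` silence the clang diagnostic but leave no trace of why the narrowing is intended, so the next -Wconversion cleanup may drop the casts or "fix" it the other way. `w`, `u` and `x` are declared outside the hunk so I cannot see their type, but the quoted warning shows the int-promoted complement being truncated to its low byte, and that intent should be recorded once in the preamble, e.g. `/* ~w etc. are computed in int; only the low 8 permission bits are meaningful, hence the u8 casts */`. The surrounding update_permission_bitmask() body starts and ends outside the hunk.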
@@ -0,0 +1,68 @@ +Patch-mainline: v4.20-rc5 +Git-commit: 1e4329ee2c52692ea42cc677fb2133519718b34a +References: git-fixes +From: Yi Wang +Date: Thu, 8 Nov 2018 11:22:21 +0800 +Subject: [PATCH] x86/kvm/vmx: fix old-style function declaration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The inline keyword which is not at the beginning of the function +declaration may trigger the following build warnings, so let's fix it: + +arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/vmx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index d09d67310012..5f43fcfc225b 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1308,7 +1308,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked); + static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12, + u16 error_code); + static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu); +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type); + + static DEFINE_PER_CPU(struct vmcs *, vmxarea); +@@ -5956,7 +5956,7 @@ static void free_vpid(int vpid) + spin_unlock(&vmx_vpid_lock); + } + +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + 
{ + int f = sizeof(unsigned long); +@@ -5994,7 +5994,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit + } + } + +-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + { + int f = sizeof(unsigned long); +@@ -6032,7 +6032,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm + } + } + +-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type, bool value) + { + if (value) +-- +2.35.3 + diff --git a/series.conf b/series.conf index 4b5d07a..51ba39d 100644 --- a/series.conf +++ b/series.conf @@ -29636,6 +29636,7 @@ patches.suse/msft-hv-1607-kvm-x86-factor-out-kvm.arch.hyperv-de-init.patch patches.suse/msft-hv-1608-kvm-x86-hyperv-guest-host-event-signaling-via-eventf.patch patches.suse/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use + patches.suse/KVM-x86-Update-the-exit_qualification-access-bits-wh.patch patches.suse/msft-hv-1631-x86-kvm-hyper-v-add-reenlightenment-MSRs-support.patch patches.suse/msft-hv-1632-x86-kvm-hyper-v-remove-stale-entries-from-vec_bitmap.patch patches.suse/msft-hv-1633-x86-kvm-hyper-v-inject-GP-only-when-invalid-SINTx-ve.patch @@ -41086,6 +41087,7 @@ patches.suse/s390-sles15sp1-00-04-19-KVM-s390-Make-huge-pages-unavailable-in-ucontrol-VMs.patch patches.suse/KVM-PPC-Avoid-marking-DMA-mapped-pages-dirty-in-real.patch patches.suse/KVM-PPC-Book3S-HV-Don-t-use-compound_order-to-determ.patch + patches.suse/kvm-mmu-Don-t-read-PDPTEs-when-paging-is-not-enabled.patch patches.suse/msft-hv-1758-x86-hyper-v-rename-ipi_arg_-ex-non_ex-structures.patch patches.suse/pinctrl-cannonlake-Fix-gpio-base-for-GPP-E.patch patches.suse/pinctrl-intel-Do-pin-translation-in-other-GPIO-opera.patch 
@@ -44477,6 +44479,8 @@ patches.suse/kvm-x86-fix-scan-ioapic-use-before-initialization patches.suse/svm-add-mutex_lock-to-protect-apic_access_page_done-on-amd-systems patches.suse/kvm-x86-fix-kernel-info-leak-in-kvm_hc_clock_pairing-hypercall + patches.suse/KVM-x86-fix-empty-body-warnings.patch + patches.suse/x86-kvm-vmx-fix-old-style-function-declaration.patch patches.suse/kvm-mmu-fix-race-in-emulated-page-table-writes patches.suse/kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch patches.suse/spi-mediatek-use-correct-mata-xfer_len-when-in-fifo-.patch @@ -45361,6 +45365,7 @@ patches.suse/kvm-s390-fix-kmsg-component-kvm-s390.patch patches.suse/KVM-PPC-Book3S-HV-Fix-race-between-kvm_unmap_hva_ran.patch patches.suse/KVM-PPC-Book3S-PR-Set-hflag-to-indicate-that-POWER9-.patch + patches.suse/KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-unsupport.patch patches.suse/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch patches.suse/kvm-Change-offset-in-kvm_write_guest_offset_cached-t.patch patches.suse/kvm-nvmx-nmi-window-and-interrupt-window-exiting-should-wake-l2-from-hlt @@ -46794,6 +46799,7 @@ patches.suse/kvm-x86-fix-single-step-debugging patches.suse/svm-add-warning-message-for-avic-ipi-invalid-target patches.suse/svm-fix-avic-incomplete-ipi-emulation + patches.suse/KVM-nSVM-clear-events-pending-from-svm_complete_inte.patch patches.suse/irqchip-gic-v3-its-Align-PCI-Multi-MSI-allocation-on.patch patches.suse/sched-wait-Fix-rcuwait_wake_up-ordering.patch patches.suse/0001-sched-wake_q-Document-wake_q_add.patch 
@@ -48849,6 +48855,7 @@ patches.suse/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu patches.suse/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels patches.suse/0001-KVM-fix-spectrev1-gadgets.patch + patches.suse/KVM-x86-avoid-misreporting-level-triggered-irqs-as-e.patch patches.suse/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch patches.suse/cfg80211-Handle-WMM-rules-in-regulatory-domain-inter.patch patches.suse/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch @@ -51818,6 +51825,7 @@ patches.suse/scsi-libfc-fix-null-pointer-dereference-on-a-null-lport patches.suse/scsi-sd_zbc-Fix-compilation-warning.patch patches.suse/scsi-core-fix-race-on-creating-sense-cache + patches.suse/x86-kvm-avoid-constant-conversion-warning.patch patches.suse/kvm-svm-fix-detection-of-amd-errata-1096 patches.suse/kvm-x86-vpmu-refine-kvm_pmu-err-msg-when-event-creation-failed patches.suse/kvm-nvmx-do-not-use-dangling-shadow-vmcs-after-guest-reset @@ -51825,6 +51833,7 @@ patches.suse/objtool-Rename-elf_open-to-prevent-conflict-with-libelf-from-elftoolchain.patch patches.suse/stacktrace-force-user_ds-for-stack_trace_save_user.patch patches.suse/x86-paravirt-Fix-callee-saved-function-ELF-sizes.patch + patches.suse/x86-kvm-Don-t-call-kvm_spurious_fault-from-.fixup.patch patches.suse/objtool-Track-original-function-across-branches.patch patches.suse/objtool-Convert-insn-type-to-enum.patch patches.suse/objtool-Support-conditional-retpolines.patch 
@@ -55453,6 +55462,7 @@ patches.suse/0001-ext4-fix-mount-failure-with-quota-configured-as-modu.patch patches.suse/0002-Btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-.patch patches.suse/floppy-check-FDC-index-for-errors-before-assigning-i.patch + patches.suse/KVM-x86-fix-incorrect-comparison-in-trace-event.patch patches.suse/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init patches.suse/kvm-nvmx-don-t-emulate-instructions-in-guest-mode patches.suse/kvm-nvmx-refactor-io-bitmap-checks-into-helper-function @@ -62071,6 +62081,7 @@ patches.suse/IB-hfi1-Correct-guard-on-eager-buffer-deallocation.patch patches.suse/IB-hfi1-Insure-use-of-smp_processor_id-is-preempt-di.patch patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch + patches.suse/libata-add-horkage-for-ASMedia-1092.patch patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch patches.suse/cifs-fix-ntlmssp-auth-when-there-is-no-key-exchange.patch patches.suse/mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregist.patch @@ -63136,6 +63147,9 @@ patches.suse/scsi-qla2xxx-Use-transport-defined-speed-mask-for-su.patch patches.suse/usb-dwc3-gadget-Stop-processing-more-requests-on-IMI.patch patches.suse/usb-dwc3-gadget-Don-t-set-IMI-for-no_interrupt.patch + patches.suse/KVM-x86-emulator-em_sysexit-should-update-ctxt-mode.patch + patches.suse/KVM-x86-emulator-introduce-emulator_recalc_and_set_m.patch + patches.suse/KVM-x86-emulator-update-the-emulation-mode-after-CR0.patch patches.suse/NFSv4.1-Handle-RECLAIM_COMPLETE-trunking-errors.patch patches.suse/NFSv4.1-We-must-always-send-RECLAIM_COMPLETE-after-a.patch patches.suse/NFSv4.2-Fixup-CLONE-dest-file-size-for-zero-length-c.patch 
@@ -63345,6 +63359,7 @@ patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch + patches.suse/f2fs-Fix-f2fs_truncate_partial_nodes-ftrace-event.patch patches.suse/xen-netback-don-t-do-grant-copy-across-page-boundary.patch patches.suse/xen-netback-use-same-error-messages-for-same-errors.patch patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch @@ -63364,6 +63379,8 @@ patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-unbind.patch patches.suse/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch + patches.suse/ring-buffer-Ensure-proper-resetting-of-atomic-variables-in-ring_buffer_reset_online_cpus.patch + patches.suse/ring-buffer-Sync-IRQ-works-before-buffer-destruction.patch patches.suse/powerpc-rtas-use-memmove-for-potentially-overlapping.patch patches.suse/workqueue-Fix-hung-time-report-of-worker-pools.patch patches.suse/workqueue-Warn-when-a-new-worker-could-not-be-create.patch