1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
-index d1d757c6edf4..7b57571cf574 100755
+index 06c1e9e3bc38..6e7012175600 100755
--- a/scripts/mkcompile_h
+++ b/scripts/mkcompile_h
@@ -34,10 +34,14 @@ else
2 files changed, 111 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 359b54d2da21..00c9ace3711b 100644
+index 623eed9d3009..cc43987a3238 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3441,6 +3441,15 @@
+@@ -3447,6 +3447,15 @@
Also, it enforces the PCI Local Bus spec
rule that those bits should be 0 in system reset
events (useful for kexec/kdump cases).
Safety option to keep boot IRQs enabled. This
should never be necessary.
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index c17540b5c979..8f0d62e2a9cf 100644
+index e0fe975bedd5..9434da9dba02 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
-@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
+@@ -193,6 +193,106 @@ static int __init pci_apply_final_quirks(void)
}
fs_initcall_sync(pci_apply_final_quirks);
/*
* Decoding should be disabled for a PCI device during BAR sizing to avoid
* conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4915,6 +5015,8 @@ static const struct pci_dev_acs_enabled {
+@@ -4926,6 +5026,8 @@ static const struct pci_dev_acs_enabled {
{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
/* APM X-Gene */
{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 26cb1630b86d..85bedd6ebbac 100644
+index cf55dc7bcd03..6c10d2052a75 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -76,7 +76,7 @@ module_param(halt_poll_ns, uint, 0644);
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
-index e393a51b3973..8bbc10603f1f 100644
+index 8069ef56ee0b..6988b538f873 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
-@@ -9349,7 +9349,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
+@@ -9356,7 +9356,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
refcnt = netdev_refcnt_read(dev);
if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Thu, 29 Jul 2021 18:37:38 +0300
-Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when
- nested
-
-If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
-Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
-then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
-possible by making L0 intercept these instructions.
-
-Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
-and thus read/write portions of the host physical memory.
-
-This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
-Paolo Bonzini.
-
-Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-CVE-2021-3656
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Acked-by: Stefan Bader <stefan.bader@canonical.com>
-Acked-by: Ben Romer <benjamin.romer@canonical.com>
-Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-(cherry picked from commit 001ba8ebae0d2489b3e671b231daed4ad6f558d2)
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- arch/x86/kvm/svm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index be8a017be58b..3b1b57521d8b 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -516,6 +516,9 @@ static void recalc_intercepts(struct vcpu_svm *svm)
- c->intercept_dr = h->intercept_dr | g->intercept_dr;
- c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
- c->intercept = h->intercept | g->intercept;
-+
-+ c->intercept |= (1ULL << INTERCEPT_VMLOAD);
-+ c->intercept |= (1ULL << INTERCEPT_VMSAVE);
- }
-
- static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Mon, 16 Aug 2021 22:06:00 +0200
-Subject: [PATCH] KVM: nSVM: avoid picking up unsupported bits from L2 in
- int_ctl (CVE-2021-3653)
-
-BugLink: https://bugs.launchpad.net/bugs/1940134
-
-commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.
-
-* Invert the mask of bits that we pick from L2 in
- nested_vmcb02_prepare_control
-
-* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
-
-This fixes a security issue that allowed a malicious L1 to run L2 with
-AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
-AVIC to read/write the host physical memory at some offsets.
-
-Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
-CVE-2021-3653
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Acked-by: Kamal Mostafa <kamal@canonical.com>
-Acked-by: Ian May <ian.may@canonical.com>
-Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-(cherry picked from commit 47aa9272b0ff29c845179e60ecf8cb7a8375b346)
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- arch/x86/include/asm/svm.h | 2 ++
- arch/x86/kvm/svm.c | 15 ++++++++-------
- 2 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
-index 6ece8561ba66..c29d8fb0ffbe 100644
---- a/arch/x86/include/asm/svm.h
-+++ b/arch/x86/include/asm/svm.h
-@@ -119,6 +119,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
- #define V_IGN_TPR_SHIFT 20
- #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
-
-+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
-+
- #define V_INTR_MASKING_SHIFT 24
- #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 3b1b57521d8b..4f2e4bc4b33b 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1446,12 +1446,7 @@ static __init int svm_hardware_setup(void)
- }
- }
-
-- if (vgif) {
-- if (!boot_cpu_has(X86_FEATURE_VGIF))
-- vgif = false;
-- else
-- pr_info("Virtual GIF supported\n");
-- }
-+ vgif = false; /* Disabled for CVE-2021-3653 */
-
- return 0;
-
-@@ -3601,7 +3596,13 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa,
- svm->nested.intercept = nested_vmcb->control.intercept;
-
- svm_flush_tlb(&svm->vcpu, true);
-- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
-+
-+ svm->vmcb->control.int_ctl &=
-+ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
-+
-+ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
-+ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
-+
- if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
- svm->vcpu.arch.hflags |= HF_VINTR_MASK;
- else