2 files changed, 111 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 52b2f13eb26f..8c1bec09424b 100644
+index ee85be64b680..a38a8e44422e 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3647,6 +3647,15 @@
+@@ -3653,6 +3653,15 @@
Also, it enforces the PCI Local Bus spec
rule that those bits should be 0 in system reset
events (useful for kexec/kdump cases).
Safety option to keep boot IRQs enabled. This
should never be necessary.
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index fb13b3109a43..ee39f6c3dc3a 100644
+index f32e521ade1e..4f3558d0c00a 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
/*
* Decoding should be disabled for a PCI device during BAR sizing to avoid
* conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4770,6 +4870,8 @@ static const struct pci_dev_acs_enabled {
+@@ -4857,6 +4957,8 @@ static const struct pci_dev_acs_enabled {
{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
/* APM X-Gene */
{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Thu, 29 Jul 2021 17:54:04 +0300
-Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
- from L2 in int_ctl
-
-This fixes CVE-2021-3653 that allowed a malicious L1 to run L2 with
-AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
-AVIC to read/write the host physical memory at some offsets.
-
-The bug was discovered by Maxim Levitsky.
-
-Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-CVE-2021-3653
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Acked-by: Stefan Bader <stefan.bader@canonical.com>
-Acked-by: Ben Romer <benjamin.romer@canonical.com>
-Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-(cherry picked from commit d4c8d125f361e6aef5d58490672f7efa83dab257)
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- arch/x86/include/asm/svm.h | 2 ++
- arch/x86/kvm/svm/nested.c | 11 +++++++----
- arch/x86/kvm/svm/svm.c | 8 ++++----
- 3 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
-index 1c561945b426..6278111bbf97 100644
---- a/arch/x86/include/asm/svm.h
-+++ b/arch/x86/include/asm/svm.h
-@@ -178,6 +178,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
- #define V_IGN_TPR_SHIFT 20
- #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
-
-+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
-+
- #define V_INTR_MASKING_SHIFT 24
- #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
-
-diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
-index 0b3bf6e2aeb9..049d3cbbee5a 100644
---- a/arch/x86/kvm/svm/nested.c
-+++ b/arch/x86/kvm/svm/nested.c
-@@ -429,7 +429,10 @@ static void nested_prepare_vmcb_save(struct vcpu_svm *svm, struct vmcb *vmcb12)
-
- static void nested_prepare_vmcb_control(struct vcpu_svm *svm)
- {
-- const u32 mask = V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
-+ const u32 int_ctl_vmcb01_bits =
-+ V_INTR_MASKING_MASK | V_GIF_MASK | V_GIF_ENABLE_MASK;
-+
-+ const u32 int_ctl_vmcb12_bits = V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK;
-
- if (nested_npt_enabled(svm))
- nested_svm_init_mmu_context(&svm->vcpu);
-@@ -437,9 +440,9 @@ static void nested_prepare_vmcb_control(struct vcpu_svm *svm)
- svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset =
- svm->vcpu.arch.l1_tsc_offset + svm->nested.ctl.tsc_offset;
-
-- svm->vmcb->control.int_ctl =
-- (svm->nested.ctl.int_ctl & ~mask) |
-- (svm->nested.hsave->control.int_ctl & mask);
-+ svm->vmcb->control.int_ctl =
-+ (svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) |
-+ (svm->nested.hsave->control.int_ctl & int_ctl_vmcb01_bits);
-
- svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext;
- svm->vmcb->control.int_vector = svm->nested.ctl.int_vector;
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index 786c0eb8bd29..b676386f877e 100644
---- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -1547,17 +1547,17 @@ static void svm_set_vintr(struct vcpu_svm *svm)
-
- static void svm_clear_vintr(struct vcpu_svm *svm)
- {
-- const u32 mask = V_TPR_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK | V_INTR_MASKING_MASK;
- svm_clr_intercept(svm, INTERCEPT_VINTR);
-
- /* Drop int_ctl fields related to VINTR injection. */
-- svm->vmcb->control.int_ctl &= mask;
-+ svm->vmcb->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK;
- if (is_guest_mode(&svm->vcpu)) {
-- svm->nested.hsave->control.int_ctl &= mask;
-+ svm->nested.hsave->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK;
-
- WARN_ON((svm->vmcb->control.int_ctl & V_TPR_MASK) !=
- (svm->nested.ctl.int_ctl & V_TPR_MASK));
-- svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl & ~mask;
-+ svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl &
-+ V_IRQ_INJECTION_BITS_MASK;
- }
-
- vmcb_mark_dirty(svm->vmcb, VMCB_INTR);
+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Thu, 29 Jul 2021 18:37:38 +0300
-Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when
- nested
-
-If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
-Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
-then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
-possible by making L0 intercept these instructions.
-
-Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
-and thus read/write portions of the host physical memory.
-
-This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
-Paolo Bonzini.
-
-Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-CVE-2021-3656
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Acked-by: Stefan Bader <stefan.bader@canonical.com>
-Acked-by: Ben Romer <benjamin.romer@canonical.com>
-Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-(cherry picked from commit 7e23c00e809c1669676363962e2ef9df1bd2840b)
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- arch/x86/kvm/svm/nested.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
-index 049d3cbbee5a..3bd5c7d6716e 100644
---- a/arch/x86/kvm/svm/nested.c
-+++ b/arch/x86/kvm/svm/nested.c
-@@ -147,6 +147,9 @@ void recalc_intercepts(struct vcpu_svm *svm)
-
- for (i = 0; i < MAX_INTERCEPT; i++)
- c->intercepts[i] |= g->intercepts[i];
-+
-+ vmcb_set_intercept(c, INTERCEPT_VMLOAD);
-+ vmcb_set_intercept(c, INTERCEPT_VMSAVE);
- }
-
- static void copy_vmcb_control_area(struct vmcb_control_area *dst,