From c058ed8e331cab45cc074226e615a1ea5f170150 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Fri, 27 Aug 2021 09:20:57 +0200 Subject: [PATCH] rebase patches on top of Ubuntu-5.11.0-34.36 (generated with debian/scripts/import-upstream-tag) Signed-off-by: Thomas Lamprecht --- ...ides-for-missing-ACS-capabilities-4..patch | 8 +- ...-default-dynamic-halt-polling-growth.patch | 2 +- ...lock-level-reissue-off-completion-pa.patch | 5 +- ...-nSVM-avoid-picking-up-unsupported-b.patch | 96 ------------------- ...-nSVM-always-intercept-VMLOAD-VMSAVE.patch | 45 --------- 5 files changed, 6 insertions(+), 150 deletions(-) delete mode 100644 patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch delete mode 100644 patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch diff --git a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch index 164d21c..4b80575 100644 --- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch +++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch @@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht 2 files changed, 111 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 52b2f13eb26f..8c1bec09424b 100644 +index ee85be64b680..a38a8e44422e 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3647,6 +3647,15 @@ +@@ -3653,6 +3653,15 @@ Also, it enforces the PCI Local Bus spec rule that those bits should be 0 in system reset events (useful for kexec/kdump cases). @@ -75,7 +75,7 @@ index 52b2f13eb26f..8c1bec09424b 100644 Safety option to keep boot IRQs enabled. This should never be necessary. 
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index fb13b3109a43..ee39f6c3dc3a 100644 +index f32e521ade1e..4f3558d0c00a 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void) @@ -185,7 +185,7 @@ index fb13b3109a43..ee39f6c3dc3a 100644 /* * Decoding should be disabled for a PCI device during BAR sizing to avoid * conflict. But doing so may cause problems on host bridge and perhaps other -@@ -4770,6 +4870,8 @@ static const struct pci_dev_acs_enabled { +@@ -4857,6 +4957,8 @@ static const struct pci_dev_acs_enabled { { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs }, /* APM X-Gene */ { PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs }, diff --git a/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch b/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch index 5db6088..8854693 100644 --- a/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch +++ b/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch @@ -13,7 +13,7 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 7377346be880..0979e4ab19ae 100644 +index 14e6c73a6031..c191c9e50735 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644); diff --git a/patches/kernel/0007-io_uring-don-t-block-level-reissue-off-completion-pa.patch b/patches/kernel/0007-io_uring-don-t-block-level-reissue-off-completion-pa.patch index ec9ce57..fad9c67 100644 --- a/patches/kernel/0007-io_uring-don-t-block-level-reissue-off-completion-pa.patch +++ b/patches/kernel/0007-io_uring-don-t-block-level-reissue-off-completion-pa.patch @@ -27,7 +27,7 @@ Signed-off-by: Fabian Ebner 1 file changed, 7 insertions(+) 
diff --git a/fs/io_uring.c b/fs/io_uring.c -index 2b86b413641a..11f615033c70 100644 +index a0d42aea3aa1..ce5cf51a5667 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2731,6 +2731,13 @@ static bool io_rw_reissue(struct io_kiocb *req, long res) @@ -44,6 +44,3 @@ index 2b86b413641a..11f615033c70 100644 lockdep_assert_held(&req->ctx->uring_lock); ret = io_sq_thread_acquire_mm_files(req->ctx, req); --- -2.30.2 - diff --git a/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch deleted file mode 100644 index 696a17f..0000000 --- a/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Maxim Levitsky -Date: Thu, 29 Jul 2021 17:54:04 +0300 -Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits - from L2 in int_ctl - -This fixes CVE-2021-3653 that allowed a malicious L1 to run L2 with -AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled -AVIC to read/write the host physical memory at some offsets. - -The bug was discovered by Maxim Levitsky. - -Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler") -Signed-off-by: Maxim Levitsky -Signed-off-by: Paolo Bonzini -CVE-2021-3653 -Signed-off-by: Thadeu Lima de Souza Cascardo -Acked-by: Stefan Bader -Acked-by: Ben Romer -Signed-off-by: Stefan Bader -(cherry picked from commit d4c8d125f361e6aef5d58490672f7efa83dab257) -Signed-off-by: Stoiko Ivanov ---- - arch/x86/include/asm/svm.h | 2 ++ - arch/x86/kvm/svm/nested.c | 11 +++++++---- - arch/x86/kvm/svm/svm.c | 8 ++++---- - 3 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h -index 1c561945b426..6278111bbf97 100644 ---- a/arch/x86/include/asm/svm.h -+++ b/arch/x86/include/asm/svm.h -@@ -178,6 +178,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area { - #define V_IGN_TPR_SHIFT 20 - #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT) - -+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK) -+ - #define V_INTR_MASKING_SHIFT 24 - #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT) - -diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c -index 0b3bf6e2aeb9..049d3cbbee5a 100644 ---- a/arch/x86/kvm/svm/nested.c -+++ b/arch/x86/kvm/svm/nested.c -@@ -429,7 +429,10 @@ static void nested_prepare_vmcb_save(struct vcpu_svm *svm, struct vmcb *vmcb12) - - static void nested_prepare_vmcb_control(struct vcpu_svm *svm) - { -- const u32 mask = V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK; -+ const u32 
int_ctl_vmcb01_bits = -+ V_INTR_MASKING_MASK | V_GIF_MASK | V_GIF_ENABLE_MASK; -+ -+ const u32 int_ctl_vmcb12_bits = V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK; - - if (nested_npt_enabled(svm)) - nested_svm_init_mmu_context(&svm->vcpu); -@@ -437,9 +440,9 @@ static void nested_prepare_vmcb_control(struct vcpu_svm *svm) - svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset = - svm->vcpu.arch.l1_tsc_offset + svm->nested.ctl.tsc_offset; - -- svm->vmcb->control.int_ctl = -- (svm->nested.ctl.int_ctl & ~mask) | -- (svm->nested.hsave->control.int_ctl & mask); -+ svm->vmcb->control.int_ctl = -+ (svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) | -+ (svm->nested.hsave->control.int_ctl & int_ctl_vmcb01_bits); - - svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext; - svm->vmcb->control.int_vector = svm->nested.ctl.int_vector; -diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c -index 786c0eb8bd29..b676386f877e 100644 ---- a/arch/x86/kvm/svm/svm.c -+++ b/arch/x86/kvm/svm/svm.c -@@ -1547,17 +1547,17 @@ static void svm_set_vintr(struct vcpu_svm *svm) - - static void svm_clear_vintr(struct vcpu_svm *svm) - { -- const u32 mask = V_TPR_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK | V_INTR_MASKING_MASK; - svm_clr_intercept(svm, INTERCEPT_VINTR); - - /* Drop int_ctl fields related to VINTR injection. */ -- svm->vmcb->control.int_ctl &= mask; -+ svm->vmcb->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK; - if (is_guest_mode(&svm->vcpu)) { -- svm->nested.hsave->control.int_ctl &= mask; -+ svm->nested.hsave->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK; - - WARN_ON((svm->vmcb->control.int_ctl & V_TPR_MASK) != - (svm->nested.ctl.int_ctl & V_TPR_MASK)); -- svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl & ~mask; -+ svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl & -+ V_IRQ_INJECTION_BITS_MASK; - } - - vmcb_mark_dirty(svm->vmcb, VMCB_INTR); 
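Review bot: Deleting patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch and patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch removes the CVE-2021-3653 and CVE-2021-3656 fixes from this patch queue, and nothing in the commit message states that Ubuntu-5.11.0-34.36 already carries them. Both deleted files name the upstream commits they were cherry-picked from (d4c8d125f361e6aef5d58490672f7efa83dab257 and 7e23c00e809c1669676363962e2ef9df1bd2840b), so the check before merging is that the new base contains them, i.e. that nested_prepare_vmcb_control masks int_ctl with separate vmcb01/vmcb12 bit sets and that recalc_intercepts sets INTERCEPT_VMLOAD and INTERCEPT_VMSAVE unconditionally. Presumably debian/scripts/import-upstream-tag dropped the two files because the base now includes equivalent changes, but that is inferred, not visible here. I would record the outcome in the commit message, e.g. `drop 0008/0009: CVE-2021-3653 and CVE-2021-3656 fixes are part of Ubuntu-5.11.0-34.36`. The same point applies to the 0009 deletion hunk that follows.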
diff --git a/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch b/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
deleted file mode 100644
index 48f3c30..0000000
--- a/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky
-Date: Thu, 29 Jul 2021 18:37:38 +0300
-Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when
- nested
-
-If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
-Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
-then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
-possible by making L0 intercept these instructions.
-
-Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
-and thus read/write portions of the host physical memory.
-
-This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
-Paolo Bonzini.
-
-Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
-Signed-off-by: Maxim Levitsky
-Signed-off-by: Paolo Bonzini
-CVE-2021-3656
-Signed-off-by: Thadeu Lima de Souza Cascardo
-Acked-by: Stefan Bader
-Acked-by: Ben Romer
-Signed-off-by: Stefan Bader
-(cherry picked from commit 7e23c00e809c1669676363962e2ef9df1bd2840b)
-Signed-off-by: Stoiko Ivanov
----
- arch/x86/kvm/svm/nested.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
-index 049d3cbbee5a..3bd5c7d6716e 100644
---- a/arch/x86/kvm/svm/nested.c
-+++ b/arch/x86/kvm/svm/nested.c
-@@ -147,6 +147,9 @@ void recalc_intercepts(struct vcpu_svm *svm)
-
- for (i = 0; i < MAX_INTERCEPT; i++)
- c->intercepts[i] |= g->intercepts[i];
-+
-+ vmcb_set_intercept(c, INTERCEPT_VMLOAD);
-+ vmcb_set_intercept(c, INTERCEPT_VMSAVE);
- }
-
- static void copy_vmcb_control_area(struct vmcb_control_area *dst,
-- 
2.39.2