From: Greg Kroah-Hartman Date: Mon, 4 Apr 2022 07:44:19 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v5.17.2~94 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af99f9658b0b59a8fd058d1b6e3ca5ae88c45c52;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: proc-bootconfig-add-null-pointer-check.patch x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
---
diff --git a/queue-5.17/proc-bootconfig-add-null-pointer-check.patch b/queue-5.17/proc-bootconfig-add-null-pointer-check.patch
new file mode 100644
index 00000000000..f15e0eb518a
--- /dev/null
+++ b/queue-5.17/proc-bootconfig-add-null-pointer-check.patch
@@ -0,0 +1,36 @@
+From bed5b60bf67ccd8957b8c0558fead30c4a3f5d3f Mon Sep 17 00:00:00 2001
+From: Lv Ruyi
+Date: Tue, 29 Mar 2022 10:40:04 +0000
+Subject: proc: bootconfig: Add null pointer check
+
+From: Lv Ruyi
+
+commit bed5b60bf67ccd8957b8c0558fead30c4a3f5d3f upstream.
+
+kzalloc is a memory allocation function which can return NULL when some
+internal memory errors happen. It is safer to add null pointer check.
+
+Link: https://lkml.kernel.org/r/20220329104004.2376879-1-lv.ruyi@zte.com.cn
+
+Cc: stable@vger.kernel.org
+Fixes: c1a3c36017d4 ("proc: bootconfig: Add /proc/bootconfig to show boot config list")
+Acked-by: Masami Hiramatsu
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/bootconfig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/proc/bootconfig.c
++++ b/fs/proc/bootconfig.c
+@@ -32,6 +32,8 @@ static int __init copy_xbc_key_value_lis
+ int ret = 0;
+
+ key = kzalloc(XBC_KEYLEN_MAX, GFP_KERNEL);
++ if (!key)
++ return -ENOMEM;
+
+ xbc_for_each_key_value(leaf, val) {
+ ret = xbc_node_compose_key(leaf, key, XBC_KEYLEN_MAX);
diff --git a/queue-5.17/series b/queue-5.17/series
index 662f6d890bd..7918940bbc8 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -1062,3 +1062,6 @@ spi-fix-tegra-qspi-example.patch
 platform-chrome-cros_ec_typec-check-for-ec-device.patch
 platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch
 can-isotp-restore-accidentally-removed-msg_peek-feat.patch
+proc-bootconfig-add-null-pointer-check.patch
+x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
+x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
diff --git a/queue-5.17/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch b/queue-5.17/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
new file mode 100644
index 00000000000..a3b3487b1db
--- /dev/null
+++ b/queue-5.17/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
@@ -0,0 +1,38 @@
+From 063452fd94d153d4eb38ad58f210f3d37a09cca4 Mon Sep 17 00:00:00 2001
+From: Yang Zhong
+Date: Sat, 29 Jan 2022 09:36:46 -0800
+Subject: x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation
+
+From: Yang Zhong
+
+commit 063452fd94d153d4eb38ad58f210f3d37a09cca4 upstream.
+
+ARCH_REQ_XCOMP_PERM is supposed to add the requested feature to the
+permission bitmap of thread_group_leader()->fpu. But the code overwrites
+the bitmap with the requested feature bit only rather than adding it.
+
+Fix the code to add the requested feature bit to the master bitmask.
+
+Fixes: db8268df0983 ("x86/arch_prctl: Add controls for dynamic XSTATE components")
+Signed-off-by: Yang Zhong
+Signed-off-by: Chang S. Bae
+Signed-off-by: Thomas Gleixner
+Cc: Paolo Bonzini
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220129173647.27981-2-chang.seok.bae@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/fpu/xstate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/fpu/xstate.c
++++ b/arch/x86/kernel/fpu/xstate.c
+@@ -1639,7 +1639,7 @@ static int __xstate_request_perm(u64 per
+
+ perm = guest ? &fpu->guest_perm : &fpu->perm;
+ /* Pairs with the READ_ONCE() in xstate_get_group_perm() */
+- WRITE_ONCE(perm->__state_perm, requested);
++ WRITE_ONCE(perm->__state_perm, mask);
+ /* Protected by sighand lock */
+ perm->__state_size = ksize;
+ perm->__user_state_size = usize;
diff --git a/queue-5.17/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch b/queue-5.17/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
new file mode 100644
index 00000000000..deefa8ba12a
--- /dev/null
+++ b/queue-5.17/x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
@@ -0,0 +1,145 @@
+From 4009a4ac82dd95b8cd2b62bd30019476983f0aff Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Mon, 21 Mar 2022 10:33:51 +0100
+Subject: x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
+
+From: Joerg Roedel
+
+commit 4009a4ac82dd95b8cd2b62bd30019476983f0aff upstream.
+
+The io-specific memcpy/memset functions use string mmio accesses to do
+their work. Under SEV, the hypervisor can't emulate these instructions
+because they read/write directly from/to encrypted memory.
+
+KVM will inject a page fault exception into the guest when it is asked
+to emulate string mmio instructions for an SEV guest:
+
+ BUG: unable to handle page fault for address: ffffc90000065068
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 8000100000067 P4D 8000100000067 PUD 80001000fb067 PMD 80001000fc067 PTE 80000000fed40173
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc7 #3
+
+As string mmio for an SEV guest can not be supported by the
+hypervisor, unroll the instructions for CC_ATTR_GUEST_UNROLL_STRING_IO
+enabled kernels.
+
+This issue appears when kernels are launched in recent libvirt-managed
+SEV virtual machines, because virt-install started to add a tpm-crb
+device to the guest by default and proactively because, raisins:
+
+ https://github.com/virt-manager/virt-manager/commit/eb58c09f488b0633ed1eea012cd311e48864401e
+
+and as that commit says, the default adding of a TPM can be disabled
+with "virt-install ... --tpm none".
+
+The kernel driver for tpm-crb uses memcpy_to/from_io() functions to
+access MMIO memory, resulting in a page-fault injected by KVM and
+crashing the kernel at boot.
+
+ [ bp: Massage and extend commit message.
]
+
+Fixes: d8aa7eea78a1 ('x86/mm: Add Secure Encrypted Virtualization (SEV) support')
+Signed-off-by: Joerg Roedel
+Signed-off-by: Borislav Petkov
+Reviewed-by: Tom Lendacky
+Cc:
+Link: https://lore.kernel.org/r/20220321093351.23976-1-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/lib/iomem.c | 65 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/lib/iomem.c
++++ b/arch/x86/lib/iomem.c
+@@ -22,7 +22,7 @@ static __always_inline void rep_movs(voi
+ : "memory");
+ }
+
+-void memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
++static void string_memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
+ {
+ if (unlikely(!n))
+ return;
+@@ -38,9 +38,8 @@ void memcpy_fromio(void *to, const volat
+ }
+ rep_movs(to, (const void *)from, n);
+ }
+-EXPORT_SYMBOL(memcpy_fromio);
+
+-void memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
++static void string_memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
+ {
+ if (unlikely(!n))
+ return;
+@@ -56,14 +55,64 @@ void memcpy_toio(volatile void __iomem *
+ }
+ rep_movs((void *)to, (const void *) from, n);
+ }
++
++static void unrolled_memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
++{
++ const volatile char __iomem *in = from;
++ char *out = to;
++ int i;
++
++ for (i = 0; i < n; ++i)
++ out[i] = readb(&in[i]);
++}
++
++static void unrolled_memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
++{
++ volatile char __iomem *out = to;
++ const char *in = from;
++ int i;
++
++ for (i = 0; i < n; ++i)
++ writeb(in[i], &out[i]);
++}
++
++static void unrolled_memset_io(volatile void __iomem *a, int b, size_t c)
++{
++ volatile char __iomem *mem = a;
++ int i;
++
++ for (i = 0; i < c; ++i)
++ writeb(b, &mem[i]);
++}
++
++void memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
++{
++ if
(cc_platform_has(CC_ATTR_GUEST_UNROLL_STRING_IO))
++ unrolled_memcpy_fromio(to, from, n);
++ else
++ string_memcpy_fromio(to, from, n);
++}
++EXPORT_SYMBOL(memcpy_fromio);
++
++void memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
++{
++ if (cc_platform_has(CC_ATTR_GUEST_UNROLL_STRING_IO))
++ unrolled_memcpy_toio(to, from, n);
++ else
++ string_memcpy_toio(to, from, n);
++}
+ EXPORT_SYMBOL(memcpy_toio);
+
+ void memset_io(volatile void __iomem *a, int b, size_t c)
+ {
+- /*
+- * TODO: memset can mangle the IO patterns quite a bit.
+- * perhaps it would be better to use a dumb one:
+- */
+- memset((void *)a, b, c);
++ if (cc_platform_has(CC_ATTR_GUEST_UNROLL_STRING_IO)) {
++ unrolled_memset_io(a, b, c);
++ } else {
++ /*
++ * TODO: memset can mangle the IO patterns quite a bit.
++ * perhaps it would be better to use a dumb one:
++ */
++ memset((void *)a, b, c);
++ }
+ }
+ EXPORT_SYMBOL(memset_io);
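Review bot: The loop counter in `unrolled_memcpy_fromio`, `unrolled_memcpy_toio` and `unrolled_memset_io` is declared `int i` while the bound (`n` or `c`) is a `size_t`, so `i < n` is a mixed-sign comparison and the counter cannot represent a length above INT_MAX; declaring `size_t i;` in all three helpers removes that mismatch. The helpers also change the access width to single-byte `readb`/`writeb`, and nothing in the new code says why; a comment above them such as `/* byte-wise on purpose: string MMIO cannot be emulated for SEV guests */` would keep a later cleanup from folding them back into the `rep_movs` path. The bodies of `string_memcpy_fromio` and `string_memcpy_toio` lie partly outside the hunks shown, so their alignment handling cannot be compared here.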