From: Greg Kroah-Hartman Date: Sat, 13 Sep 2025 12:10:18 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.1.153~69 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d54867733aa0760b78e3c0e97a8137dd192a0392;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch kvm-svm-set-synthesized-tsa-cpuid-flags.patch kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch --- diff --git a/queue-5.15/kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch b/queue-5.15/kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch new file mode 100644 index 0000000000..4c218f4ee9 --- /dev/null +++ b/queue-5.15/kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch 
@@ -0,0 +1,41 @@ +From stable+bounces-179143-greg=kroah.com@vger.kernel.org Wed Sep 10 02:28:49 2025 +From: Boris Ostrovsky +Date: Tue, 9 Sep 2025 20:28:25 -0400 +Subject: KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, bp@alien8.de +Message-ID: <20250910002826.3010884-3-boris.ostrovsky@oracle.com> + +From: Boris Ostrovsky + +Commit c334ae4a545a ("KVM: SVM: Advertise TSA CPUID bits to guests") +set VERW_CLEAR, TSA_SQ_NO and TSA_L1_NO kvm_caps bits that are +supposed to be provided to guest when it requests CPUID 0x80000021. +However, the latter two (in the %ecx register) are instead returned as +zeroes in __do_cpuid_func(). + +Return values of TSA_SQ_NO and TSA_L1_NO as set in the kvm_cpu_caps. + +This fix is stable-only. + +Cc: # 5.15.y +Fixes: c334ae4a545a ("KVM: SVM: Advertise TSA CPUID bits to guests") +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -1014,8 +1014,9 @@ static inline int __do_cpuid_func(struct + entry->eax = entry->ebx = entry->ecx = entry->edx = 0; + break; + case 0x80000021: +- entry->ebx = entry->ecx = entry->edx = 0; ++ entry->ebx = entry->edx = 0; + cpuid_entry_override(entry, CPUID_8000_0021_EAX); ++ cpuid_entry_override(entry, CPUID_8000_0021_ECX); + break; + /*Add support for Centaur's CPUID instruction*/ + case 0xC0000000: diff --git a/queue-5.15/kvm-svm-set-synthesized-tsa-cpuid-flags.patch b/queue-5.15/kvm-svm-set-synthesized-tsa-cpuid-flags.patch new file mode 100644 index 0000000000..0269f1c258 --- /dev/null +++ b/queue-5.15/kvm-svm-set-synthesized-tsa-cpuid-flags.patch 
@@ -0,0 +1,50 @@ +From stable+bounces-179141-greg=kroah.com@vger.kernel.org Wed Sep 10 02:29:18 2025 +From: Boris Ostrovsky +Date: Tue, 9 Sep 2025 20:28:26 -0400 +Subject: KVM: SVM: Set synthesized TSA CPUID flags +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, bp@alien8.de +Message-ID: <20250910002826.3010884-4-boris.ostrovsky@oracle.com> + +From: "Borislav Petkov (AMD)" + +Commit f3f9deccfc68a6b7c8c1cc51e902edba23d309d4 LTS + +VERW_CLEAR is supposed to be set only by the hypervisor to denote TSA +mitigation support to a guest. SQ_NO and L1_NO are both synthesizable, +and are going to be set by hw CPUID on future machines. + +So keep the kvm_cpu_cap_init_kvm_defined() invocation *and* set them +when synthesized. + +This fix is stable-only. + +Co-developed-by: Jinpu Wang +Signed-off-by: Jinpu Wang +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +Cc: # 5.15.y +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -564,10 +564,15 @@ void kvm_set_cpu_caps(void) + if (cpu_feature_enabled(X86_FEATURE_SRSO_NO)) + kvm_cpu_cap_set(X86_FEATURE_SRSO_NO); + ++ kvm_cpu_cap_check_and_set(X86_FEATURE_VERW_CLEAR); ++ + kvm_cpu_cap_init_kvm_defined(CPUID_8000_0021_ECX, + F(TSA_SQ_NO) | F(TSA_L1_NO) + ); + ++ kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_SQ_NO); ++ kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_L1_NO); ++ + /* + * Hide RDTSCP and RDPID if either feature is reported as supported but + * probing MSR_TSC_AUX failed. This is purely a sanity check and diff --git a/queue-5.15/kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch b/queue-5.15/kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch new file mode 100644 index 0000000000..435b0c7276 --- /dev/null 
+++ b/queue-5.15/kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch 
@@ -0,0 +1,90 @@ +From stable+bounces-179142-greg=kroah.com@vger.kernel.org Wed Sep 10 02:28:48 2025 +From: Boris Ostrovsky +Date: Tue, 9 Sep 2025 20:28:24 -0400 +Subject: KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, bp@alien8.de +Message-ID: <20250910002826.3010884-2-boris.ostrovsky@oracle.com> + +From: Kim Phillips + +Commit c35ac8c4bf600ee23bacb20f863aa7830efb23fb upstream + +Move code from __do_cpuid_func() to kvm_set_cpu_caps() in preparation for adding +the features in their native leaf. + +Also drop the bit description comments as it will be more self-describing once +the individual features are added. + +Whilst there, switch to using the more efficient cpu_feature_enabled() instead +of static_cpu_has(). + +Note, LFENCE_RDTSC and "NULL selector clears base" are currently synthetic, +Linux-defined feature flags as Linux tracking of the features predates AMD's +definition. Keep the manual propagation of the flags from their synthetic +counterparts until the kernel fully converts to AMD's definition, otherwise KVM +would stop synthesizing the flags as intended. + +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Sean Christopherson +Link: https://lore.kernel.org/r/20230124163319.2277355-3-kim.phillips@amd.com + +Move setting of VERW_CLEAR bit to the new +kvm_cpu_cap_mask(CPUID_8000_0021_EAX, ...) site. 
+ +Cc: # 5.15.y +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -544,6 +544,17 @@ void kvm_set_cpu_caps(void) + 0 /* SME */ | F(SEV) | 0 /* VM_PAGE_FLUSH */ | F(SEV_ES) | + F(SME_COHERENT)); + ++ kvm_cpu_cap_mask(CPUID_8000_0021_EAX, ++ BIT(0) /* NO_NESTED_DATA_BP */ | ++ BIT(2) /* LFENCE Always serializing */ | 0 /* SmmPgCfgLock */ | ++ BIT(5) /* The memory form of VERW mitigates TSA */ | ++ BIT(6) /* NULL_SEL_CLR_BASE */ | 0 /* PrefetchCtlMsr */ ++ ); ++ if (cpu_feature_enabled(X86_FEATURE_LFENCE_RDTSC)) ++ kvm_cpu_caps[CPUID_8000_0021_EAX] |= BIT(2) /* LFENCE Always serializing */; ++ if (!static_cpu_has_bug(X86_BUG_NULL_SEG)) ++ kvm_cpu_caps[CPUID_8000_0021_EAX] |= BIT(6) /* NULL_SEL_CLR_BASE */; ++ + kvm_cpu_cap_mask(CPUID_C000_0001_EDX, + F(XSTORE) | F(XSTORE_EN) | F(XCRYPT) | F(XCRYPT_EN) | + F(ACE2) | F(ACE2_EN) | F(PHE) | F(PHE_EN) | +@@ -553,8 +564,6 @@ void kvm_set_cpu_caps(void) + if (cpu_feature_enabled(X86_FEATURE_SRSO_NO)) + kvm_cpu_cap_set(X86_FEATURE_SRSO_NO); + +- kvm_cpu_cap_mask(CPUID_8000_0021_EAX, F(VERW_CLEAR)); +- + kvm_cpu_cap_init_kvm_defined(CPUID_8000_0021_ECX, + F(TSA_SQ_NO) | F(TSA_L1_NO) + ); +@@ -1006,17 +1015,7 @@ static inline int __do_cpuid_func(struct + break; + case 0x80000021: + entry->ebx = entry->ecx = entry->edx = 0; +- /* +- * Pass down these bits: +- * EAX 0 NNDBP, Processor ignores nested data breakpoints +- * EAX 2 LAS, LFENCE always serializing +- * EAX 6 NSCB, Null selector clear base +- * +- * Other defined bits are for MSRs that KVM does not expose: +- * EAX 3 SPCL, SMM page configuration lock +- * EAX 13 PCMSR, Prefetch control MSR +- */ +- entry->eax &= BIT(0) | BIT(2) | BIT(6); ++ cpuid_entry_override(entry, CPUID_8000_0021_EAX); + break; + /*Add support for Centaur's CPUID instruction*/ + case 0xC0000000: 
diff --git a/queue-5.15/series b/queue-5.15/series index b8de571919..0ae138e305 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -15,3 +15,6 @@ tracing-fix-tracing_marker-may-trigger-page-fault-du.patch nfsv4-flexfiles-fix-layout-merge-mirror-check.patch s390-cpum_cf-deny-all-sampling-events-by-counter-pmu.patch tcp_bpf-call-sk_msg_free-when-tcp_bpf_send_verdict-f.patch +kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch +kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch +kvm-svm-set-synthesized-tsa-cpuid-flags.patch
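Review bot: in kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch, the first hunk (kvm_set_cpu_caps, @@ -544) writes the VERW bit as a bare "BIT(5) /* The memory form of VERW mitigates TSA */", while the line the second hunk removes used the named form, "kvm_cpu_cap_mask(CPUID_8000_0021_EAX, F(VERW_CLEAR));". Keeping F(VERW_CLEAR) inside the new mask would leave the bit greppable by feature name and tie it to the X86_FEATURE_VERW_CLEAR definition instead of a magic number that has to be checked against the comment. The other bits in the mask are raw BIT() values because they have no feature define at this point in the series; VERW_CLEAR does, as the removed line shows. If BIT(5) is deliberate for this 5.15 backport, the stable-only paragraph of the commit message ("Move setting of VERW_CLEAR bit to the new kvm_cpu_cap_mask(CPUID_8000_0021_EAX, ...) site.") should say why.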
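Review bot: in kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch, the case 0x80000021 hunk stops clearing ECX ("entry->ebx = entry->edx = 0;"), so the guest-visible ECX is now whatever "cpuid_entry_override(entry, CPUID_8000_0021_ECX);" leaves in the register. That is the intent according to the commit message, but nothing at the call site says that ECX for this leaf is meant to come from kvm_cpu_caps only. A one-line comment above the two override calls stating that EAX and ECX are taken from kvm_cpu_caps and that EBX and EDX are reserved and forced to zero would make the asymmetry obvious to the next person touching this case, and would guard against someone re-adding ecx to the zeroing line during a later backport conflict resolution.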
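Review bot: in kvm-svm-set-synthesized-tsa-cpuid-flags.patch, the kvm_set_cpu_caps hunk adds "kvm_cpu_cap_check_and_set(X86_FEATURE_VERW_CLEAR);" but the commit message only justifies the SQ_NO and L1_NO calls, and it describes VERW_CLEAR as a bit "supposed to be set only by the hypervisor". With the first patch of this series already listing BIT(5) in the CPUID_8000_0021_EAX mask, the message should state what the extra VERW_CLEAR call covers that the mask does not. Separately, the two TSA calls are placed after kvm_cpu_cap_init_kvm_defined(CPUID_8000_0021_ECX, ...) and the message stresses keeping that invocation "*and*" setting the flags, so the order looks intentional; a short comment in the code saying the check_and_set calls must follow the init would keep a later cleanup from reordering them.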
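Review bot: in the queue-5.15/series hunk, the order of the three added entries is load-bearing and worth keeping exactly as is on any later shuffle of the queue. kvm-svm-return-tsa_sq_no-and-tsa_l1_no-bits-in-__do_cpuid_func.patch has "cpuid_entry_override(entry, CPUID_8000_0021_EAX);" as a context line, which only exists once kvm-x86-move-open-coded-cpuid-leaf-0x80000021-eax-bit-propagation-code.patch has been applied, and the context of kvm-svm-set-synthesized-tsa-cpuid-flags.patch likewise assumes the standalone "kvm_cpu_cap_mask(CPUID_8000_0021_EAX, F(VERW_CLEAR));" line is already gone. The Message-ID suffixes (-2-, -3-, -4-) match this order, so the entries are correct as queued.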