From: Greg Kroah-Hartman Date: Mon, 25 Apr 2022 11:33:54 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.9.312~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ebed6aa8a5e7d436321f39dc369d7b4bc59d1d9f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm_pmu-validate-single-group-leader-events.patch kvm-x86-pend-kvm_req_apicv_update-during-vcpu-creation-to-fix-a-race.patch --- diff --git a/queue-5.10/arm_pmu-validate-single-group-leader-events.patch b/queue-5.10/arm_pmu-validate-single-group-leader-events.patch new file mode 100644 index 00000000000..06f8d19861a --- /dev/null +++ b/queue-5.10/arm_pmu-validate-single-group-leader-events.patch @@ -0,0 +1,54 @@ +From e5c23779f93d45e39a52758ca593bd7e62e9b4be Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Fri, 8 Apr 2022 15:33:30 -0500 +Subject: arm_pmu: Validate single/group leader events + +From: Rob Herring + +commit e5c23779f93d45e39a52758ca593bd7e62e9b4be upstream. + +In the case where there is only a cycle counter available (i.e. +PMCR_EL0.N is 0) and an event other than CPU cycles is opened, the open +should fail as the event can never possibly be scheduled. However, the +event validation when an event is opened is skipped when the group +leader is opened. Fix this by always validating the group leader events. + +Reported-by: Al Grant +Cc: Will Deacon +Cc: Mark Rutland +Signed-off-by: Rob Herring +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20220408203330.4014015-1-robh@kernel.org +Cc: +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/arm_pmu.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/perf/arm_pmu.c ++++ b/drivers/perf/arm_pmu.c +@@ -398,6 +398,9 @@ validate_group(struct perf_event *event) + if (!validate_event(event->pmu, &fake_pmu, leader)) + return -EINVAL; + ++ if (event == leader) ++ return 0; ++ + for_each_sibling_event(sibling, leader) { + if (!validate_event(event->pmu, &fake_pmu, sibling)) + return -EINVAL; +@@ -487,12 +490,7 @@ __hw_perf_event_init(struct perf_event * + local64_set(&hwc->period_left, hwc->sample_period); + } + +- if (event->group_leader != event) { +- if (validate_group(event) != 0) +- return -EINVAL; +- } +- +- return 0; ++ return validate_group(event); + } + + static int armpmu_event_init(struct perf_event *event) diff --git a/queue-5.10/kvm-x86-pend-kvm_req_apicv_update-during-vcpu-creation-to-fix-a-race.patch b/queue-5.10/kvm-x86-pend-kvm_req_apicv_update-during-vcpu-creation-to-fix-a-race.patch new file mode 100644 index 00000000000..24c8c0cc393 --- /dev/null +++ b/queue-5.10/kvm-x86-pend-kvm_req_apicv_update-during-vcpu-creation-to-fix-a-race.patch @@ -0,0 +1,96 @@ +From 423ecfea77dda83823c71b0fad1c2ddb2af1e5fc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 20 Apr 2022 01:37:31 +0000 +Subject: KVM: x86: Pend KVM_REQ_APICV_UPDATE during vCPU creation to fix a race + +From: Sean Christopherson + +commit 423ecfea77dda83823c71b0fad1c2ddb2af1e5fc upstream. + +Make a KVM_REQ_APICV_UPDATE request when creating a vCPU with an +in-kernel local APIC and APICv enabled at the module level. Consuming +kvm_apicv_activated() and stuffing vcpu->arch.apicv_active directly can +race with __kvm_set_or_clear_apicv_inhibit(), as vCPU creation happens +before the vCPU is fully onlined, i.e. it won't get the request made to +"all" vCPUs. If APICv is globally inhibited between setting apicv_active +and onlining the vCPU, the vCPU will end up running with APICv enabled +and trigger KVM's sanity check. + +Mark APICv as active during vCPU creation if APICv is enabled at the +module level, both to be optimistic about it's final state, e.g. to avoid +additional VMWRITEs on VMX, and because there are likely bugs lurking +since KVM checks apicv_active in multiple vCPU creation paths. While +keeping the current behavior of consuming kvm_apicv_activated() is +arguably safer from a regression perspective, force apicv_active so that +vCPU creation runs with deterministic state and so that if there are bugs, +they are found sooner than later, i.e. not when some crazy race condition +is hit. + + WARNING: CPU: 0 PID: 484 at arch/x86/kvm/x86.c:9877 vcpu_enter_guest+0x2ae3/0x3ee0 arch/x86/kvm/x86.c:9877 + Modules linked in: + CPU: 0 PID: 484 Comm: syz-executor361 Not tainted 5.16.13 #2 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014 + RIP: 0010:vcpu_enter_guest+0x2ae3/0x3ee0 arch/x86/kvm/x86.c:9877 + Call Trace: + + vcpu_run arch/x86/kvm/x86.c:10039 [inline] + kvm_arch_vcpu_ioctl_run+0x337/0x15e0 arch/x86/kvm/x86.c:10234 + kvm_vcpu_ioctl+0x4d2/0xc80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3727 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:874 [inline] + __se_sys_ioctl fs/ioctl.c:860 [inline] + __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The bug was hit by a syzkaller spamming VM creation with 2 vCPUs and a +call to KVM_SET_GUEST_DEBUG. + + r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) + r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) + ioctl$KVM_CAP_SPLIT_IRQCHIP(r1, 0x4068aea3, &(0x7f0000000000)) (async) + r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) (async) + r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x400000000000002) + ioctl$KVM_SET_GUEST_DEBUG(r3, 0x4048ae9b, &(0x7f00000000c0)={0x5dda9c14aa95f5c5}) + ioctl$KVM_RUN(r2, 0xae80, 0x0) + +Reported-by: Gaoning Pan +Reported-by: Yongkang Jia +Fixes: 8df14af42f00 ("kvm: x86: Add support for dynamic APICv activation") +Cc: stable@vger.kernel.org +Cc: Maxim Levitsky +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Message-Id: <20220420013732.3308816-4-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10000,8 +10000,21 @@ int kvm_arch_vcpu_create(struct kvm_vcpu + r = kvm_create_lapic(vcpu, lapic_timer_advance_ns); + if (r < 0) + goto fail_mmu_destroy; +- if (kvm_apicv_activated(vcpu->kvm)) ++ ++ /* ++ * Defer evaluating inhibits until the vCPU is first run, as ++ * this vCPU will not get notified of any changes until this ++ * vCPU is visible to other vCPUs (marked online and added to ++ * the set of vCPUs). Opportunistically mark APICv active as ++ * VMX in particularly is highly unlikely to have inhibits. ++ * Ignore the current per-VM APICv state so that vCPU creation ++ * is guaranteed to run with a deterministic value, the request ++ * will ensure the vCPU gets the correct state before VM-Entry. ++ */ ++ if (enable_apicv) { + vcpu->arch.apicv_active = true; ++ kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu); ++ } + } else + static_key_slow_inc(&kvm_no_apic_vcpu); + diff --git a/queue-5.10/series b/queue-5.10/series index 9ca2a0cf912..f06323ad8ce 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -62,6 +62,8 @@ gpio-request-interrupts-after-irq-is-initialized.patch asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch e1000e-fix-possible-overflow-in-ltr-decoding.patch arc-entry-fix-syscall_trace_exit-argument.patch +arm_pmu-validate-single-group-leader-events.patch +kvm-x86-pend-kvm_req_apicv_update-during-vcpu-creation-to-fix-a-race.patch sched-pelt-fix-attach_entity_load_avg-corner-case.patch perf-core-fix-perf_mmap-fail-when-config_perf_use_vm.patch drm-panel-raspberrypi-touchscreen-avoid-null-deref-i.patch