From a05c55c7bb6c3373c6bdef5704fbb7b22985373f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 22 Oct 2025 11:04:44 +0200
Subject: [PATCH] drop kvm patch from older kernels
---
 ...nt-access-to-vcpu-events-before-init.patch | 86 -------------------
 queue-5.10/series | 1 -
 ...nt-access-to-vcpu-events-before-init.patch | 86 -------------------
 queue-5.15/series | 1 -
 ...nt-access-to-vcpu-events-before-init.patch | 86 -------------------
 queue-6.1/series | 1 -
 ...nt-access-to-vcpu-events-before-init.patch | 86 -------------------
 queue-6.12/series | 1 -
 ...nt-access-to-vcpu-events-before-init.patch | 86 -------------------
 queue-6.6/series | 1 -
 10 files changed, 435 deletions(-)
 delete mode 100644 queue-5.10/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 delete mode 100644 queue-5.15/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 delete mode 100644 queue-6.1/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 delete mode 100644 queue-6.12/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 delete mode 100644 queue-6.6/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
diff --git a/queue-5.10/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch b/queue-5.10/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
deleted file mode 100644
index 088f3cc91c..0000000000
--- a/queue-5.10/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 30 Sep 2025 01:52:37 -0700 -Subject: KVM: arm64: Prevent access to vCPU events before init - -From: Oliver Upton - -commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 upstream. - -Another day, another syzkaller bug. KVM erroneously allows userspace to -pend vCPU events for a vCPU that hasn't been initialized yet, leading to -KVM interpreting a bunch of uninitialized garbage for routing / -injecting the exception. - -In one case the injection code and the hyp disagree on whether the vCPU -has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, -tripping the BUG() in exception_target_el() during the next injection: - - kernel BUG at arch/arm64/kvm/inject_fault.c:40! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT - Hardware name: linux,dummy-virt (DT) - pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : exception_target_el+0x88/0x8c - lr : pend_serror_exception+0x18/0x13c - sp : ffff800082f03a10 - x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 - x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 - x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 - x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 - x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 - x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 - x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 - x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 - x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 - Call trace: - exception_target_el+0x88/0x8c (P) - kvm_inject_serror_esr+0x40/0x3b4 - __kvm_arm_vcpu_set_events+0xf0/0x100 - kvm_arch_vcpu_ioctl+0x180/0x9d4 - 
kvm_vcpu_ioctl+0x60c/0x9f4 - __arm64_sys_ioctl+0xac/0x104 - invoke_syscall+0x48/0x110 - el0_svc_common.constprop.0+0x40/0xe0 - do_el0_svc+0x1c/0x28 - el0_svc+0x34/0xf0 - el0t_64_sync_handler+0xa0/0xe4 - el0t_64_sync+0x198/0x19c - Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) - -Reject the ioctls outright as no sane VMM would call these before -KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been -thrown away by the eventual reset of the vCPU's state. - -Cc: stable@vger.kernel.org # 6.17 -Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") -Signed-off-by: Oliver Upton -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1209,6 +1209,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_GET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (kvm_arm_vcpu_get_events(vcpu, &events)) - return -EINVAL; - -@@ -1220,6 +1223,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_SET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (copy_from_user(&events, argp, sizeof(events))) - return -EFAULT; -
diff --git a/queue-5.10/series b/queue-5.10/series
index e5c6ca9969..e61982d0a5 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -225,7 +225,6 @@ media-cx18-add-missing-check-after-dma-map.patch
 media-pci-ivtv-add-check-for-dma-map-result.patch
 mm-slab-make-__free-kfree-accept-error-pointers.patch
 wifi-rt2x00-use-explicitly-signed-or-unsigned-types.patch
-kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-detect-invalid-inline_data-extents-flag-combination.patch
 pwm-berlin-fix-wrong-register-in-suspend-resume.patch
diff --git a/queue-5.15/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch b/queue-5.15/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
deleted file mode 100644
index 71cac7859c..0000000000
--- a/queue-5.15/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 30 Sep 2025 01:52:37 -0700 -Subject: KVM: arm64: Prevent access to vCPU events before init - -From: Oliver Upton - -commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 upstream. - -Another day, another syzkaller bug. KVM erroneously allows userspace to -pend vCPU events for a vCPU that hasn't been initialized yet, leading to -KVM interpreting a bunch of uninitialized garbage for routing / -injecting the exception. - -In one case the injection code and the hyp disagree on whether the vCPU -has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, -tripping the BUG() in exception_target_el() during the next injection: - - kernel BUG at arch/arm64/kvm/inject_fault.c:40! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT - Hardware name: linux,dummy-virt (DT) - pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : exception_target_el+0x88/0x8c - lr : pend_serror_exception+0x18/0x13c - sp : ffff800082f03a10 - x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 - x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 - x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 - x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 - x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 - x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 - x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 - x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 - x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 - Call trace: - exception_target_el+0x88/0x8c (P) - kvm_inject_serror_esr+0x40/0x3b4 - __kvm_arm_vcpu_set_events+0xf0/0x100 - kvm_arch_vcpu_ioctl+0x180/0x9d4 - 
kvm_vcpu_ioctl+0x60c/0x9f4 - __arm64_sys_ioctl+0xac/0x104 - invoke_syscall+0x48/0x110 - el0_svc_common.constprop.0+0x40/0xe0 - do_el0_svc+0x1c/0x28 - el0_svc+0x34/0xf0 - el0t_64_sync_handler+0xa0/0xe4 - el0t_64_sync+0x198/0x19c - Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) - -Reject the ioctls outright as no sane VMM would call these before -KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been -thrown away by the eventual reset of the vCPU's state. - -Cc: stable@vger.kernel.org # 6.17 -Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") -Signed-off-by: Oliver Upton -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1313,6 +1313,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_GET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (kvm_arm_vcpu_get_events(vcpu, &events)) - return -EINVAL; - -@@ -1324,6 +1327,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_SET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (copy_from_user(&events, argp, sizeof(events))) - return -EFAULT; -
diff --git a/queue-5.15/series b/queue-5.15/series
index 8e599fb1d3..c1d78ab658 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -1,5 +1,4 @@
 r8152-add-error-handling-in-rtl8152_driver_init.patch
-kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-detect-invalid-inline_data-extents-flag-combination.patch
 btrfs-fix-clearing-of-btrfs_fs_reloc_running-if-relocation-already-running.patch
diff --git a/queue-6.1/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch b/queue-6.1/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
deleted file mode 100644
index bbe65fc62a..0000000000
--- a/queue-6.1/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 30 Sep 2025 01:52:37 -0700 -Subject: KVM: arm64: Prevent access to vCPU events before init - -From: Oliver Upton - -commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 upstream. - -Another day, another syzkaller bug. KVM erroneously allows userspace to -pend vCPU events for a vCPU that hasn't been initialized yet, leading to -KVM interpreting a bunch of uninitialized garbage for routing / -injecting the exception. - -In one case the injection code and the hyp disagree on whether the vCPU -has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, -tripping the BUG() in exception_target_el() during the next injection: - - kernel BUG at arch/arm64/kvm/inject_fault.c:40! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT - Hardware name: linux,dummy-virt (DT) - pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : exception_target_el+0x88/0x8c - lr : pend_serror_exception+0x18/0x13c - sp : ffff800082f03a10 - x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 - x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 - x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 - x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 - x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 - x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 - x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 - x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 - x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 - Call trace: - exception_target_el+0x88/0x8c (P) - kvm_inject_serror_esr+0x40/0x3b4 - __kvm_arm_vcpu_set_events+0xf0/0x100 - kvm_arch_vcpu_ioctl+0x180/0x9d4 - 
kvm_vcpu_ioctl+0x60c/0x9f4 - __arm64_sys_ioctl+0xac/0x104 - invoke_syscall+0x48/0x110 - el0_svc_common.constprop.0+0x40/0xe0 - do_el0_svc+0x1c/0x28 - el0_svc+0x34/0xf0 - el0t_64_sync_handler+0xa0/0xe4 - el0t_64_sync+0x198/0x19c - Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) - -Reject the ioctls outright as no sane VMM would call these before -KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been -thrown away by the eventual reset of the vCPU's state. - -Cc: stable@vger.kernel.org # 6.17 -Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") -Signed-off-by: Oliver Upton -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1409,6 +1409,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_GET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (kvm_arm_vcpu_get_events(vcpu, &events)) - return -EINVAL; - -@@ -1420,6 +1423,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_SET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (copy_from_user(&events, argp, sizeof(events))) - return -EFAULT; -
diff --git a/queue-6.1/series b/queue-6.1/series
index 57f4e439fb..3a8ac0b3f2 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -1,6 +1,5 @@
 smb-client-fix-refcount-leak-for-cifs_sb_tlink.patch
 r8152-add-error-handling-in-rtl8152_driver_init.patch
-kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-wait-for-ongoing-i-o-to-complete-before-freeing-blocks.patch
 ext4-detect-invalid-inline_data-extents-flag-combination.patch
diff --git a/queue-6.12/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch b/queue-6.12/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
deleted file mode 100644
index 45a52979d0..0000000000
--- a/queue-6.12/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 30 Sep 2025 01:52:37 -0700 -Subject: KVM: arm64: Prevent access to vCPU events before init - -From: Oliver Upton - -commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 upstream. - -Another day, another syzkaller bug. KVM erroneously allows userspace to -pend vCPU events for a vCPU that hasn't been initialized yet, leading to -KVM interpreting a bunch of uninitialized garbage for routing / -injecting the exception. - -In one case the injection code and the hyp disagree on whether the vCPU -has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, -tripping the BUG() in exception_target_el() during the next injection: - - kernel BUG at arch/arm64/kvm/inject_fault.c:40! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT - Hardware name: linux,dummy-virt (DT) - pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : exception_target_el+0x88/0x8c - lr : pend_serror_exception+0x18/0x13c - sp : ffff800082f03a10 - x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 - x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 - x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 - x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 - x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 - x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 - x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 - x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 - x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 - Call trace: - exception_target_el+0x88/0x8c (P) - kvm_inject_serror_esr+0x40/0x3b4 - __kvm_arm_vcpu_set_events+0xf0/0x100 - kvm_arch_vcpu_ioctl+0x180/0x9d4 - 
kvm_vcpu_ioctl+0x60c/0x9f4 - __arm64_sys_ioctl+0xac/0x104 - invoke_syscall+0x48/0x110 - el0_svc_common.constprop.0+0x40/0xe0 - do_el0_svc+0x1c/0x28 - el0_svc+0x34/0xf0 - el0t_64_sync_handler+0xa0/0xe4 - el0t_64_sync+0x198/0x19c - Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) - -Reject the ioctls outright as no sane VMM would call these before -KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been -thrown away by the eventual reset of the vCPU's state. - -Cc: stable@vger.kernel.org # 6.17 -Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") -Signed-off-by: Oliver Upton -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1760,6 +1760,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_GET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (kvm_arm_vcpu_get_events(vcpu, &events)) - return -EINVAL; - -@@ -1771,6 +1774,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_SET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (copy_from_user(&events, argp, sizeof(events))) - return -EFAULT; -
diff --git a/queue-6.12/series b/queue-6.12/series
index 621b5803d0..2781a7403b 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -3,7 +3,6 @@ rust-cfi-only-64-bit-arm-and-x86-support-cfi_clang.patch
 smb-client-fix-refcount-leak-for-cifs_sb_tlink.patch
 slab-reset-slab-obj_ext-when-freeing-and-it-is-objexts_alloc_fail.patch
 r8152-add-error-handling-in-rtl8152_driver_init.patch
-kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 f2fs-fix-wrong-block-mapping-for-multi-devices.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-wait-for-ongoing-i-o-to-complete-before-freeing-blocks.patch
diff --git a/queue-6.6/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch b/queue-6.6/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
deleted file mode 100644
index f3ac7a7f66..0000000000
--- a/queue-6.6/kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 0aa1b76fe1429629215a7c79820e4b96233ac4a3 Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 30 Sep 2025 01:52:37 -0700 -Subject: KVM: arm64: Prevent access to vCPU events before init - -From: Oliver Upton - -commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 upstream. - -Another day, another syzkaller bug. KVM erroneously allows userspace to -pend vCPU events for a vCPU that hasn't been initialized yet, leading to -KVM interpreting a bunch of uninitialized garbage for routing / -injecting the exception. - -In one case the injection code and the hyp disagree on whether the vCPU -has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, -tripping the BUG() in exception_target_el() during the next injection: - - kernel BUG at arch/arm64/kvm/inject_fault.c:40! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT - Hardware name: linux,dummy-virt (DT) - pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : exception_target_el+0x88/0x8c - lr : pend_serror_exception+0x18/0x13c - sp : ffff800082f03a10 - x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 - x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 - x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 - x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 - x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 - x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 - x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 - x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 - x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 - Call trace: - exception_target_el+0x88/0x8c (P) - kvm_inject_serror_esr+0x40/0x3b4 - __kvm_arm_vcpu_set_events+0xf0/0x100 - kvm_arch_vcpu_ioctl+0x180/0x9d4 - 
kvm_vcpu_ioctl+0x60c/0x9f4 - __arm64_sys_ioctl+0xac/0x104 - invoke_syscall+0x48/0x110 - el0_svc_common.constprop.0+0x40/0xe0 - do_el0_svc+0x1c/0x28 - el0_svc+0x34/0xf0 - el0t_64_sync_handler+0xa0/0xe4 - el0t_64_sync+0x198/0x19c - Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) - -Reject the ioctls outright as no sane VMM would call these before -KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been -thrown away by the eventual reset of the vCPU's state. - -Cc: stable@vger.kernel.org # 6.17 -Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") -Signed-off-by: Oliver Upton -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1492,6 +1492,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_GET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (kvm_arm_vcpu_get_events(vcpu, &events)) - return -EINVAL; - -@@ -1503,6 +1506,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi - case KVM_SET_VCPU_EVENTS: { - struct kvm_vcpu_events events; - -+ if (!kvm_vcpu_initialized(vcpu)) -+ return -ENOEXEC; -+ - if (copy_from_user(&events, argp, sizeof(events))) - return -EFAULT; -
diff --git a/queue-6.6/series b/queue-6.6/series
index 0f1a42aae3..96320fea7f 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1,6 +1,5 @@
 smb-client-fix-refcount-leak-for-cifs_sb_tlink.patch
 r8152-add-error-handling-in-rtl8152_driver_init.patch
-kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 f2fs-fix-wrong-block-mapping-for-multi-devices.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-wait-for-ongoing-i-o-to-complete-before-freeing-blocks.patch
-- 
2.47.3