5.15-stable patches

added patches:
	vhost-scsi-protect-vq-log_used-with-vq-mutex.patch
	x86-fix-x86_feature_verw_clear-definition.patch
	x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch

diff --git a/queue-5.15/vhost-scsi-protect-vq-log_used-with-vq-mutex.patch b/queue-5.15/vhost-scsi-protect-vq-log_used-with-vq-mutex.patch
new file mode 100644 (file)
index 0000000..8c26e04
--- /dev/null
+++ b/queue-5.15/vhost-scsi-protect-vq-log_used-with-vq-mutex.patch
@@ -0,0 +1,73 @@
+From f591cf9fce724e5075cc67488c43c6e39e8cbe27 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Wed, 2 Apr 2025 23:29:46 -0700
+Subject: vhost-scsi: protect vq->log_used with vq->mutex
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 upstream.
+
+The vhost-scsi completion path may access vq->log_base when vq->log_used is
+already set to false.
+
+    vhost-thread                       QEMU-thread
+
+vhost_scsi_complete_cmd_work()
+-> vhost_add_used()
+   -> vhost_add_used_n()
+      if (unlikely(vq->log_used))
+                                      QEMU disables vq->log_used
+                                      via VHOST_SET_VRING_ADDR.
+                                      mutex_lock(&vq->mutex);
+                                      vq->log_used = false now!
+                                      mutex_unlock(&vq->mutex);
+
+                                     QEMU gfree(vq->log_base)
+        log_used()
+        -> log_write(vq->log_base)
+
+Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be
+reclaimed via gfree(). As a result, this causes invalid memory writes to
+QEMU userspace.
+
+The control queue path has the same issue.
+
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Message-Id: <20250403063028.16045-2-dongli.zhang@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+[ Resolved conflicts in drivers/vhost/scsi.c
+  bacause vhost_scsi_complete_cmd_work() has been refactored. ]
+Signed-off-by: Xinyu Zheng <zhengxinyu6@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/scsi.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -563,8 +563,10 @@ static void vhost_scsi_complete_cmd_work
+               ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter);
+               if (likely(ret == sizeof(v_rsp))) {
+                       struct vhost_scsi_virtqueue *q;
+-                      vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0);
+                       q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq);
++                      mutex_lock(&q->vq.mutex);
++                      vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0);
++                      mutex_unlock(&q->vq.mutex);
+                       vq = q - vs->vqs;
+                       __set_bit(vq, signal);
+               } else
+@@ -1166,8 +1168,11 @@ static void vhost_scsi_tmf_resp_work(str
+       else
+               resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED;
+ 
++      mutex_lock(&tmf->svq->vq.mutex);
+       vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs,
+                                tmf->vq_desc, &tmf->resp_iov, resp_code);
++      mutex_unlock(&tmf->svq->vq.mutex);
++
+       vhost_scsi_release_tmf_res(tmf);
+ }
+ 

diff --git a/queue-5.15/x86-fix-x86_feature_verw_clear-definition.patch b/queue-5.15/x86-fix-x86_feature_verw_clear-definition.patch
new file mode 100644 (file)
index 0000000..96c410a
--- /dev/null
+++ b/queue-5.15/x86-fix-x86_feature_verw_clear-definition.patch
@@ -0,0 +1,35 @@
+From jinpu.wang@ionos.com  Tue Jul 15 13:54:40 2025
+From: Jack Wang <jinpu.wang@ionos.com>
+Date: Mon, 14 Jul 2025 21:36:28 +0200
+Subject: x86: Fix X86_FEATURE_VERW_CLEAR definition
+To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Message-ID: <20250714193628.7273-1-jinpu.wang@ionos.com>
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+This is a mistake during backport.
+VERW_CLEAR is on bit 5, not bit 10.
+
+Fixes: f2b75f1368af ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
+
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -418,8 +418,8 @@
+ #define X86_FEATURE_SEV_ES            (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */
+ #define X86_FEATURE_SME_COHERENT      (19*32+10) /* "" AMD hardware-enforced cache coherency */
+ 
++#define X86_FEATURE_VERW_CLEAR                (20*32+ 5) /* "" The memory form of VERW mitigates TSA */
+ #define X86_FEATURE_AUTOIBRS          (20*32+ 8) /* "" Automatic IBRS */
+-#define X86_FEATURE_VERW_CLEAR                (20*32+ 10) /* "" The memory form of VERW mitigates TSA */
+ #define X86_FEATURE_SBPB              (20*32+27) /* "" Selective Branch Prediction Barrier */
+ #define X86_FEATURE_IBPB_BRTYPE               (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */
+ #define X86_FEATURE_SRSO_NO           (20*32+29) /* "" CPU is not affected by SRSO */

diff --git a/queue-5.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch b/queue-5.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
new file mode 100644 (file)
index 0000000..f563c4c
--- /dev/null
+++ b/queue-5.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
@@ -0,0 +1,55 @@
+From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 2 Jul 2025 10:32:04 +0200
+Subject: x86/mm: Disable hugetlb page table sharing on 32-bit
+
+From: Jann Horn <jannh@google.com>
+
+commit 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf upstream.
+
+Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86.
+Page table sharing requires at least three levels because it involves
+shared references to PMD tables; 32-bit x86 has either two-level paging
+(without PAE) or three-level paging (with PAE), but even with
+three-level paging, having a dedicated PGD entry for hugetlb is only
+barely possible (because the PGD only has four entries), and it seems
+unlikely anyone's actually using PMD sharing on 32-bit.
+
+Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which
+has 2-level paging) became particularly problematic after commit
+59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"),
+since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and
+the `pt_share_count` (for PMDs) share the same union storage - and with
+2-level paging, PMDs are PGDs.
+
+(For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the
+configuration of page tables such that it is never enabled with 2-level
+paging.)
+
+Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org
+Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.")
+Reported-by: Vitaly Chikunov <vt@altlinux.org>
+Suggested-by: Dave Hansen <dave.hansen@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: David Hildenbrand <david@redhat.com>
+Tested-by: Vitaly Chikunov <vt@altlinux.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%40google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -118,7 +118,7 @@ config X86
+       select ARCH_WANT_DEFAULT_BPF_JIT        if X86_64
+       select ARCH_WANTS_DYNAMIC_TASK_STRUCT
+       select ARCH_WANTS_NO_INSTR
+-      select ARCH_WANT_HUGE_PMD_SHARE
++      select ARCH_WANT_HUGE_PMD_SHARE         if X86_64
+       select ARCH_WANT_LD_ORPHAN_WARN
+       select ARCH_WANTS_THP_SWAP              if X86_64
+       select ARCH_HAS_PARANOID_L1D_FLUSH