From 74fe66a5d709cdc5f6957e0a6296f412893cf9b4 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 6 Aug 2022 11:31:12 -0400
Subject: [PATCH] Fixes for 5.4

Signed-off-by: Sasha Levin
---
 ...m-don-t-null-dereference-ops-destroy.patch | 52 ++++++++++++++++
 ...ndle-compiler-optimizations-in-ucall.patch | 61 +++++++++++++++++++
 queue-5.4/series | 2 +
 3 files changed, 115 insertions(+)
 create mode 100644 queue-5.4/kvm-don-t-null-dereference-ops-destroy.patch
 create mode 100644 queue-5.4/selftests-kvm-handle-compiler-optimizations-in-ucall.patch

diff --git a/queue-5.4/kvm-don-t-null-dereference-ops-destroy.patch b/queue-5.4/kvm-don-t-null-dereference-ops-destroy.patch
new file mode 100644
index 00000000000..41ad898812b
--- /dev/null
+++ b/queue-5.4/kvm-don-t-null-dereference-ops-destroy.patch
@@ -0,0 +1,52 @@
+From c4c1a8afd529cb811439fe472a1dfd710f1916d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jun 2022 03:43:28 +0200
+Subject: KVM: Don't null dereference ops->destroy
+
+From: Alexey Kardashevskiy
+
+[ Upstream commit e8bc2427018826e02add7b0ed0fc625a60390ae5 ]
+
+A KVM device cleanup happens in either of two callbacks:
+1) destroy() which is called when the VM is being destroyed;
+2) release() which is called when a device fd is closed.
+
+Most KVM devices use 1) but Book3s's interrupt controller KVM devices
+(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during
+the machine execution. The error handling in kvm_ioctl_create_device()
+assumes destroy() is always defined which leads to NULL dereference as
+discovered by Syzkaller.
+
+This adds a checks for destroy!=NULL and adds a missing release().
+
+This is not changing kvm_destroy_devices() as devices with defined
+release() should have been removed from the KVM devices list by then.
+
+Suggested-by: Paolo Bonzini
+Signed-off-by: Alexey Kardashevskiy
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ virt/kvm/kvm_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 287444e52ccf..4b445dddb798 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3329,8 +3329,11 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ kvm_put_kvm(kvm);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
++ if (ops->release)
++ ops->release(dev);
+ mutex_unlock(&kvm->lock);
+- ops->destroy(dev);
++ if (ops->destroy)
++ ops->destroy(dev);
+ return ret;
+ }
+ 
+--
+2.35.1
+
diff --git a/queue-5.4/selftests-kvm-handle-compiler-optimizations-in-ucall.patch b/queue-5.4/selftests-kvm-handle-compiler-optimizations-in-ucall.patch
new file mode 100644
index 00000000000..cfbfa58faef
--- /dev/null
+++ b/queue-5.4/selftests-kvm-handle-compiler-optimizations-in-ucall.patch
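Review bot: The rewritten error path in kvm_ioctl_create_device() now invokes ops->release() and then ops->destroy() whenever both are non-NULL, whereas the comment on the release() member of struct kvm_device_ops in include/linux/kvm_host.h (as I recall it) describes release() as an alternative after which destroy() is no longer called. If no device type in the 5.4 tree sets both callbacks this is harmless, but nothing in the hunk says so; a comment at the added `if (ops->release)` such as `/* Mirrors kvm_device_release(): release() runs under kvm->lock; a device is expected to define either release() or destroy(), not both. */` would make that assumption explicit, or the two blocks could be made exclusive with an `else`. The asymmetry of calling release() inside the kvm->lock section but destroy() after the unlock presumably follows kvm_device_release(), which is not visible here. kvm_ioctl_create_device() begins and ends outside the inner hunk.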
@@ -0,0 +1,61 @@
+From a0664d286c2ec7914483ead8a722ae41a4b4c06b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Jun 2022 18:57:06 +0000
+Subject: selftests: KVM: Handle compiler optimizations in ucall
+
+From: Raghavendra Rao Ananta
+
+[ Upstream commit 9e2f6498efbbc880d7caa7935839e682b64fe5a6 ]
+
+The selftests, when built with newer versions of clang, is found
+to have over optimized guests' ucall() function, and eliminating
+the stores for uc.cmd (perhaps due to no immediate readers). This
+resulted in the userspace side always reading a value of '0', and
+causing multiple test failures.
+
+As a result, prevent the compiler from optimizing the stores in
+ucall() with WRITE_ONCE().
+
+Suggested-by: Ricardo Koller
+Suggested-by: Reiji Watanabe
+Signed-off-by: Raghavendra Rao Ananta
+Message-Id: <20220615185706.1099208-1-rananta@google.com>
+Reviewed-by: Andrew Jones
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/kvm/lib/aarch64/ucall.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
+index 6cd91970fbad..3b2a426070c4 100644
+--- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c
++++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
+@@ -73,20 +73,19 @@ void ucall_uninit(struct kvm_vm *vm)
+ 
+ void ucall(uint64_t cmd, int nargs, ...)
+ {
+- struct ucall uc = {
+- .cmd = cmd,
+- };
++ struct ucall uc = {};
+ va_list va;
+ int i;
+ 
++ WRITE_ONCE(uc.cmd, cmd);
+ nargs = nargs <= UCALL_MAX_ARGS ? nargs : UCALL_MAX_ARGS;
+ 
+ va_start(va, nargs);
+ for (i = 0; i < nargs; ++i)
+- uc.args[i] = va_arg(va, uint64_t);
++ WRITE_ONCE(uc.args[i], va_arg(va, uint64_t));
+ va_end(va);
+ 
+- *ucall_exit_mmio_addr = (vm_vaddr_t)&uc;
++ WRITE_ONCE(*ucall_exit_mmio_addr, (vm_vaddr_t)&uc);
+ }
+ 
+ uint64_t get_ucall(struct kvm_vm *vm, uint32_t vcpu_id, struct ucall *uc)
+--
+2.35.1
+
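Review bot: ucall() now relies on WRITE_ONCE() but the backport adds no include, and the 5.4 selftest headers may not pull tools/include/linux/compiler.h into aarch64/ucall.c the way the newer tree does; worth confirming this file still compiles against the 5.4 queue, since an undefined macro would turn a test fix into a build break. The reason for the forced stores is only in the commit message, so a comment above the first `WRITE_ONCE(uc.cmd, cmd);` such as `/* uc is read by userspace after the MMIO exit below; WRITE_ONCE keeps the compiler from eliding or reordering these stores. */` would keep it next to the code. `struct ucall uc = {};` with empty braces is a GNU extension before C23, acceptable for the selftests' gnu dialect but `{ 0 }` would be portable. ucall() lies entirely within the inner hunk; get_ucall() on the last context line continues outside it.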
diff --git a/queue-5.4/series b/queue-5.4/series
index 5ffab210253..f6b34e3622e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -7,3 +7,5 @@ selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch
 bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch
 selftests-bpf-fix-test_align-verifier-log-patterns.patch
 selftests-bpf-fix-dubious-pointer-arithmetic-test.patch
+kvm-don-t-null-dereference-ops-destroy.patch
+selftests-kvm-handle-compiler-optimizations-in-ucall.patch
--
2.47.3