From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 11:50:53 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.4.293~71 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de5cd5c0dd687b6e4eb4caa392672ca4e562c6f1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch netfilter-fib-avoid-lookup-if-socket-is-available.patch
---
diff --git a/queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch b/queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
new file mode 100644
index 0000000000..c27e8fad7a
--- /dev/null
+++ b/queue-6.12/kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
@@ -0,0 +1,82 @@ +From d81cadbe164265337f149cf31c9462d7217c1eed Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Mon, 4 Nov 2024 07:58:45 +0000 +Subject: KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suravee Suthikulpanit + +commit d81cadbe164265337f149cf31c9462d7217c1eed upstream. + +On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while +the guest is running for both secure and non-secure guest. Any hypervisor +write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt) +will generate unexpected #PF in the host. + +Currently, attempt to run AVIC guest would result in the following error: + + BUG: unable to handle page fault for address: ff3a442e549cc270 + #PF: supervisor write access in kernel mode + #PF: error_code(0x80000003) - RMP violation + PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163 + SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00] + ... + +Newer AMD system is enhanced to allow hypervisor to modify the backing page +for non-secure guest on SNP-enabled system. This enhancement is available +when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed). + +This table describes AVIC support matrix w.r.t. SNP enablement: + + | Non-SNP system | SNP system +----------------------------------------------------- + Non-SNP guest | AVIC Activate | AVIC Activate iff + | | HvInuseWrAllowed=1 +----------------------------------------------------- + SNP guest | N/A | Secure AVIC + +Therefore, check and disable AVIC in kvm_amd driver when the feature is not +available on SNP-enabled system. + +See the AMD64 Architecture Programmer’s Manual (APM) Volume 2 for detail. 
+(https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/ +programmer-references/40332.pdf) + +Fixes: 216d106c7ff7 ("x86/sev: Add SEV-SNP host initialization support") +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20241104075845.7583-1-suravee.suthikulpanit@amd.com +Signed-off-by: Sean Christopherson +Cc: Naveen N Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kvm/svm/avic.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -449,6 +449,7 @@ + #define X86_FEATURE_SME_COHERENT (19*32+10) /* AMD hardware-enforced cache coherency */ + #define X86_FEATURE_DEBUG_SWAP (19*32+14) /* "debug_swap" AMD SEV-ES full debug state swap support */ + #define X86_FEATURE_SVSM (19*32+28) /* "svsm" SVSM present */ ++#define X86_FEATURE_HV_INUSE_WR_ALLOWED (19*32+30) /* Allow Write to in-use hypervisor-owned pages */ + + /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */ + #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* No Nested Data Breakpoints */ +--- a/arch/x86/kvm/svm/avic.c ++++ b/arch/x86/kvm/svm/avic.c +@@ -1199,6 +1199,12 @@ bool avic_hardware_setup(void) + return false; + } + ++ if (cc_platform_has(CC_ATTR_HOST_SEV_SNP) && ++ !boot_cpu_has(X86_FEATURE_HV_INUSE_WR_ALLOWED)) { ++ pr_warn("AVIC disabled: missing HvInUseWrAllowed on SNP-enabled system\n"); ++ return false; ++ } ++ + if (boot_cpu_has(X86_FEATURE_AVIC)) { + pr_info("AVIC enabled\n"); + } else if (force_avic) { diff --git a/queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch b/queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch new file mode 100644 index 0000000000..139512d8f1 --- /dev/null +++ b/queue-6.12/netfilter-fib-avoid-lookup-if-socket-is-available.patch 
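Review bot: The new guard in avic_hardware_setup() carries no comment explaining why an SNP-enabled host without HvInUseWrAllowed must disable AVIC; the reason (VMRUN marks the AVIC backing page in-use, so a hypervisor write to it, e.g. for interrupt injection, faults with an RMP violation) lives only in the commit message and will be lost on the next maintainer reading the code. Suggest placing above the `if`: `/* On SNP hosts VMRUN marks the AVIC backing page in-use; hypervisor writes to it #PF with an RMP violation unless HvInUseWrAllowed (CPUID Fn8000_001F_EAX bit 30) is set. */`. The pr_warn() text itself is clear and matches the warning style of the surrounding checks. avic_hardware_setup() starts and ends outside the hunk, so whether an earlier check already covers the SNP case cannot be confirmed from here.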
@@ -0,0 +1,136 @@ +From eaaff9b6702e99be5d79135f2afa9fc48a0d59e0 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 20 Feb 2025 14:07:01 +0100 +Subject: netfilter: fib: avoid lookup if socket is available + +From: Florian Westphal + +commit eaaff9b6702e99be5d79135f2afa9fc48a0d59e0 upstream. + +In case the fib match is used from the input hook we can avoid the fib +lookup if early demux assigned a socket for us: check that the input +interface matches sk-cached one. + +Rework the existing 'lo bypass' logic to first check sk, then +for loopback interface type to elide the fib lookup. + +This speeds up fib matching a little, before: +93.08 GBit/s (no rules at all) +75.1 GBit/s ("fib saddr . iif oif missing drop" in prerouting) +75.62 GBit/s ("fib saddr . iif oif missing drop" in input) + +After: +92.48 GBit/s (no rules at all) +75.62 GBit/s (fib rule in prerouting) +90.37 GBit/s (fib rule in input). + +Numbers for the 'no rules' and 'prerouting' are expected to +closely match in-between runs, the 3rd/input test case exercises the +the 'avoid lookup if cached ifindex in sk matches' case. + +Test used iperf3 via veth interface, lo can't be used due to existing +loopback test. 
+ +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nft_fib.h | 21 +++++++++++++++++++++ + net/ipv4/netfilter/nft_fib_ipv4.c | 11 +++++------ + net/ipv6/netfilter/nft_fib_ipv6.c | 19 ++++++++++--------- + 3 files changed, 36 insertions(+), 15 deletions(-) + +--- a/include/net/netfilter/nft_fib.h ++++ b/include/net/netfilter/nft_fib.h +@@ -18,6 +18,27 @@ nft_fib_is_loopback(const struct sk_buff + return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK; + } + ++static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt) ++{ ++ const struct net_device *indev = nft_in(pkt); ++ const struct sock *sk; ++ ++ switch (nft_hook(pkt)) { ++ case NF_INET_PRE_ROUTING: ++ case NF_INET_INGRESS: ++ case NF_INET_LOCAL_IN: ++ break; ++ default: ++ return false; ++ } ++ ++ sk = pkt->skb->sk; ++ if (sk && sk_fullsock(sk)) ++ return sk->sk_rx_dst_ifindex == indev->ifindex; ++ ++ return nft_fib_is_loopback(pkt->skb, indev); ++} ++ + int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset); + int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + const struct nlattr * const tb[]); +--- a/net/ipv4/netfilter/nft_fib_ipv4.c ++++ b/net/ipv4/netfilter/nft_fib_ipv4.c +@@ -70,6 +70,11 @@ void nft_fib4_eval(const struct nft_expr + const struct net_device *oif; + const struct net_device *found; + ++ if (nft_fib_can_skip(pkt)) { ++ nft_fib_store_result(dest, priv, nft_in(pkt)); ++ return; ++ } ++ + /* + * Do not set flowi4_oif, it restricts results (for example, asking + * for oif 3 will get RTN_UNICAST result even if the daddr exits +@@ -84,12 +89,6 @@ void nft_fib4_eval(const struct nft_expr + else + oif = NULL; + +- if (nft_hook(pkt) == NF_INET_PRE_ROUTING && +- nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { +- nft_fib_store_result(dest, priv, nft_in(pkt)); +- return; +- } +- + iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph); + if (!iph) { + 
regs->verdict.code = NFT_BREAK; +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -170,6 +170,11 @@ void nft_fib6_eval(const struct nft_expr + struct rt6_info *rt; + int lookup_flags; + ++ if (nft_fib_can_skip(pkt)) { ++ nft_fib_store_result(dest, priv, nft_in(pkt)); ++ return; ++ } ++ + if (priv->flags & NFTA_FIB_F_IIF) + oif = nft_in(pkt); + else if (priv->flags & NFTA_FIB_F_OIF) +@@ -181,17 +186,13 @@ void nft_fib6_eval(const struct nft_expr + return; + } + +- lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); +- +- if (nft_hook(pkt) == NF_INET_PRE_ROUTING || +- nft_hook(pkt) == NF_INET_INGRESS) { +- if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) || +- nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { +- nft_fib_store_result(dest, priv, nft_in(pkt)); +- return; +- } ++ if (nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { ++ nft_fib_store_result(dest, priv, nft_in(pkt)); ++ return; + } + ++ lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); ++ + *dest = 0; + rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb, + lookup_flags); diff --git a/queue-6.12/series b/queue-6.12/series index 24914e3537..1579742b0e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -89,3 +89,5 @@ perf-x86-fix-non-sampling-counting-events-on-certain.patch loongarch-select-arch_use_memtest.patch loongarch-make-regs_irqs_disabled-more-clear.patch loongarch-make-do_xyz-exception-handlers-more-robust.patch +kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch +netfilter-fib-avoid-lookup-if-socket-is-available.patch
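Review bot: In nft_fib_can_skip() the early-demux shortcut decides on `sk->sk_rx_dst_ifindex == indev->ifindex` alone, without checking that the cached rx dst is still valid, so after a route change the fib lookup (often used as a reverse-path check) is elided on a possibly stale ifindex until the socket refreshes its dst; if the dst validation done elsewhere is considered sufficient, a comment stating that assumption would help, e.g. `/* same iif as the socket's cached rx route: a fresh lookup would yield the same result */`. In nft_fib6_eval() the nft_fib_v6_skip_icmpv6() bypass is no longer gated on NF_INET_PRE_ROUTING/NF_INET_INGRESS, so it now also applies in the forward, output and postrouting hooks (where nft_in(pkt) may be NULL), a widening the commit message does not mention and that is worth confirming as intended. nft_fib4_eval() and nft_fib6_eval() both start and end outside their hunks.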