From 46df21f71a12d3ac0855b59294c9d7d26b4168bf Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 16 Jun 2020 13:05:13 +0200 Subject: [PATCH] 4.19-stable patches added patches: kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch kvm-nsvm-fix-condition-for-filtering-async-pf.patch kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch video-fbdev-w100fb-fix-a-potential-double-free.patch --- ...e-vcpu_cp1x-work-on-big-endian-hosts.patch | 45 +++++++++++++++ ..._asid-to-cpu_asid_mask-boot_cpu_data.patch | 45 +++++++++++++++ ...k-definition-for-variable-cpu_vmbits.patch | 43 +++++++++++++++ ...fix-condition-for-filtering-async-pf.patch | 36 ++++++++++++ ...asid-aside-in-copy_vmcb_control_area.patch | 32 +++++++++++ ...exit-reason-when-routing-nested-exit.patch | 51 +++++++++++++++++ ...e-leads-to-controller-firmware-crash.patch | 55 +++++++++++++++++++ queue-4.19/series | 8 +++ ...v-w100fb-fix-a-potential-double-free.patch | 50 +++++++++++++++++ 9 files changed, 365 insertions(+) create mode 100644 queue-4.19/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch create mode 100644 queue-4.19/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch create mode 100644 queue-4.19/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch create mode 100644 queue-4.19/kvm-nsvm-fix-condition-for-filtering-async-pf.patch create mode 100644 queue-4.19/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch create mode 100644 queue-4.19/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch create mode 100644 queue-4.19/scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch create mode 100644 queue-4.19/video-fbdev-w100fb-fix-a-potential-double-free.patch 
diff --git a/queue-4.19/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch b/queue-4.19/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch new file mode 100644 index 00000000000..eaaba2e1030 --- /dev/null +++ b/queue-4.19/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch @@ -0,0 +1,45 @@ +From 3204be4109ad681523e3461ce64454c79278450a Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 9 Jun 2020 08:40:35 +0100 +Subject: KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts + +From: Marc Zyngier + +commit 3204be4109ad681523e3461ce64454c79278450a upstream. + +AArch32 CP1x registers are overlayed on their AArch64 counterparts +in the vcpu struct. This leads to an interesting problem as they +are stored in their CPU-local format, and thus a CP1x register +doesn't "hit" the lower 32bit portion of the AArch64 register on +a BE host. + +To workaround this unfortunate situation, introduce a bias trick +in the vcpu_cp1x() accessors which picks the correct half of the +64bit register. + +Cc: stable@vger.kernel.org +Reported-by: James Morse +Tested-by: James Morse +Acked-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/kvm_host.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -335,8 +335,10 @@ void vcpu_write_sys_reg(struct kvm_vcpu + * CP14 and CP15 live in the same array, as they are backed by the + * same system registers. + */ +-#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r)]) +-#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r)]) ++#define CPx_BIAS IS_ENABLED(CONFIG_CPU_BIG_ENDIAN) ++ ++#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS]) ++#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS]) + + struct kvm_vm_stat { + ulong remote_tlb_flush; 
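Review bot: `CPx_BIAS` is defined without a comment, so a reader of kvm_host.h cannot tell why the `copro[]` index is XORed with it; the comment kept above the macros only explains that CP14 and CP15 share the array, and the reason lives only in the changelog. I would add above `#define CPx_BIAS IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)` something like `/* AArch32 CP1x registers overlay the low 32 bits of their AArch64 counterpart; on a big-endian host that half is the other 32-bit slot of the pair, so flip the index. */`. The XOR only picks the right half if `copro[]` is laid out as consecutive 32-bit words over each 64-bit register, which the hunk does not show, so stating that assumption in the comment would let a later layout change be caught.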
diff --git a/queue-4.19/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch b/queue-4.19/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch new file mode 100644 index 00000000000..fb1b37a684d --- /dev/null +++ b/queue-4.19/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch @@ -0,0 +1,45 @@ +From fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d Mon Sep 17 00:00:00 2001 +From: Xing Li +Date: Sat, 23 May 2020 15:56:28 +0800 +Subject: KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data) + +From: Xing Li + +commit fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d upstream. + +The code in decode_config4() of arch/mips/kernel/cpu-probe.c + + asid_mask = MIPS_ENTRYHI_ASID; + if (config4 & MIPS_CONF4_AE) + asid_mask |= MIPS_ENTRYHI_ASIDX; + set_cpu_asid_mask(c, asid_mask); + +set asid_mask to cpuinfo->asid_mask. + +So in order to support variable ASID_MASK, KVM_ENTRYHI_ASID should also +be changed to cpu_asid_mask(&boot_cpu_data). + +Cc: Stable #4.9+ +Reviewed-by: Aleksandar Markovic +Signed-off-by: Xing Li +[Huacai: Change current_cpu_data to boot_cpu_data for optimization] +Signed-off-by: Huacai Chen +Message-Id: <1590220602-3547-2-git-send-email-chenhc@lemote.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -275,7 +275,7 @@ enum emulation_result { + #define MIPS3_PG_FRAME 0x3fffffc0 + + #define VPN2_MASK 0xffffe000 +-#define KVM_ENTRYHI_ASID MIPS_ENTRYHI_ASID ++#define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data) + #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G) + #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK) + #define TLB_ASID(x) ((x).tlb_hi & KVM_ENTRYHI_ASID) 
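Review bot: `KVM_ENTRYHI_ASID` now expands to the call `cpu_asid_mask(&boot_cpu_data)` but keeps the upper-case name of a compile-time constant, so a reader of `TLB_ASID(x)` will not expect a runtime read of `boot_cpu_data` at every use. I would add a comment on the definition, `/* Runtime value, not a constant expression: the ASID width is probed in decode_config4(). */`. Any remaining use of the macro where a constant expression is required (array bounds, case labels, static initializers) would now fail to build; none is visible in the hunk, but the rest of the header is outside it.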
diff --git a/queue-4.19/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch b/queue-4.19/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch new file mode 100644 index 00000000000..3293c2db15d --- /dev/null +++ b/queue-4.19/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch @@ -0,0 +1,43 @@ +From 5816c76dea116a458f1932eefe064e35403248eb Mon Sep 17 00:00:00 2001 +From: Xing Li +Date: Sat, 23 May 2020 15:56:29 +0800 +Subject: KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits + +From: Xing Li + +commit 5816c76dea116a458f1932eefe064e35403248eb upstream. + +If a CPU support more than 32bit vmbits (which is true for 64bit CPUs), +VPN2_MASK set to fixed 0xffffe000 will lead to a wrong EntryHi in some +functions such as _kvm_mips_host_tlb_inv(). + +The cpu_vmbits definition of 32bit CPU in cpu-features.h is 31, so we +still use the old definition. + +Cc: Stable +Reviewed-by: Aleksandar Markovic +Signed-off-by: Xing Li +[Huacai: Improve commit messages] +Signed-off-by: Huacai Chen +Message-Id: <1590220602-3547-3-git-send-email-chenhc@lemote.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/kvm_host.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -274,7 +274,11 @@ enum emulation_result { + #define MIPS3_PG_SHIFT 6 + #define MIPS3_PG_FRAME 0x3fffffc0 + ++#if defined(CONFIG_64BIT) ++#define VPN2_MASK GENMASK(cpu_vmbits - 1, 13) ++#else + #define VPN2_MASK 0xffffe000 ++#endif + #define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data) + #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G) + #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK) diff --git a/queue-4.19/kvm-nsvm-fix-condition-for-filtering-async-pf.patch b/queue-4.19/kvm-nsvm-fix-condition-for-filtering-async-pf.patch new file mode 100644 index 00000000000..bcbea89e7d2 --- /dev/null 
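Review bot: The new `#if defined(CONFIG_64BIT)` / `#else` split for `VPN2_MASK` carries no comment, and the reason the 32-bit build keeps the fixed `0xffffe000` is stated only in the changelog (cpu_vmbits is 31 there, so `GENMASK(cpu_vmbits - 1, 13)` would cover bits 30:13 and lose bit 31). I would add above the `#else` a line such as `/* cpu_vmbits is 31 on 32-bit CPUs, which would drop bit 31; keep the fixed mask there. */`. As with `KVM_ENTRYHI_ASID` in the same header, the 64-bit definition is now a runtime expression rather than a constant and can no longer appear where a constant expression is required.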
+++ b/queue-4.19/kvm-nsvm-fix-condition-for-filtering-async-pf.patch @@ -0,0 +1,36 @@ +From a3535be731c2a343912578465021f50937f7b099 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Sat, 16 May 2020 09:19:06 -0400 +Subject: KVM: nSVM: fix condition for filtering async PF + +From: Paolo Bonzini + +commit a3535be731c2a343912578465021f50937f7b099 upstream. + +Async page faults have to be trapped in the host (L1 in this case), +since the APF reason was passed from L0 to L1 and stored in the L1 APF +data page. This was completely reversed: the page faults were passed +to the guest, a L2 hypervisor. + +Cc: stable@vger.kernel.org +Reviewed-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3229,8 +3229,8 @@ static int nested_svm_exit_special(struc + return NESTED_EXIT_HOST; + break; + case SVM_EXIT_EXCP_BASE + PF_VECTOR: +- /* When we're shadowing, trap PFs, but not async PF */ +- if (!npt_enabled && svm->vcpu.arch.apf.host_apf_reason == 0) ++ /* Trap async PF even if not shadowing */ ++ if (!npt_enabled || svm->vcpu.arch.apf.host_apf_reason) + return NESTED_EXIT_HOST; + break; + default: diff --git a/queue-4.19/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch b/queue-4.19/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch new file mode 100644 index 00000000000..ad6b97a5074 --- /dev/null +++ b/queue-4.19/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch 
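Review bot: The replacement comment `/* Trap async PF even if not shadowing */` states the new behaviour but not why, and the reasoning from the changelog (the APF reason was passed from L0 to L1 and stored in L1's APF data page, so L1 must consume it rather than L2) is exactly what the next person to touch this condition will need. I would expand it to `/* Async PF must be handled by L1: L0 wrote the reason into L1's APF data page, so never reflect it to L2. */`. The enclosing switch in `nested_svm_exit_special()` starts and ends outside the hunk.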
@@ -0,0 +1,32 @@ +From 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 20 May 2020 08:02:17 -0400 +Subject: KVM: nSVM: leave ASID aside in copy_vmcb_control_area + +From: Paolo Bonzini + +commit 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 upstream. + +Restoring the ASID from the hsave area on VMEXIT is wrong, because its +value depends on the handling of TLB flushes. Just skipping the field in +copy_vmcb_control_area will do. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3319,7 +3319,7 @@ static inline void copy_vmcb_control_are + dst->iopm_base_pa = from->iopm_base_pa; + dst->msrpm_base_pa = from->msrpm_base_pa; + dst->tsc_offset = from->tsc_offset; +- dst->asid = from->asid; ++ /* asid not copied, it is handled manually for svm->vmcb. */ + dst->tlb_ctl = from->tlb_ctl; + dst->int_ctl = from->int_ctl; + dst->int_vector = from->int_vector; diff --git a/queue-4.19/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch b/queue-4.19/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch new file mode 100644 index 00000000000..054c4c76b0f --- /dev/null +++ b/queue-4.19/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch 
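Review bot: The new comment `/* asid not copied, it is handled manually for svm->vmcb. */` says neither where nor why, so a later maintainer who notices `dst->asid` being left untouched by `copy_vmcb_control_area()` may well re-add the copy. I would make it `/* asid is deliberately not copied: its value depends on TLB-flush handling and is maintained separately for svm->vmcb. */`, naming the actual assignment site once confirmed. The function starts outside the hunk, and whether every `dst` handed to it already holds a valid asid is not visible here.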
@@ -0,0 +1,51 @@ +From 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 27 Feb 2020 09:44:30 -0800 +Subject: KVM: nVMX: Consult only the "basic" exit reason when routing nested exit + +From: Sean Christopherson + +commit 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 upstream. + +Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON, +when determining whether a nested VM-Exit should be reflected into L1 or +handled by KVM in L0. + +For better or worse, the switch statement in nested_vmx_exit_reflected() +currently defaults to "true", i.e. reflects any nested VM-Exit without +dedicated logic. Because the case statements only contain the basic +exit reason, any VM-Exit with modifier bits set will be reflected to L1, +even if KVM intended to handle it in L0. + +Practically speaking, this only affects EXIT_REASON_MCE_DURING_VMENTRY, +i.e. a #MC that occurs on nested VM-Enter would be incorrectly routed to +L1, as "failed VM-Entry" is the only modifier that KVM can currently +encounter. The SMM modifiers will never be generated as KVM doesn't +support/employ a SMI Transfer Monitor. Ditto for "exit from enclave", +as KVM doesn't yet support virtualizing SGX, i.e. it's impossible to +enter an enclave in a KVM guest (L1 or L2). 
+ +Fixes: 644d711aa0e1 ("KVM: nVMX: Deciding if L0 or L1 should handle an L2 exit") +Cc: Jim Mattson +Cc: Xiaoyao Li +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200227174430.26371-1-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9683,7 +9683,7 @@ static bool nested_vmx_exit_reflected(st + vmcs_read32(VM_EXIT_INTR_ERROR_CODE), + KVM_ISA_VMX); + +- switch (exit_reason) { ++ switch ((u16)exit_reason) { + case EXIT_REASON_EXCEPTION_NMI: + if (is_nmi(intr_info)) + return false; diff --git a/queue-4.19/scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch b/queue-4.19/scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch new file mode 100644 index 00000000000..a9fb0b84e55 --- /dev/null +++ b/queue-4.19/scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch 
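Review bot: `switch ((u16)exit_reason)` discards the modifier bits of vmcs.EXIT_REASON with a bare cast and no comment, so the intent (route on the basic exit reason, bits 15:0, only) is invisible at the point of use. I would add above the switch `/* Route on the basic exit reason (bits 15:0) only; a modifier such as "failed VM-Entry" must not send an exit that KVM handles in L0 to L1. */`. If `exit_reason` is compared against the EXIT_REASON_* constants elsewhere in `nested_vmx_exit_reflected()` or its callers, those sites need the same treatment; only this switch is visible in the hunk.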
@@ -0,0 +1,55 @@ +From 6fd8525a70221c26823b1c7e912fb21f218fb0c5 Mon Sep 17 00:00:00 2001 +From: Sumit Saxena +Date: Fri, 8 May 2020 14:22:42 +0530 +Subject: scsi: megaraid_sas: TM command refire leads to controller firmware crash + +From: Sumit Saxena + +commit 6fd8525a70221c26823b1c7e912fb21f218fb0c5 upstream. + +When TM command times out, driver invokes the controller reset. Post reset, +driver re-fires pended TM commands which leads to firmware crash. + +Post controller reset, return pended TM commands back to OS. + +Link: https://lore.kernel.org/r/20200508085242.23406-1-chandrakanth.patil@broadcom.com +Cc: stable@vger.kernel.org +Signed-off-by: Sumit Saxena +Signed-off-by: Chandrakanth Patil +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -3940,6 +3940,7 @@ void megasas_refire_mgmt_cmd(struct mega + struct fusion_context *fusion; + struct megasas_cmd *cmd_mfi; + union MEGASAS_REQUEST_DESCRIPTOR_UNION *req_desc; ++ struct MPI2_RAID_SCSI_IO_REQUEST *scsi_io_req; + u16 smid; + bool refire_cmd = 0; + u8 result; +@@ -3990,6 +3991,11 @@ void megasas_refire_mgmt_cmd(struct mega + break; + } + ++ scsi_io_req = (struct MPI2_RAID_SCSI_IO_REQUEST *) ++ cmd_fusion->io_request; ++ if (scsi_io_req->Function == MPI2_FUNCTION_SCSI_TASK_MGMT) ++ result = RETURN_CMD; ++ + switch (result) { + case REFIRE_CMD: + megasas_fire_cmd_fusion(instance, req_desc); +@@ -4187,7 +4193,6 @@ megasas_issue_tm(struct megasas_instance + if (!timeleft) { + dev_err(&instance->pdev->dev, + "task mgmt type 0x%x timed out\n", type); +- cmd_mfi->flags |= DRV_DCMD_SKIP_REFIRE; + mutex_unlock(&instance->reset_mutex); + rc = megasas_reset_fusion(instance->host, MFI_IO_TIMEOUT_OCR); + mutex_lock(&instance->reset_mutex); 
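Review bot: The new check in `megasas_refire_mgmt_cmd()` that forces `result = RETURN_CMD` for `MPI2_FUNCTION_SCSI_TASK_MGMT` overrides whatever the preceding switch decided and, once the third hunk stops setting `DRV_DCMD_SKIP_REFIRE` in `megasas_issue_tm()`, is the only thing left that keeps a pended TM command from being re-fired, yet nothing ties the two together at the site. I would add above the cast `/* TM commands must never be re-fired after a reset (firmware crash); hand them back to the OS instead. */`. The cast of `cmd_fusion->io_request` to `struct MPI2_RAID_SCSI_IO_REQUEST *` assumes every pended command carries an MPI2 request header with `Function` at that offset, which the hunk does not show and is worth a one-line note. The function starts before the first hunk and ends after the second.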
diff --git a/queue-4.19/series b/queue-4.19/series index 48b192ba013..b22e14c64ae 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -67,3 +67,11 @@ crypto-virtio-fix-dest-length-calculation-in-__virti.patch selftests-net-in-rxtimestamp-getopt_long-needs-terminating-null-entry.patch ovl-initialize-error-in-ovl_copy_xattr.patch proc-use-new_inode-not-new_inode_pseudo.patch +video-fbdev-w100fb-fix-a-potential-double-free.patch +kvm-nsvm-fix-condition-for-filtering-async-pf.patch +kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch +kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch +kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch +kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch +kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch +scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch diff --git a/queue-4.19/video-fbdev-w100fb-fix-a-potential-double-free.patch b/queue-4.19/video-fbdev-w100fb-fix-a-potential-double-free.patch new file mode 100644 index 00000000000..b6b2ee1952f --- /dev/null +++ b/queue-4.19/video-fbdev-w100fb-fix-a-potential-double-free.patch 
@@ -0,0 +1,50 @@ +From 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 6 May 2020 20:19:02 +0200 +Subject: video: fbdev: w100fb: Fix a potential double free. + +From: Christophe JAILLET + +commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream. + +Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in +the 'w100fb_restore_vidmem' function. (these functions are called +respectively from the 'suspend' and the 'resume' functions) + +However, it is also freed in the 'remove' function. + +In order to avoid a potential double free, set the corresponding pointer +to NULL once freed in the 'w100fb_restore_vidmem' function. + +Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence") +Cc: Richard Purdie +Cc: Antonino Daplas +Cc: Bartlomiej Zolnierkiewicz +Cc: # v2.6.14+ +Signed-off-by: Christophe JAILLET +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/w100fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/video/fbdev/w100fb.c ++++ b/drivers/video/fbdev/w100fb.c +@@ -583,6 +583,7 @@ static void w100fb_restore_vidmem(struct + memsize=par->mach->mem->size; + memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize); + vfree(par->saved_extmem); ++ par->saved_extmem = NULL; + } + if (par->saved_intmem) { + memsize=MEM_INT_SIZE; +@@ -591,6 +592,7 @@ static void w100fb_restore_vidmem(struct + else + memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize); + vfree(par->saved_intmem); ++ par->saved_intmem = NULL; + } + } + -- 2.47.3
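Review bot: The two new `= NULL` assignments after `vfree()` in `w100fb_restore_vidmem()` (both hunks) are the right fix, but nothing at the site says that the driver's remove path frees the same pointers, which is the whole reason for clearing them; a later cleanup could drop them as redundant. I would add after `par->saved_extmem = NULL;` the comment `/* cleared: the remove path frees this too */` and the same after `par->saved_intmem = NULL;`. Both hunks lie in the same function, whose start is outside the first hunk.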