April 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.293 release. There are 179 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.293-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.293-rc1 Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)loongson.cn> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Damien Le Moal <dlemoal(a)kernel.org> misc: pci_endpoint_test: Use INTX instead of LEGACY Bjorn Helgaas <bhelgaas(a)google.com> PCI: Rename PCI_IRQ_LEGACY to PCI_IRQ_INTX Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix VTU methods for 6320 family Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Acs, Jakub <acsjakub(a)amazon.de> ext4: fix OOB read when checking dotdot dir Theodore Ts'o <tytso(a)mit.edu> ext4: optimize __ext4_check_dir_entry() Theodore Ts'o <tytso(a)mit.edu> ext4: don't over-report free space or inodes in statvfs Chengguang Xu <cgxu519(a)mykernel.net> ext4: code cleanup for ext4_statfs_project() Jan Kara <jack(a)suse.cz> ext4: simplify checking quota limits in ext4_statfs() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Correct command storage data length WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Xie Yongji <xieyongji(a)bytedance.com> virtio-net: Add validation for used length Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Support specifying the srpt_service_guid parameter Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Felix Huettner <felix.huettner(a)mail.schwarz> net: openvswitch: fix race on port output Seunghwan Baek <sh8267.baek(a)samsung.com> mmc: cqhci: Fix checking of CQHCI_HALT state WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Martin Kepplinger <martin.kepplinger(a)puri.sm> usb: dwc3: support continuous runtime PM with dual role Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Nathan Chancellor <natechancellor(a)gmail.com> powerpc/prom_init: Use -ffreestanding to avoid a reference to bcmp Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Thorsten Leemhuis <linux(a)leemhuis.info> module: sign with sha512 instead of sha1 by default Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Jeff Layton <jlayton(a)kernel.org> nfs: move nfs_fhandle_hash to common include file Chuck Lever <chuck.lever(a)oracle.com> NFSD: Constify @fh argument of knfsd_fh_hash() Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Kaixin Wang <kxwang23(a)m.fudan.edu.cn> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Daniel Golle <daniel(a)makrotopia.org> pwm: mediatek: always use bus clock for PWM on MT7622 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Eric Biggers <ebiggers(a)google.com> ext4: reject casefold inode flag without casefold feature Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Ben Dooks <ben.dooks(a)sifive.com> bpf: Add endian modifiers to fix endian warnings Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Fabien Parent <fparent(a)baylibre.com> pwm: mediatek: Always use bus clock Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Hannes Reinecke <hare(a)suse.de> ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() ------------- Diffstat: Makefile | 7 +- arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 2 + arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/include/asm/mips-cm.h | 22 ++++ arch/mips/kernel/cevt-ds1287.c | 1 + arch/mips/kernel/mips-cm.c | 14 +++ arch/parisc/kernel/pdt.c | 2 + arch/powerpc/kernel/Makefile | 1 + arch/riscv/include/asm/syscall.h | 7 +- arch/s390/kvm/trace-s390.h | 4 +- arch/sparc/mm/tlb.c | 5 +- arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 16 +-- arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/bugs.c | 8 +- arch/x86/kernel/e820.c | 17 ++- crypto/crypto_null.c | 37 ++++--- drivers/acpi/pptt.c | 4 +- drivers/ata/ahci.c | 2 + drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 ++ drivers/ata/sata_sx4.c | 118 ++++++++------------- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_ldisc.c | 19 +++- drivers/bluetooth/hci_uart.h | 1 + drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/cpufreq/cpufreq.c | 8 ++ drivers/cpufreq/scpi-cpufreq.c | 13 ++- drivers/crypto/atmel-sha204a.c | 7 +- drivers/crypto/ccp/sp-pci.c | 15 +-- drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/dmatest.c | 6 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- .../gpu/drm/amd/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 10 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 9 ++ drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/hid/usbhid/hid-pidff.c | 60 +++++++---- drivers/hsi/clients/ssi_protocol.c | 1 + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i3c/master.c | 3 + drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +-- drivers/infiniband/ulp/srpt/ib_srpt.c | 8 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/dm-integrity.c | 3 + drivers/md/raid1.c | 26 +++-- drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/platform/qcom/venus/hfi_parser.c | 2 + drivers/media/platform/qcom/venus/hfi_venus.c | 18 +++- drivers/media/platform/vim2m.c | 6 +- drivers/media/rc/streamzap.c | 68 ++++++------ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/misc/pci_endpoint_test.c | 36 ++++--- drivers/mmc/host/cqhci.c | 2 +- drivers/mtd/inftlcore.c | 9 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/dsa/b53/b53_common.c | 10 ++ drivers/net/dsa/mv88e6xxx/chip.c | 25 ++++- drivers/net/phy/phy_led_triggers.c | 23 ++-- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/virtio_net.c | 22 ++-- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/ntb/hw/idt/ntb_hw_idt.c | 18 ++-- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fc.c | 14 --- drivers/of/irq.c | 13 ++- drivers/pci/probe.c | 5 +- drivers/perf/arm_pmu.c | 8 +- drivers/platform/x86/asus-laptop.c | 9 +- .../x86/intel_speed_select_if/isst_if_common.c | 2 +- drivers/pwm/pwm-fsl-ftm.c | 6 ++ drivers/pwm/pwm-mediatek.c | 20 +++- drivers/s390/virtio/virtio_ccw.c | 16 ++- drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/st.c | 2 +- drivers/staging/comedi/drivers/jr3_pci.c | 15 ++- drivers/thermal/rockchip_thermal.c | 1 + drivers/tty/serial/sifive.c | 6 ++ drivers/usb/cdns3/gadget.c | 2 + drivers/usb/core/quirks.c | 9 ++ drivers/usb/dwc3/core.c | 11 +- drivers/usb/dwc3/gadget.c | 6 ++ drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 ++ drivers/usb/host/ohci-pci.c | 23 ++++ drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 ++ drivers/usb/storage/unusual_uas.h | 7 ++ drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/Kconfig | 1 + fs/btrfs/super.c | 3 +- fs/ext4/dir.c | 12 ++- fs/ext4/inode.c | 69 ++++++++---- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 61 ++++++----- fs/ext4/xattr.c | 11 +- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 ++ fs/hfsplus/bnode.c | 6 ++ fs/isofs/export.c | 2 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 2 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 22 ---- fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfsfh.h | 12 +-- include/linux/backing-dev.h | 1 + include/linux/nfs.h | 13 +++ include/linux/pci.h | 4 +- include/net/sctp/structs.h | 3 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/pcitest.h | 3 +- include/xen/interface/xen-mca.h | 2 +- init/Kconfig | 3 +- kernel/locking/lockdep.c | 3 + kernel/trace/ftrace.c | 1 + kernel/trace/trace_events.c | 4 +- lib/sg_split.c | 2 - mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +----- net/bluetooth/hci_event.c | 5 +- net/core/dev.c | 1 + net/core/filter.c | 80 +++++++------- net/core/page_pool.c | 8 +- net/ipv4/inet_connection_sock.c | 19 +++- net/mac80211/iface.c | 3 + net/mac80211/mesh_hwmp.c | 14 ++- net/openvswitch/actions.c | 4 +- net/openvswitch/flow_netlink.c | 3 +- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_hfsc.c | 23 ++-- net/sctp/socket.c | 22 ++-- net/sctp/transport.c | 2 + net/tipc/link.c | 1 + net/tipc/monitor.c | 3 +- sound/pci/hda/hda_intel.c | 15 ++- sound/usb/midi.c | 80 ++++++++++++-- tools/power/cpupower/bench/parse.c | 4 + tools/testing/selftests/ublk/test_stripe_04.sh | 24 +++++ 162 files changed, 1121 insertions(+), 557 deletions(-)

6 months

6
184
0 0

[PATCH 0/1] mm: Fix regression after THP PTE optimization on Xen PV Dom0

by Petr Vaněk

Hi all, I have found a problem in recent kernels 6.9+ when running under the Xen hypervisor as a PV dom0. In my setup (PV Dom0 with 4G RAM, using XFS), I shrink memory to 256M via the balloon driver after boot: xl mem-set Domain-0 256m Once memory is reduced, even running a simple command like ls usually triggers the following warning: [ 27.963562] [ T2553] page: refcount:88 mapcount:21 mapping:ffff88813ff6f6a8 index:0x110 pfn:0x10085c [ 27.963564] [ T2553] head: order:2 mapcount:83 entire_mapcount:0 nr_pages_mapped:4 pincount:0 [ 27.963565] [ T2553] memcg:ffff888003573000 [ 27.963567] [ T2553] aops:0xffffffff8226fd20 ino:82467c dentry name(?):"libc.so.6" [ 27.963570] [ T2553] flags: 0x2000000000416c(referenced|uptodate|lru|active|private|head|node=0|zone=2) [ 27.963573] [ T2553] raw: 002000000000416c ffffea0004021e88 ffffea0004021908 ffff88813ff6f6a8 [ 27.963574] [ T2553] raw: 0000000000000110 ffff88811bf06b60 0000005800000014 ffff888003573000 [ 27.963576] [ T2553] head: 002000000000416c ffffea0004021e88 ffffea0004021908 ffff88813ff6f6a8 [ 27.963577] [ T2553] head: 0000000000000110 ffff88811bf06b60 0000005800000014 ffff888003573000 [ 27.963578] [ T2553] head: 0020000000000202 ffffea0004021701 0000000400000052 00000000ffffffff [ 27.963580] [ T2553] head: 0000000300000003 8000000300000002 0000000000000014 0000000000000004 [ 27.963581] [ T2553] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) [ 27.963590] [ T2553] ------------[ cut here ]------------ [ 27.963591] [ T2553] WARNING: CPU: 1 PID: 2553 at include/linux/rmap.h:427 __folio_rmap_sanity_checks+0x1a0/0x270 [ 27.963596] [ T2553] CPU: 1 UID: 0 PID: 2553 Comm: ls Not tainted 6.15.0-rc4-00002-ge0363f942651 #270 PREEMPT(undef) [ 27.963599] [ T2553] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-20240910_120124-localhost 04/01/2014 [ 27.963601] [ T2553] RIP: e030:__folio_rmap_sanity_checks+0x1a0/0x270 [ 27.963603] [ T2553] Code: 89 df e8 b3 7d fd ff 0f 0b e9 eb fe ff ff 48 8d 42 ff 48 39 c3 0f 84 0e ff ff ff 48 c7 c6 e8 49 5b 82 48 89 df e8 90 7d fd ff <0f> 0b e9 f8 fe ff ff 41 f7 c4 ff 0f 00 00 0f 85 b2 fe ff ff 49 8b [ 27.963605] [ T2553] RSP: e02b:ffffc90040f8fac0 EFLAGS: 00010246 [ 27.963608] [ T2553] RAX: 00000000000000e5 RBX: ffffea0004021700 RCX: 0000000000000000 [ 27.963609] [ T2553] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff [ 27.963610] [ T2553] RBP: ffffc90040f8fae0 R08: 00000000ffffdfff R09: ffffffff82929308 [ 27.963612] [ T2553] R10: ffffffff82879360 R11: 0000000000000002 R12: ffffea0004021700 [ 27.963613] [ T2553] R13: 0000000000000005 R14: 0000000000000000 R15: 0000000000000005 [ 27.963625] [ T2553] FS: 00007ff06dafe740(0000) GS:ffff8880b7ccb000(0000) knlGS:0000000000000000 [ 27.963627] [ T2553] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.963628] [ T2553] CR2: 000055deb932f630 CR3: 0000000002844000 CR4: 0000000000050660 [ 27.963630] [ T2553] Call Trace: [ 27.963632] [ T2553] <TASK> [ 27.963633] [ T2553] folio_remove_rmap_ptes+0x24/0x2b0 [ 27.963635] [ T2553] unmap_page_range+0x132e/0x17e0 [ 27.963638] [ T2553] unmap_single_vma+0x81/0xd0 [ 27.963640] [ T2553] unmap_vmas+0xb5/0x180 [ 27.963642] [ T2553] exit_mmap+0x10c/0x460 [ 27.963644] [ T2553] mmput+0x59/0x120 [ 27.963647] [ T2553] do_exit+0x2d1/0xbd0 [ 27.963649] [ T2553] do_group_exit+0x2f/0x90 [ 27.963651] [ T2553] __x64_sys_exit_group+0x13/0x20 [ 27.963652] [ T2553] x64_sys_call+0x126b/0x1d70 [ 27.963655] [ T2553] do_syscall_64+0x54/0x120 [ 27.963657] [ T2553] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 27.963659] [ T2553] RIP: 0033:0x7ff06dbdbe9d [ 27.963660] [ T2553] Code: Unable to access opcode bytes at 0x7ff06dbdbe73. [ 27.963661] [ T2553] RSP: 002b:00007ffde44f9ac8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 27.963664] [ T2553] RAX: ffffffffffffffda RBX: 00007ff06dce4fa8 RCX: 00007ff06dbdbe9d [ 27.963665] [ T2553] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000 [ 27.963666] [ T2553] RBP: 0000000000000000 R08: 00007ffde44f9a70 R09: 00007ffde44f99ff [ 27.963667] [ T2553] R10: 00007ffde44f9980 R11: 0000000000000206 R12: 00007ff06dce3680 [ 27.963668] [ T2553] R13: 00007ff06dd010e0 R14: 0000000000000002 R15: 00007ff06dce4fc0 [ 27.963670] [ T2553] </TASK> [ 27.963671] [ T2553] ---[ end trace 0000000000000000 ]--- Later on bigger problems start to appear: [ 69.035059] [ T2593] BUG: Bad page map in process ls pte:10006c125 pmd:1003dc067 [ 69.035061] [ T2593] page: refcount:8 mapcount:20 mapping:ffff88813fd736a8 index:0x110 pfn:0x10006c [ 69.035064] [ T2593] head: order:2 mapcount:-2 entire_mapcount:0 nr_pages_mapped:8388532 pincount:0 [ 69.035066] [ T2593] memcg:ffff888003573000 [ 69.035067] [ T2593] aops:0xffffffff8226fd20 ino:82467c dentry name(?):"libc.so.6" [ 69.035069] [ T2593] flags: 0x2000000000416c(referenced|uptodate|lru|active|private|head|node=0|zone=2) [ 69.035072] [ T2593] raw: 002000000000416c ffffea0004002348 ffffea0004001d08 ffff88813fd736a8 [ 69.035074] [ T2593] raw: 0000000000000110 ffff888100d19860 0000000800000013 ffff888003573000 [ 69.035076] [ T2593] head: 002000000000416c ffffea0004002348 ffffea0004001d08 ffff88813fd736a8 [ 69.035078] [ T2593] head: 0000000000000110 ffff888100d19860 0000000800000013 ffff888003573000 [ 69.035079] [ T2593] head: 0020000000000202 ffffea0004001b01 ffffffb4fffffffd 00000000ffffffff [ 69.035081] [ T2593] head: 0000000300000003 0000000500000002 0000000000000013 0000000000000004 [ 69.035082] [ T2593] page dumped because: bad pte [ 69.035083] [ T2593] addr:00007f6524b96000 vm_flags:00000075 anon_vma:0000000000000000 mapping:ffff88813fd736a8 index:110 [ 69.035086] [ T2593] file:libc.so.6 fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio The system eventually becomes unusable and typically crashes. I was able to bisect this issue to the commit: 10ebac4f95e7 ("mm/memory: optimize unmap/zap with PTE-mapped THP"). If I understand correctly, the folio from the first warning has 4 pages, but folio_pte_batch incorrectly counts 5 pages, because expected_pte and pte are both zero-valued PTEs, and the loop is not broken in such a case because pte_same() returns true. [ 27.963266] [ T2553] folio_pte_batch debug: printing PTE values starting at addr=0x7ff06dc11000 [ 27.963268] [ T2553] PTE[ 0] = 000000010085c125 [ 27.963272] [ T2553] PTE[ 1] = 000000010085d125 [ 27.963274] [ T2553] PTE[ 2] = 000000010085e125 [ 27.963276] [ T2553] PTE[ 3] = 000000010085f125 [ 27.963277] [ T2553] PTE[ 4] = 0000000000000000 <-- not present [ 27.963279] [ T2553] PTE[ 5] = 0000000102e47125 [ 27.963281] [ T2553] PTE[ 6] = 0000000102e48125 [ 27.963283] [ T2553] PTE[ 7] = 0000000102e49125 As a consequence, zap_present_folio_ptes() is called with nr = 5, which later calls folio_remove_rmap_ptes(), where __folio_rmap_sanity_checks() emits the warning log. The patch in the following message fixes the problem for me. It adds a check that breaks the loop when encountering non-present PTE, before the !pte_same() check. I still don't fully understand how the zero-valued PTE appears there or why this issue is triggered only when xen-balloon driver shrinks the memory. I wasn't able to reproduce it without shrinking. Cheers, Petr Petr Vaněk (1): mm: Fix folio_pte_batch() overcount with zero PTEs mm/internal.h | 2 ++ 1 file changed, 2 insertions(+) -- 2.48.1

6 months

3
19
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021815-protract-greasily-cdea@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

6 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021809-census-mammal-224b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

6 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021812-candied-hamper-7f08@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

6 months, 1 week

3
2
0 0

Re: [PATCH] Handle Ice Lake MONITOR erratum

by Christian Ludloff

> [ICX143 in https://cdrdv2.intel.com/v1/dl/getContent/637780] > There is no equivalent erratum for the "Xeon D" Ice Lakes so > INTEL_ICELAKE_D is not affected. There is ICXD80 in... https://www.intel.com/content/www/us/en/content-details/714069/intel-xeon-d… https://www.intel.com/content/www/us/en/content-details/714071/intel-xeon-d… And although the ICL spec update... https://edc.intel.com/content/www/us/en/design/ipla/software-development-pl… ...doesn't seem to have a MONITOR erratum, it might be a good idea for Intel to double check. -- Christian

6 months, 1 week

2
1
0 0

[PATCH v5] Restrict devmem for confidential VMs

by Dan Williams

Changes since v3 [1] (note v4 was a partial re-roll, but more feedback came in requiring a v5): - Fix a kbuild robot report for a missing header include of cc_platform.h - Switch to selecting STRICT_DEVMEM and IOSTRICT_DEVMEM rather than "depends on". (Naveen) - Clarify the "SEPT violation" vs "crash" and other changelog fixups for devmem maintainers and other arch maintainers. (Dave) - Drop patch numbering since patch2 is a fix and has no dependencies on patch1 [1]: http://lore.kernel.org/174491711228.1395340.3647010925173796093.stgit@dwill… --- The original response to Nikolay's report of a "crash" (unhandled SEPT violation) triggered by /dev/mem access to private memory was "let's just turn off /dev/mem". After some machinations of x86_platform_ops to block a subset of problematic access, spelunking the history of devmem_is_allowed() returning "2" to enable some compatibility benefits while blocking access, and discovering that userspace depends buggy kernel behavior for mmap(2) of the first 1MB of memory on x86, the proposal has circled back to "disable /dev/mem". Require both STRICT_DEVMEM and IO_STRICT_DEVMEM for x86 confidential guests to close /dev/mem hole while still allowing for userspace mapping of PCI MMIO as long as the kernel and userspace are not mapping the range at the same time. The range_is_allowed() cleanup is not strictly necessary, but might as well close a 17 year-old "TODO". Dan Williams (2): x86/devmem: Remove duplicate range_is_allowed() definition x86/devmem: Drop /dev/mem access for confidential guests arch/x86/Kconfig | 4 ++++ arch/x86/mm/pat/memtype.c | 31 ++++--------------------------- drivers/char/mem.c | 28 ++++++++++------------------ include/linux/io.h | 21 +++++++++++++++++++++ 4 files changed, 39 insertions(+), 45 deletions(-) base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 -- 2.49.0

6 months, 1 week

4
10
0 0

[PATCH 6.1 00/16] xfs backports for 6.1.y from 6.10

by Leah Rumancik

Hello again, This is the 6.1.y backports set from 6.10 which corresponds to the 6.6.y backports set from here: https://lore.kernel.org/all/20241002174108.64615-1-catherine.hoang@oracle.c… The following patches were included: f43bd357fde0 xfs: fix error returns from xfs_bmapi_write 4bcef72d96b5 xfs: fix xfs_bmap_add_extent_delay_real for partial conversions c299188b443a xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent c13c21f77824 xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovey 0934046e3392 xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 9716cdcc2f9e xfs: validate recovered name buffers when recovering xattr items 20adb1e2f069 xfs: revert commit 44af6c7e59b12 f24ba2183148 xfs: match lock mode in xfs_buffered_write_iomap_begin() 0f726c17dfd8 xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional 36081fd0ee37 xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset 4c99f3026cf2 xfs: convert delayed extents to unwritten when zeroing post eof blocks 0aca73915dc1 xfs: allow symlinks with short remote targets 0e52b98bf041 xfs: make sure sb_fdblocks is non-negative 2bc2d49c36c2 xfs: fix freeing speculative preallocations for preallocated files 3eeac3311683 xfs: allow unlinked symlinks and dirs with zero size 9a0ab4fc28ed xfs: restrict when we try to align cow fork delalloc to cowextsz hints The following patches were omitted: cad051826d83 xfs: fix missing check for invalid attr flags scrub db460c26f0b0 xfs: check shortform attr entry flags specifically scrub 5689d2345a01 xfs: enforce one namespace per attribute doesn't cherry pick cleanly, it is some refactoring and isn't a dependency for other patches, lets skip it for now 7c03b124353a xfs: use dontcache for grabbing inodes during scrub scrub 740a427e8f45 xfs: fix unlink vs cluster buffer instantiation race already in 6.1.y No fixes were found on mainline for any of the patches being ported. The auto group was run 1x on each of these configs: xfs/4k xfs/1k xfs/logdev xfs/realtime xfs/quota xfs/v4 xfs/dax xfs/adv xfs/dirblock_8k and no regressions were seen. This set has already been ack'd on the xfs-stable list. Let me know if you see any issues. Thanks, Leah Christoph Hellwig (4): xfs: fix error returns from xfs_bmapi_write xfs: fix xfs_bmap_add_extent_delay_real for partial conversions xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent xfs: fix freeing speculative preallocations for preallocated files Darrick J. Wong (7): xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 xfs: validate recovered name buffers when recovering xattr items xfs: revert commit 44af6c7e59b12 xfs: allow symlinks with short remote targets xfs: allow unlinked symlinks and dirs with zero size xfs: restrict when we try to align cow fork delalloc to cowextsz hints Wengang Wang (1): xfs: make sure sb_fdblocks is non-negative Zhang Yi (4): xfs: match lock mode in xfs_buffered_write_iomap_begin() xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset xfs: convert delayed extents to unwritten when zeroing post eof blocks fs/xfs/libxfs/xfs_attr_remote.c | 1 - fs/xfs/libxfs/xfs_bmap.c | 130 ++++++++++++++++++++++++++------ fs/xfs/libxfs/xfs_da_btree.c | 20 ++--- fs/xfs/libxfs/xfs_inode_buf.c | 47 ++++++++++-- fs/xfs/libxfs/xfs_sb.c | 7 +- fs/xfs/scrub/attr.c | 5 ++ fs/xfs/xfs_aops.c | 54 ++++--------- fs/xfs/xfs_attr_item.c | 88 ++++++++++++++++++--- fs/xfs/xfs_bmap_util.c | 61 +++++++++------ fs/xfs/xfs_bmap_util.h | 2 +- fs/xfs/xfs_dquot.c | 1 - fs/xfs/xfs_icache.c | 2 +- fs/xfs/xfs_inode.c | 14 +--- fs/xfs/xfs_iomap.c | 81 +++++++++++--------- fs/xfs/xfs_reflink.c | 20 ----- fs/xfs/xfs_rtalloc.c | 2 - 16 files changed, 342 insertions(+), 193 deletions(-) -- 2.49.0.906.g1f30a19c02-goog

6 months, 1 week

2
32
0 0

[PATCH stable 6.6 00/10] bpf: track changes_pkt_data property for global functions

by Shung-Hsi Yu

Fix the bypassing of invalid packet pointer check in 6.6 by backporting the entire "bpf: track changes_pkt_data property for global functions" series[1], along with the follow up, "bpf: fix NPE when computing changes_pkt_data of program w/o subprograms" series[2]; both from Eduard. I had ran the BPF selftests after backporting, confirmed that newly added BPF selftests passes, and that no new failure observed in BPF selftests (dummy_st_ops, ns_current_pid_tgid, test_bpf_ma, and test_bpffs are failing even without this patchset applied). See [3] for the full log. #50/1 changes_pkt_data_freplace/changes_pkt_data_with_changes_pkt_data:OK #50/2 changes_pkt_data_freplace/changes_pkt_data_with_does_not_change_pkt_data:OK #50/3 changes_pkt_data_freplace/does_not_change_pkt_data_with_changes_pkt_data:OK #50/4 changes_pkt_data_freplace/does_not_change_pkt_data_with_does_not_change_pkt_data:OK #50/5 changes_pkt_data_freplace/main_changes_with_changes_pkt_data:OK #50/6 changes_pkt_data_freplace/main_changes_with_does_not_change_pkt_data:OK #50/7 changes_pkt_data_freplace/main_does_not_change_with_changes_pkt_data:OK #50/8 changes_pkt_data_freplace/main_does_not_change_with_does_not_change_pkt_data:OK #395/57 verifier_sock/invalidate_pkt_pointers_from_global_func:OK #395/58 verifier_sock/invalidate_pkt_pointers_by_tail_call:OK 1: https://lore.kernel.org/all/20241210041100.1898468-1-eddyz87@gmail.com/ 2: https://lore.kernel.org/all/20241212070711.427443-1-eddyz87@gmail.com/ 3: https://github.com/shunghsiyu/libbpf/actions/runs/14747347842/job/413971041… Eduard Zingerman (10): bpf: add find_containing_subprog() utility function bpf: refactor bpf_helper_changes_pkt_data to use helper number bpf: track changes_pkt_data property for global functions selftests/bpf: test for changing packet data from global functions bpf: check changes_pkt_data property for extension programs selftests/bpf: freplace tests for tracking of changes_packet_data bpf: consider that tail calls invalidate packet pointers selftests/bpf: validate that tail call invalidates packet pointers bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs selftests/bpf: extend changes_pkt_data with cases w/o subprograms include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + include/linux/filter.h | 2 +- kernel/bpf/core.c | 2 +- kernel/bpf/verifier.c | 81 +++++++++++-- net/core/filter.c | 63 +++++------ .../bpf/prog_tests/changes_pkt_data.c | 107 ++++++++++++++++++ .../selftests/bpf/progs/changes_pkt_data.c | 39 +++++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 +++ .../selftests/bpf/progs/verifier_sock.c | 56 +++++++++ 10 files changed, 324 insertions(+), 46 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/changes_pkt_data.c create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data.c create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data_freplace.c -- 2.49.0

6 months, 1 week

2
20
0 0

[PATCH 6.12.y 0/6] Bluetooth: btusb: add a bunch of USB device IDs for Qualcomm WCN785x

by Alexander Tsoy

This was tested on a device with USB ID 2c7c:0130

6 months, 1 week

2
12
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025