Rebase patches to 6.8.0-49.49

debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch

@@ -11,7 +11,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index c4c6240d14f9..5e037a9ea6a6 100644
+index 31ff09cc5737..9e8cdd7298d3 100644
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
 @@ -234,6 +234,7 @@ static int dmar_map_gfx = 1;

debian/patches/pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch

@@ -47,7 +47,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
-index af5c476db6e6..8aee0f520300 100644
+index 438d68d681b1..dc5165b16956 100644
 --- a/fs/smb/client/file.c
 +++ b/fs/smb/client/file.c
 @@ -2845,17 +2845,21 @@ static ssize_t cifs_write_back_from_locked_folio(struct address_space *mapping,

debian/patches/pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch

@@ -1,79 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Sun, 24 Mar 2024 20:51:35 +0100
-Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
-
-Disable XSAVES only on machines which haven't loaded the microcode
-revision containing the erratum fix.
-
-This will come in handy when running archaic OSes as guests. OSes whose
-brilliant programmers thought that CPUID is overrated and one should not
-query it but use features directly, ala shoot first, ask questions
-later... but only if you're alive after the shooting.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Tested-by: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
----
- arch/x86/include/asm/cpu_device_id.h |  8 ++++++++
- arch/x86/kernel/cpu/amd.c            | 12 ++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
-index e8e3dbe7f173..b6325ee30871 100644
---- a/arch/x86/include/asm/cpu_device_id.h
-+++ b/arch/x86/include/asm/cpu_device_id.h
-@@ -288,6 +288,14 @@ struct x86_cpu_desc {
- 	.x86_microcode_rev	= (revision),			\
- }
- 
-+#define AMD_CPU_DESC(fam, model, stepping, revision) {		\
-+	.x86_family		= (fam),			\
-+	.x86_vendor		= X86_VENDOR_AMD,		\
-+	.x86_model		= (model),			\
-+	.x86_stepping		= (stepping),			\
-+	.x86_microcode_rev	= (revision),			\
-+}
-+
- extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
- extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
- 
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 0838ea579eb0..ca6096dcc5c6 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -13,6 +13,7 @@
- #include <asm/apic.h>
- #include <asm/cacheinfo.h>
- #include <asm/cpu.h>
-+#include <asm/cpu_device_id.h>
- #include <asm/spec-ctrl.h>
- #include <asm/smp.h>
- #include <asm/numa.h>
-@@ -925,6 +926,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
- 	clear_rdrand_cpuid_bit(c);
- }
- 
-+static const struct x86_cpu_desc erratum_1386_microcode[] = {
-+	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
-+	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
-+};
-+
- static void fix_erratum_1386(struct cpuinfo_x86 *c)
- {
- 	/*
-@@ -934,7 +940,13 @@ static void fix_erratum_1386(struct cpuinfo_x86 *c)
- 	 *
- 	 * Affected parts all have no supervisor XSAVE states, meaning that
- 	 * the XSAVEC instruction (which works fine) is equivalent.
-+	 *
-+	 * Clear the feature flag only on microcode revisions which
-+	 * don't have the fix.
- 	 */
-+	if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
-+		return;
-+
- 	clear_cpu_cap(c, X86_FEATURE_XSAVES);
- }
- 

debian/patches/pve/0016-SUNRPC-Fix-backchannel-reply-again.patch

@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chuck Lever <chuck.lever@oracle.com>
-Date: Wed, 19 Jun 2024 09:51:08 -0400
-Subject: [PATCH] SUNRPC: Fix backchannel reply, again
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 6ddc9deacc1312762c2edd9de00ce76b00f69f7c ]
-
-I still see "RPC: Could not send backchannel reply error: -110"
-quite often, along with slow-running tests. Debugging shows that the
-backchannel is still stumbling when it has to queue a callback reply
-on a busy transport.
-
-Note that every one of these timeouts causes a connection loss by
-virtue of the xprt_conditional_disconnect() call in that arm of
-call_cb_transmit_status().
-
-I found that setting to_maxval is necessary to get the RPC timeout
-logic to behave whenever to_exponential is not set.
-
-Fixes: 57331a59ac0d ("NFSv4.1: Use the nfs_client's rpc timeouts for backchannel")
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
-Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
-Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-(cherry picked from commit bd1e42e0f2567c911d3df761cf7a33b021fdceeb)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- net/sunrpc/svc.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
-index bd61e257cda6..bac1886f07da 100644
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -1546,9 +1546,11 @@ void svc_process(struct svc_rqst *rqstp)
-  */
- void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
- {
-+	struct rpc_timeout timeout = {
-+		.to_increment		= 0,
-+	};
- 	struct rpc_task *task;
- 	int proc_error;
--	struct rpc_timeout timeout;
- 
- 	/* Build the svc_rqst used by the common processing routine */
- 	rqstp->rq_xid = req->rq_xid;
-@@ -1601,6 +1603,7 @@ void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
- 		timeout.to_initval = req->rq_xprt->timeout->to_initval;
- 		timeout.to_retries = req->rq_xprt->timeout->to_retries;
- 	}
-+	timeout.to_maxval = timeout.to_initval;
- 	memcpy(&req->rq_snd_buf, &rqstp->rq_res, sizeof(req->rq_snd_buf));
- 	task = rpc_run_bc_task(req, &timeout);
- 

debian/patches/pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch

@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 10 Sep 2024 08:30:57 -0600
+Subject: [PATCH] io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
+
+Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for
+an IOCB_NOWAIT read/write attempt. While this can be argued to be
+correct, the usual return value for something that requires blocking
+issue is -EAGAIN.
+
+A refactoring io_uring commit dropped calling kiocb_done() for
+negative return values, which is otherwise where we already do that
+transformation. To ensure we catch it in both spots, check it in
+__io_read() itself as well.
+
+Reported-by: Robert Sander <r.sander@heinlein-support.de>
+Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440
+Cc: stable@vger.kernel.org
+Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+(cherry picked from commit c0a9d496e0fece67db777bd48550376cf2960c47)
+Signed-off-by: Daniel Kral <d.kral@proxmox.com>
+---
+ io_uring/rw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/io_uring/rw.c b/io_uring/rw.c
+index c3c154790e45..ed7f67097572 100644
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -825,6 +825,14 @@ static int __io_read(struct io_kiocb *req, unsigned int issue_flags)
+ 
+ 	ret = io_iter_do_read(rw, &s->iter);
+ 
++	/*
++	 * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
++	 * issue, even though they should be returning -EAGAIN. To be safe,
++	 * retry from blocking context for either.
++	 */
++	if (ret == -EOPNOTSUPP && force_nonblock)
++		ret = -EAGAIN;
++
+ 	if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
+ 		req->flags &= ~REQ_F_REISSUE;
+ 		/*

debian/patches/pve/0017-tap-add-missing-verification-for-short-frame.patch

@@ -1,52 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Si-Wei Liu <si-wei.liu@oracle.com>
-Date: Wed, 24 Jul 2024 10:04:51 -0700
-Subject: [PATCH] tap: add missing verification for short frame
-
-The cited commit missed to check against the validity of the frame length
-in the tap_get_user_xdp() path, which could cause a corrupted skb to be
-sent downstack. Even before the skb is transmitted, the
-tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
-than ETH_HLEN. Once transmitted, this could either cause out-of-bound
-access beyond the actual length, or confuse the underlayer with incorrect
-or inconsistent header length in the skb metadata.
-
-In the alternative path, tap_get_user() already prohibits short frame which
-has the length less than Ethernet header size from being transmitted.
-
-This is to drop any frame shorter than the Ethernet header size just like
-how tap_get_user() does.
-
-CVE: CVE-2024-41090
-Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
-Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
-Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
-Reviewed-by: Willem de Bruijn <willemb@google.com>
-Reviewed-by: Paolo Abeni <pabeni@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-(cherry picked from commit ed7f2afdd0e043a397677e597ced0830b83ba0b3)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- drivers/net/tap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/net/tap.c b/drivers/net/tap.c
-index 9f0495e8df4d..feeeac715c18 100644
---- a/drivers/net/tap.c
-+++ b/drivers/net/tap.c
-@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
- 	struct sk_buff *skb;
- 	int err, depth;
- 
-+	if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
-+		err = -EINVAL;
-+		goto err;
-+	}
-+
- 	if (q->flags & IFF_VNET_HDR)
- 		vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
- 

debian/patches/pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Ebner <c.ebner@proxmox.com>
+Date: Wed, 2 Oct 2024 15:24:31 +0200
+Subject: [PATCH] netfs: reset subreq iov iter before tail clean
+
+Make sure the iter is at the correct location when cleaning up tail
+bytes for incomplete read subrequests.
+
+Fixes: 92b6cc5d ("netfs: Add iov_iters to (sub)requests to describe various buffers")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219237
+
+Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
+---
+ fs/netfs/io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/netfs/io.c b/fs/netfs/io.c
+index 4261ad6c55b6..27c9e441d21e 100644
+--- a/fs/netfs/io.c
++++ b/fs/netfs/io.c
+@@ -516,6 +516,7 @@ void netfs_subreq_terminated(struct netfs_io_subrequest *subreq,
+ 
+ incomplete:
+ 	if (test_bit(NETFS_SREQ_CLEAR_TAIL, &subreq->flags)) {
++		netfs_reset_subreq_iter(rreq, subreq);
+ 		netfs_clear_unread(subreq);
+ 		subreq->transferred = subreq->len;
+ 		goto complete;

debian/patches/pve/0018-tun-add-missing-verification-for-short-frame.patch

@@ -1,51 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dongli Zhang <dongli.zhang@oracle.com>
-Date: Wed, 24 Jul 2024 10:04:52 -0700
-Subject: [PATCH] tun: add missing verification for short frame
-
-The cited commit missed to check against the validity of the frame length
-in the tun_xdp_one() path, which could cause a corrupted skb to be sent
-downstack. Even before the skb is transmitted, the
-tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
-can be less than ETH_HLEN. Once transmitted, this could either cause
-out-of-bound access beyond the actual length, or confuse the underlayer
-with incorrect or inconsistent header length in the skb metadata.
-
-In the alternative path, tun_get_user() already prohibits short frame which
-has the length less than Ethernet header size from being transmitted for
-IFF_TAP.
-
-This is to drop any frame shorter than the Ethernet header size just like
-how tun_get_user() does.
-
-CVE: CVE-2024-41091
-Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
-Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
-Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
-Reviewed-by: Willem de Bruijn <willemb@google.com>
-Reviewed-by: Paolo Abeni <pabeni@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-(cherry picked from commit 049584807f1d797fc3078b68035450a9769eb5c3)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- drivers/net/tun.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 86515f0c2b6c..e9cd3b810e2c 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun,
- 	bool skb_xdp = false;
- 	struct page *page;
- 
-+	if (unlikely(datasize < ETH_HLEN))
-+		return -EINVAL;
-+
- 	xdp_prog = rcu_dereference(tun->xdp_prog);
- 	if (xdp_prog) {
- 		if (gso->gso_type) {

debian/patches/pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Tue, 5 Nov 2024 10:02:34 -0600
+Subject: [PATCH] x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
+
+A number of Zen4 client SoCs advertise the ability to use virtualized
+VMLOAD/VMSAVE, but using these instructions is reported to be a cause
+of a random host reboot.
+
+These instructions aren't intended to be advertised on Zen4 client
+so clear the capability.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219009
+(cherry picked from commit a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ arch/x86/kernel/cpu/amd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 1e0fe5f8ab84..ee87f997d31f 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -924,6 +924,17 @@ static void init_amd_zen4(struct cpuinfo_x86 *c)
+ {
+ 	if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
+ 		msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
++
++	/*
++	 * These Zen4 SoCs advertise support for virtualized VMLOAD/VMSAVE
++	 * in some BIOS versions but they can lead to random host reboots.
++	 */
++	switch (c->x86_model) {
++	case 0x18 ... 0x1f:
++	case 0x60 ... 0x7f:
++		clear_cpu_cap(c, X86_FEATURE_V_VMSAVE_VMLOAD);
++		break;
++	}
+ }
+ 
+ static void init_amd_zen5(struct cpuinfo_x86 *c)

debian/patches/series.linux

@@ -10,11 +10,10 @@ pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
 pve/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
 pve/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
 pve/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
-pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
-pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch
-pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
-pve/0016-SUNRPC-Fix-backchannel-reply-again.patch
-pve/0017-tap-add-missing-verification-for-short-frame.patch
-pve/0018-tun-add-missing-verification-for-short-frame.patch
-pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch
-pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
+pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
+pve/0014-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
+pve/0015-apparmor-fix-possible-NULL-pointer-dereference.patch
+pve/0016-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
+pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch
+pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch
+pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch