diff --git a/debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch b/debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
index bb8a4c9..a29f003 100644
--- a/debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
+++ b/debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
@@ -11,7 +11,7 @@ Signed-off-by: Thomas Lamprecht
 1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index c4c6240d14f9..5e037a9ea6a6 100644
+index 31ff09cc5737..9e8cdd7298d3 100644
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
 @@ -234,6 +234,7 @@ static int dmar_map_gfx = 1;
diff --git a/debian/patches/pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch b/debian/patches/pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
similarity index 98%
rename from debian/patches/pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch
rename to debian/patches/pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
index 495dd71..e7f0832 100644
--- a/debian/patches/pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch
+++ b/debian/patches/pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
@@ -47,7 +47,7 @@ Signed-off-by: Fiona Ebner
 1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
-index af5c476db6e6..8aee0f520300 100644
+index 438d68d681b1..dc5165b16956 100644
 --- a/fs/smb/client/file.c
 +++ b/fs/smb/client/file.c
 @@ -2845,17 +2845,21 @@ static ssize_t cifs_write_back_from_locked_folio(struct address_space *mapping,
diff --git a/debian/patches/pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch b/debian/patches/pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
deleted file mode 100644
index e3e7018..0000000
--- a/debian/patches/pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)"
-Date: Sun, 24 Mar 2024 20:51:35 +0100
-Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
-
-Disable XSAVES only on machines which haven't loaded the microcode
-revision containing the erratum fix.
-
-This will come in handy when running archaic OSes as guests. OSes whose
-brilliant programmers thought that CPUID is overrated and one should not
-query it but use features directly, ala shoot first, ask questions
-later... but only if you're alive after the shooting.
-
-Signed-off-by: Borislav Petkov (AMD)
-Tested-by: "Maciej S. Szmigiero"
-Cc: Boris Ostrovsky
-Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
----
- arch/x86/include/asm/cpu_device_id.h | 8 ++++++++
- arch/x86/kernel/cpu/amd.c | 12 ++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
-index e8e3dbe7f173..b6325ee30871 100644
---- a/arch/x86/include/asm/cpu_device_id.h
-+++ b/arch/x86/include/asm/cpu_device_id.h
-@@ -288,6 +288,14 @@ struct x86_cpu_desc {
- .x86_microcode_rev = (revision), \
- }
-
-+#define AMD_CPU_DESC(fam, model, stepping, revision) { \
-+ .x86_family = (fam), \
-+ .x86_vendor = X86_VENDOR_AMD, \
-+ .x86_model = (model), \
-+ .x86_stepping = (stepping), \
-+ .x86_microcode_rev = (revision), \
-+}
-+
- extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
- extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
-
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 0838ea579eb0..ca6096dcc5c6 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -13,6 +13,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -925,6 +926,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
- clear_rdrand_cpuid_bit(c);
- }
-
-+static const struct x86_cpu_desc erratum_1386_microcode[] = {
-+ AMD_CPU_DESC(0x17, 0x1, 0x2, 0x0800126e),
-+ AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
-+};
-+
- static void fix_erratum_1386(struct cpuinfo_x86 *c)
- {
- /*
-@@ -934,7 +940,13 @@ static void fix_erratum_1386(struct cpuinfo_x86 *c)
- *
- * Affected parts all have no supervisor XSAVE states, meaning that
- * the XSAVEC instruction (which works fine) is equivalent.
-+ *
-+ * Clear the feature flag only on microcode revisions which
-+ * don't have the fix.
- */
-+ if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
-+ return;
-+
- clear_cpu_cap(c, X86_FEATURE_XSAVES);
- }
-
diff --git a/debian/patches/pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch b/debian/patches/pve/0014-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
similarity index 100%
rename from debian/patches/pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
rename to debian/patches/pve/0014-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
diff --git a/debian/patches/pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch b/debian/patches/pve/0015-apparmor-fix-possible-NULL-pointer-dereference.patch
similarity index 100%
rename from debian/patches/pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch
rename to debian/patches/pve/0015-apparmor-fix-possible-NULL-pointer-dereference.patch
diff --git a/debian/patches/pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch b/debian/patches/pve/0016-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
similarity index 100%
rename from debian/patches/pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
rename to debian/patches/pve/0016-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
diff --git a/debian/patches/pve/0016-SUNRPC-Fix-backchannel-reply-again.patch b/debian/patches/pve/0016-SUNRPC-Fix-backchannel-reply-again.patch
deleted file mode 100644
index 8b3242e..0000000
--- a/debian/patches/pve/0016-SUNRPC-Fix-backchannel-reply-again.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chuck Lever
-Date: Wed, 19 Jun 2024 09:51:08 -0400
-Subject: [PATCH] SUNRPC: Fix backchannel reply, again
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 6ddc9deacc1312762c2edd9de00ce76b00f69f7c ]
-
-I still see "RPC: Could not send backchannel reply error: -110"
-quite often, along with slow-running tests. Debugging shows that the
-backchannel is still stumbling when it has to queue a callback reply
-on a busy transport.
-
-Note that every one of these timeouts causes a connection loss by
-virtue of the xprt_conditional_disconnect() call in that arm of
-call_cb_transmit_status().
-
-I found that setting to_maxval is necessary to get the RPC timeout
-logic to behave whenever to_exponential is not set.
-
-Fixes: 57331a59ac0d ("NFSv4.1: Use the nfs_client's rpc timeouts for backchannel")
-Signed-off-by: Chuck Lever
-Reviewed-by: Benjamin Coddington
-Signed-off-by: Trond Myklebust
-Signed-off-by: Sasha Levin
-(cherry picked from commit bd1e42e0f2567c911d3df761cf7a33b021fdceeb)
-Signed-off-by: Fabian Grünbichler
----
- net/sunrpc/svc.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
-index bd61e257cda6..bac1886f07da 100644
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -1546,9 +1546,11 @@ void svc_process(struct svc_rqst *rqstp)
- */
- void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
- {
-+ struct rpc_timeout timeout = {
-+ .to_increment = 0,
-+ };
- struct rpc_task *task;
- int proc_error;
-- struct rpc_timeout timeout;
-
- /* Build the svc_rqst used by the common processing routine */
- rqstp->rq_xid = req->rq_xid;
-@@ -1601,6 +1603,7 @@ void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
- timeout.to_initval = req->rq_xprt->timeout->to_initval;
- timeout.to_retries = req->rq_xprt->timeout->to_retries;
- }
-+ timeout.to_maxval = timeout.to_initval;
- memcpy(&req->rq_snd_buf, &rqstp->rq_res, sizeof(req->rq_snd_buf));
- task = rpc_run_bc_task(req, &timeout);
-
diff --git a/debian/patches/pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch b/debian/patches/pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch
new file mode 100644
index 0000000..7187c94
--- /dev/null
+++ b/debian/patches/pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 10 Sep 2024 08:30:57 -0600
+Subject: [PATCH] io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
+
+Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for
+an IOCB_NOWAIT read/write attempt. While this can be argued to be
+correct, the usual return value for something that requires blocking
+issue is -EAGAIN.
+
+A refactoring io_uring commit dropped calling kiocb_done() for
+negative return values, which is otherwise where we already do that
+transformation. To ensure we catch it in both spots, check it in
+__io_read() itself as well.
+
+Reported-by: Robert Sander
+Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440
+Cc: stable@vger.kernel.org
+Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper")
+Signed-off-by: Jens Axboe
+(cherry picked from commit c0a9d496e0fece67db777bd48550376cf2960c47)
+Signed-off-by: Daniel Kral
+---
+ io_uring/rw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/io_uring/rw.c b/io_uring/rw.c
+index c3c154790e45..ed7f67097572 100644
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -825,6 +825,14 @@ static int __io_read(struct io_kiocb *req, unsigned int issue_flags)
+
+ ret = io_iter_do_read(rw, &s->iter);
+
++ /*
++ * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
++ * issue, even though they should be returning -EAGAIN. To be safe,
++ * retry from blocking context for either.
++ */
++ if (ret == -EOPNOTSUPP && force_nonblock)
++ ret = -EAGAIN;
++
+ if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
+ req->flags &= ~REQ_F_REISSUE;
+ /*
diff --git a/debian/patches/pve/0017-tap-add-missing-verification-for-short-frame.patch b/debian/patches/pve/0017-tap-add-missing-verification-for-short-frame.patch
deleted file mode 100644
index 7607163..0000000
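Review bot: The comment added in `__io_read()` (new patch 0017) says both errors are retried from blocking context but does not say what becomes of a genuine -EOPNOTSUPP, which a maintainer needs to know to be sure the errno is not masked. Because the rewrite is gated on `force_nonblock`, the blocking reissue should hand the filesystem's error back unchanged; I would add a line such as `* A real -EOPNOTSUPP is still returned after the blocking retry.` to the comment. The patch description speaks of read/write attempts while this hunk touches only the read helper, so it is worth confirming that the write path already carries the same translation. That code, like the rest of `__io_read()`, lies outside the hunk.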
--- a/debian/patches/pve/0017-tap-add-missing-verification-for-short-frame.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Si-Wei Liu
-Date: Wed, 24 Jul 2024 10:04:51 -0700
-Subject: [PATCH] tap: add missing verification for short frame
-
-The cited commit missed to check against the validity of the frame length
-in the tap_get_user_xdp() path, which could cause a corrupted skb to be
-sent downstack. Even before the skb is transmitted, the
-tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
-than ETH_HLEN. Once transmitted, this could either cause out-of-bound
-access beyond the actual length, or confuse the underlayer with incorrect
-or inconsistent header length in the skb metadata.
-
-In the alternative path, tap_get_user() already prohibits short frame which
-has the length less than Ethernet header size from being transmitted.
-
-This is to drop any frame shorter than the Ethernet header size just like
-how tap_get_user() does.
-
-CVE: CVE-2024-41090
-Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
-Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Si-Wei Liu
-Signed-off-by: Dongli Zhang
-Reviewed-by: Willem de Bruijn
-Reviewed-by: Paolo Abeni
-Reviewed-by: Jason Wang
-Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
-Signed-off-by: Jakub Kicinski
-(cherry picked from commit ed7f2afdd0e043a397677e597ced0830b83ba0b3)
-Signed-off-by: Fiona Ebner
----
- drivers/net/tap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/net/tap.c b/drivers/net/tap.c
-index 9f0495e8df4d..feeeac715c18 100644
---- a/drivers/net/tap.c
-+++ b/drivers/net/tap.c
-@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
- struct sk_buff *skb;
- int err, depth;
-
-+ if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
-+ err = -EINVAL;
-+ goto err;
-+ }
-+
- if (q->flags & IFF_VNET_HDR)
- vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
-
diff --git a/debian/patches/pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch b/debian/patches/pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch
new file mode 100644
index 0000000..75270d8
--- /dev/null
+++ b/debian/patches/pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christian Ebner
+Date: Wed, 2 Oct 2024 15:24:31 +0200
+Subject: [PATCH] netfs: reset subreq iov iter before tail clean
+
+Make sure the iter is at the correct location when cleaning up tail
+bytes for incomplete read subrequests.
+
+Fixes: 92b6cc5d ("netfs: Add iov_iters to (sub)requests to describe various buffers")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219237
+
+Signed-off-by: Christian Ebner
+---
+ fs/netfs/io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/netfs/io.c b/fs/netfs/io.c
+index 4261ad6c55b6..27c9e441d21e 100644
+--- a/fs/netfs/io.c
++++ b/fs/netfs/io.c
+@@ -516,6 +516,7 @@ void netfs_subreq_terminated(struct netfs_io_subrequest *subreq,
+
+ incomplete:
+ if (test_bit(NETFS_SREQ_CLEAR_TAIL, &subreq->flags)) {
++ netfs_reset_subreq_iter(rreq, subreq);
+ netfs_clear_unread(subreq);
+ subreq->transferred = subreq->len;
+ goto complete;
diff --git a/debian/patches/pve/0018-tun-add-missing-verification-for-short-frame.patch b/debian/patches/pve/0018-tun-add-missing-verification-for-short-frame.patch
deleted file mode 100644
index 4b07b09..0000000
--- a/debian/patches/pve/0018-tun-add-missing-verification-for-short-frame.patch
+++ /dev/null
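Review bot: The new `netfs_reset_subreq_iter(rreq, subreq)` call in the `incomplete:` branch of `netfs_subreq_terminated()` (new patch 0018) has no comment, and the patch description does not say what goes wrong without it. If `netfs_clear_unread()` clears through the subrequest's iterator, as the subject suggests, a stale iterator position would clear the wrong range and leave incorrect data in the page cache; that makes this a data-integrity fix and is worth recording, for instance with `/* reposition the iter at the first unread byte before clearing the tail */`. Unlike the other patches added in this commit it carries no upstream commit reference, and its Fixes: tag uses an 8-character hash where kernel convention is at least 12, which will make it harder to tell when the patch can be dropped. `rreq` and the rest of the function are outside the hunk.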
@@ -1,51 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dongli Zhang
-Date: Wed, 24 Jul 2024 10:04:52 -0700
-Subject: [PATCH] tun: add missing verification for short frame
-
-The cited commit missed to check against the validity of the frame length
-in the tun_xdp_one() path, which could cause a corrupted skb to be sent
-downstack. Even before the skb is transmitted, the
-tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
-can be less than ETH_HLEN. Once transmitted, this could either cause
-out-of-bound access beyond the actual length, or confuse the underlayer
-with incorrect or inconsistent header length in the skb metadata.
-
-In the alternative path, tun_get_user() already prohibits short frame which
-has the length less than Ethernet header size from being transmitted for
-IFF_TAP.
-
-This is to drop any frame shorter than the Ethernet header size just like
-how tun_get_user() does.
-
-CVE: CVE-2024-41091
-Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
-Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Dongli Zhang
-Reviewed-by: Si-Wei Liu
-Reviewed-by: Willem de Bruijn
-Reviewed-by: Paolo Abeni
-Reviewed-by: Jason Wang
-Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
-Signed-off-by: Jakub Kicinski
-(cherry picked from commit 049584807f1d797fc3078b68035450a9769eb5c3)
-Signed-off-by: Fiona Ebner
----
- drivers/net/tun.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 86515f0c2b6c..e9cd3b810e2c 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun,
- bool skb_xdp = false;
- struct page *page;
-
-+ if (unlikely(datasize < ETH_HLEN))
-+ return -EINVAL;
-+
- xdp_prog = rcu_dereference(tun->xdp_prog);
- if (xdp_prog) {
- if (gso->gso_type) {
diff --git a/debian/patches/pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch b/debian/patches/pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch
new file mode 100644
index 0000000..76957b6
--- /dev/null
+++ b/debian/patches/pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Tue, 5 Nov 2024 10:02:34 -0600
+Subject: [PATCH] x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
+
+A number of Zen4 client SoCs advertise the ability to use virtualized
+VMLOAD/VMSAVE, but using these instructions is reported to be a cause
+of a random host reboot.
+
+These instructions aren't intended to be advertised on Zen4 client
+so clear the capability.
+
+Signed-off-by: Mario Limonciello
+Signed-off-by: Borislav Petkov (AMD)
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219009
+(cherry picked from commit a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0)
+Signed-off-by: Fiona Ebner
+---
+ arch/x86/kernel/cpu/amd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 1e0fe5f8ab84..ee87f997d31f 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -924,6 +924,17 @@ static void init_amd_zen4(struct cpuinfo_x86 *c)
+ {
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
++
++ /*
++ * These Zen4 SoCs advertise support for virtualized VMLOAD/VMSAVE
++ * in some BIOS versions but they can lead to random host reboots.
++ */
++ switch (c->x86_model) {
++ case 0x18 ... 0x1f:
++ case 0x60 ... 0x7f:
++ clear_cpu_cap(c, X86_FEATURE_V_VMSAVE_VMLOAD);
++ break;
++ }
+ }
+
+ static void init_amd_zen5(struct cpuinfo_x86 *c)
diff --git a/debian/patches/series.linux b/debian/patches/series.linux
index ab2cdaa..889c1f6 100644
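Review bot: The model ranges in the new `switch (c->x86_model)` in `init_amd_zen4()` (new patch 0019) are bare numbers, and the comment above them says only "These Zen4 SoCs", so a reader cannot tell which parts `0x18 ... 0x1f` and `0x60 ... 0x7f` are meant to cover or check a new client model against the list. I would have the comment name the affected parts and point at the bug report given in the patch description. Since the symptom is a host reboot, it is worth verifying on a virtualization host that the quirk took effect after the update: assuming KVM derives its `vls` setting from this capability, `/sys/module/kvm_amd/parameters/vls` should read as disabled on affected machines. The switch has no `default:` arm, which leaves it implicit that all other models are deliberately untouched.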
--- a/debian/patches/series.linux
+++ b/debian/patches/series.linux
@@ -10,11 +10,10 @@ pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
 pve/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
 pve/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
 pve/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
-pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
-pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch
-pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
-pve/0016-SUNRPC-Fix-backchannel-reply-again.patch
-pve/0017-tap-add-missing-verification-for-short-frame.patch
-pve/0018-tun-add-missing-verification-for-short-frame.patch
-pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch
-pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
+pve/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
+pve/0014-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
+pve/0015-apparmor-fix-possible-NULL-pointer-dereference.patch
+pve/0016-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch
+pve/0017-io_uring-rw-treat-EOPNOTSUPP-for-IOCB_NOWAIT-like-EA.patch
+pve/0018-netfs-reset-subreq-iov-iter-before-tail-clean.patch
+pve/0019-x86-CPU-AMD-Clear-virtualized-VMLOAD-VMSAVE-on-Zen4-.patch