Home Home > GIT Browse > SLE11-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Hocko <mhocko@suse.com>2019-01-14 15:20:08 +0100
committerMichal Hocko <mhocko@suse.com>2019-01-14 15:20:08 +0100
commitf54718e149238936ebb16603e0077f76d25fa95e (patch)
treea07e0039b42d2cc86a2f4388a8e9234161eac2ac
parent86167c0df43fd8784be30732b31cdc82b30f3dd9 (diff)
parent73b456c0ab0ec6a93432fae0b1825cd7fb298c5e (diff)
Merge remote-tracking branch 'origin/users/jbeulich/SLE11-SP4/for-next' into users/mhocko/SLE11-SP4/for-next
-rw-r--r--patches.suse/0001-efivarfs-maintain-the-efivarfs-interfaces-when-sysfs.patch2
-rw-r--r--patches.xen/xen-blkfront-build-upstream5
-rw-r--r--patches.xen/xen3-0001-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch (renamed from patches.xen/xen3-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch)15
-rw-r--r--patches.xen/xen3-0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch (renamed from patches.xen/xen3-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch)10
-rw-r--r--patches.xen/xen3-0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch (renamed from patches.xen/xen3-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch)21
-rw-r--r--patches.xen/xen3-0005-x86-process-re-export-start_thread37
-rw-r--r--patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch10
-rw-r--r--patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch48
-rw-r--r--patches.xen/xen3-09-x86-mm-set-ibpb-upon-context-switch.patch32
-rw-r--r--patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch19
-rw-r--r--patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch2
-rw-r--r--patches.xen/xen3-patch-2.6.2733
-rw-r--r--patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch19
-rw-r--r--patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch4
-rw-r--r--patches.xen/xen3-x86-mm-Simplify-p-g4um-d_page-macros.patch9
-rw-r--r--patches.xen/xen3-x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y58
-rw-r--r--patches.xen/xen3-x86-non-upstream-eager-fpu-extmods.patch32
-rw-r--r--patches.xen/xen3-x86-non-upstream-eager-fpu.patch7
-rw-r--r--patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch12
-rw-r--r--patches.xen/xen3-x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch23
-rw-r--r--rpm/modprobe-xen.conf4
-rw-r--r--series.conf17
22 files changed, 332 insertions, 87 deletions
diff --git a/patches.suse/0001-efivarfs-maintain-the-efivarfs-interfaces-when-sysfs.patch b/patches.suse/0001-efivarfs-maintain-the-efivarfs-interfaces-when-sysfs.patch
index 8d6afbee0b..98d343f79e 100644
--- a/patches.suse/0001-efivarfs-maintain-the-efivarfs-interfaces-when-sysfs.patch
+++ b/patches.suse/0001-efivarfs-maintain-the-efivarfs-interfaces-when-sysfs.patch
@@ -87,7 +87,7 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+ struct efivars *efivars = &__efivars;
+ unsigned long strsize1, strsize2;
+ struct efivar_entry *entry, *n;
-+ int len, i, err, found = 0;
++ int len, i, err = -ENOMEM, found = 0;
+ struct inode *inode = NULL;
+ unsigned long size = 0;
+ char *name;
diff --git a/patches.xen/xen-blkfront-build-upstream b/patches.xen/xen-blkfront-build-upstream
index 3284c5629b..c2cf819326 100644
--- a/patches.xen/xen-blkfront-build-upstream
+++ b/patches.xen/xen-blkfront-build-upstream
@@ -81,6 +81,11 @@ References: bsc#961658 fate#320200
#define BLK_RING_SIZE __CONST_RING_SIZE(blkif, PAGE_SIZE)
+@@ -2149,4 +2179,3 @@ MODULE_DESCRIPTION("Xen virtual block de
+ MODULE_LICENSE("GPL");
+ MODULE_ALIAS_BLOCKDEV_MAJOR(XENVBD_MAJOR);
+ MODULE_ALIAS("xen:vbd");
+-MODULE_ALIAS("xenblk");
--- a/include/xen/xen.h
+++ b/include/xen/xen.h
@@ -11,6 +11,8 @@ enum xen_domain_type {
diff --git a/patches.xen/xen3-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch b/patches.xen/xen3-0001-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
index 187758bd33..01153b3348 100644
--- a/patches.xen/xen3-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+++ b/patches.xen/xen3-0001-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -1,6 +1,6 @@
From: Michal Hocko <mhocko@suse.com>
-Subject: kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
-Patch-mainline: no, suse specific
+Subject: xen: kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1105536
hide new x86_cache_bits from the kabi checker. Nobody should be touching
@@ -8,18 +8,19 @@ this part of the structure.
Signed-off-by: Michal Hocko <mhocko@suse.com>
----
- arch/x86/include/mach-xen/asm/processor.h | 2 ++
- 1 file changed, 2 insertions(+)
+Automatically created from "patches.kabi/0001-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/processor.h
+++ b/arch/x86/include/mach-xen/asm/processor.h
-@@ -124,8 +124,10 @@ struct cpuinfo_x86 {
+@@ -124,11 +124,13 @@ struct cpuinfo_x86 {
#ifndef CONFIG_XEN
u32 microcode;
#endif
+#ifndef __GENKSYMS__
- /* Address space bits used by the cache internally */
+ /*
+ * Address space bits used by the cache internally
+ * NOTE: only to be used for l1tf mitigation
+ */
u8 x86_cache_bits;
+#endif
} __attribute__((__aligned__(SMP_CACHE_BYTES)));
diff --git a/patches.xen/xen3-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch b/patches.xen/xen3-0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
index 5f0b44a5cc..2ca783c145 100644
--- a/patches.xen/xen3-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
+++ b/patches.xen/xen3-0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
@@ -1,10 +1,9 @@
From b0a182f875689647b014bc01d36b340217792852 Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Thu, 23 Aug 2018 15:44:18 +0200
-Subject: [PATCH] xen x86/speculation/l1tf: Fix off-by-one error when warning that
+Subject: [PATCH] xen/x86/speculation/l1tf: Fix off-by-one error when warning that
system has too much RAM
-Git-commit: b0a182f875689647b014bc01d36b340217792852
-Patch-mainline: 4.19-rc1
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1105536
Two users have reported [1] that they have an "extremely unlikely" system
@@ -41,12 +40,11 @@ Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180823134418.17008-1-vbabka@suse.cz
Acked-by: Michal Hocko <mhocko@suse.com>
----
- arch/x86/include/mach-xen/asm/processor.h | 2 +-
+Automatically created from "patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/processor.h
+++ b/arch/x86/include/mach-xen/asm/processor.h
-@@ -160,7 +160,7 @@ extern struct pt_regs *idle_regs(struct
+@@ -173,7 +173,7 @@ extern struct pt_regs *idle_regs(struct
static inline unsigned long long l1tf_pfn_limit(void)
{
diff --git a/patches.xen/xen3-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch b/patches.xen/xen3-0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
index 3c355c384c..88583fae89 100644
--- a/patches.xen/xen3-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+++ b/patches.xen/xen3-0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -1,9 +1,8 @@
From cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4 Mon Sep 17 00:00:00 2001
From: Andi Kleen <ak@linux.intel.com>
Date: Fri, 24 Aug 2018 10:03:50 -0700
-Subject: [PATCH] xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
-Git-commit: cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4
-Patch-mainline: 4.19-rc2
+Subject: [PATCH] xen/x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1105536
On Nehalem and newer core CPUs the CPU cache internally uses 44 bits
@@ -39,25 +38,23 @@ Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org
Acked-by: Michal Hocko <mhocko@suse.com>
----
- arch/x86/include/mach-xen/asm/processor.h | 4 ++-
-
----
- arch/x86/include/mach-xen/asm/processor.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
+Automatically created from "patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/processor.h
+++ b/arch/x86/include/mach-xen/asm/processor.h
-@@ -124,6 +124,8 @@ struct cpuinfo_x86 {
+@@ -124,6 +124,11 @@ struct cpuinfo_x86 {
#ifndef CONFIG_XEN
u32 microcode;
#endif
-+ /* Address space bits used by the cache internally */
++ /*
++ * Address space bits used by the cache internally
++ * NOTE: only to be used for l1tf mitigation
++ */
+ u8 x86_cache_bits;
} __attribute__((__aligned__(SMP_CACHE_BYTES)));
#define X86_VENDOR_INTEL 0
-@@ -173,7 +175,7 @@ extern struct pt_regs *idle_regs(struct
+@@ -173,7 +178,7 @@ extern struct pt_regs *idle_regs(struct
static inline unsigned long long l1tf_pfn_limit(void)
{
diff --git a/patches.xen/xen3-0005-x86-process-re-export-start_thread b/patches.xen/xen3-0005-x86-process-re-export-start_thread
new file mode 100644
index 0000000000..7d09e99b5c
--- /dev/null
+++ b/patches.xen/xen3-0005-x86-process-re-export-start_thread
@@ -0,0 +1,37 @@
+From: Rian Hunter <rian@alum.mit.edu>
+Date: Sun, 19 Aug 2018 16:08:53 -0700
+Subject: xen/x86/process: Re-export start_thread()
+Patch-mainline: Never, SUSE-Xen specific
+References: bsc#1110006
+
+The consolidation of the start_thread() functions removed the export
+unintentionally. This breaks binfmt handlers built as a module.
+
+Add it back.
+
+Fixes: e634d8fc792c ("x86-64: merge the standard and compat start_thread() functions")
+Signed-off-by: Rian Hunter <rian@alum.mit.edu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Dmitry Safonov <dima@arista.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180819230854.7275-1-rian@alum.mit.edu
+
+Acked-by: Joerg Roedel <jroedel@suse.de>
+Automatically created from "patches.arch/0005-x86-process-re-export-start_thread" by xen-port-patches.py
+
+--- a/arch/x86/kernel/process_64-xen.c
++++ b/arch/x86/kernel/process_64-xen.c
+@@ -355,6 +355,7 @@ start_thread(struct pt_regs *regs, unsig
+ start_thread_common(regs, new_ip, new_sp,
+ __USER_CS, __USER_DS, 0);
+ }
++EXPORT_SYMBOL_GPL(start_thread);
+
+ #ifdef CONFIG_IA32_EMULATION
+ void start_thread_ia32(struct pt_regs *regs, u32 new_ip, u32 new_sp)
diff --git a/patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch b/patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch
index 658649d819..854d675c03 100644
--- a/patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch
+++ b/patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch
@@ -41,16 +41,16 @@ Automatically created from "patches.suse/03-x86-entry-use-ibrs-on-entry-to-kerne
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
-@@ -309,6 +316,9 @@ ENTRY(ia32_syscall)
+@@ -307,6 +314,9 @@ ENTRY(ia32_syscall)
+ this could be a problem. */
+ SAVE_ARGS 0,0,1
GET_THREAD_INFO(%r10)
- orl $TS_COMPAT,TI_status(%r10)
- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+
+ ENABLE_IBRS
+
+ orl $TS_COMPAT,TI_status(%r10)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
jnz ia32_tracesys
- .Lia32_check_call:
- cmpl $IA32_NR_syscalls,%eax
--- a/arch/x86/kernel/entry_64-xen.S
+++ b/arch/x86/kernel/entry_64-xen.S
@@ -57,9 +57,9 @@
diff --git a/patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch b/patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch
new file mode 100644
index 0000000000..729675ad91
--- /dev/null
+++ b/patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch
@@ -0,0 +1,48 @@
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Thu, 11 Jan 2018 21:46:28 +0000
+Subject: xen/x86/retpoline/entry: Convert entry assembler indirect jumps -- ia32
+Patch-mainline: Never, SUSE-Xen specific
+References: bsc#1068032 CVE-2017-5715
+
+In this patch:
+patches.arch/08-x86-retpoline-entry-Convert-entry-assembler-indirect.patch
+we converted 32bit and 64bit entries to retpolines. But we completely
+omitted the ia32 emulation on 64bit. So fix this in this followup patch.
+
+Note: this code was converted to C in 4.4.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Automatically created from "patches.arch/08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch" by xen-port-patches.py
+
+--- a/arch/x86/ia32/ia32entry-xen.S
++++ b/arch/x86/ia32/ia32entry-xen.S
+@@ -15,6 +15,7 @@
+ #include <asm/irqflags.h>
+ #include <linux/linkage.h>
+ #include <asm/spec_ctrl.h>
++#include <asm/nospec-branch.h>
+
+ /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
+ #include <linux/elf-em.h>
+@@ -328,7 +329,12 @@ ia32_do_call:
+ andq %r10,%rax
+ IA32_ARG_FIXUP
+ .Lia32_dispatch:
++#ifdef CONFIG_RETPOLINE
++ mov ia32_sys_call_table(,%rax,8), %rax
++ call __x86_indirect_thunk_rax
++#else
+ call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
++#endif
+ ia32_sysret:
+ movq %rax,RAX-ARGOFFSET(%rsp)
+ CLEAR_RREGS -ARGOFFSET
+@@ -398,7 +404,7 @@ ENTRY(ia32_ptregs_common)
+ CFI_REL_OFFSET rsp,RSP-ARGOFFSET
+ /* CFI_REL_OFFSET ss,SS-ARGOFFSET*/
+ SAVE_REST
+- call *%rax
++ CALL_NOSPEC %rax
+ RESTORE_REST
+ jmp ia32_sysret /* misbalances the return cache */
+ CFI_ENDPROC
diff --git a/patches.xen/xen3-09-x86-mm-set-ibpb-upon-context-switch.patch b/patches.xen/xen3-09-x86-mm-set-ibpb-upon-context-switch.patch
new file mode 100644
index 0000000000..14240fcfd0
--- /dev/null
+++ b/patches.xen/xen3-09-x86-mm-set-ibpb-upon-context-switch.patch
@@ -0,0 +1,32 @@
+From: Tim Chen <tim.c.chen@linux.intel.com>
+Date: Sat, 16 Dec 2017 18:25:12 +0100
+Subject: xen/x86/mm: Set IBPB upon context switch
+Patch-mainline: Never, SUSE-Xen specific
+References: bsc#1068032
+
+Set IBPB on context switch when writing CR3.
+
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+[ Convert to do x86_ibp_barrier(). ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Automatically created from "patches.suse/09-x86-mm-set-ibpb-upon-context-switch.patch" by xen-port-patches.py
+
+--- a/arch/x86/mm/tlb-xen.c
++++ b/arch/x86/mm/tlb-xen.c
+@@ -10,6 +10,7 @@
+ #include <asm/tlbflush.h>
+ #include <asm/mmu_context.h>
+ #include <asm/cache.h>
++#include <asm/spec_ctrl.h>
+
+ void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ struct task_struct *tsk)
+@@ -31,6 +32,8 @@ void switch_mm_irqs_off(struct mm_struct
+ BUG_ON(!xen_feature(XENFEAT_writable_page_tables) &&
+ !PagePinned(virt_to_page(next->pgd)));
+
++ x86_ibp_barrier();
++
+ #if defined(CONFIG_SMP) && !defined(CONFIG_XEN) /* XEN: no lazy tlb */
+ percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
+ percpu_write(cpu_tlbstate.active_mm, next);
diff --git a/patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch b/patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch
index 335e860fd3..01b1ee4ad5 100644
--- a/patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch
+++ b/patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch
@@ -61,7 +61,7 @@ Automatically created from "patches.arch/14.1-x86-retpoline-fill-rsb-on-context-
#include <asm/hypervisor.h>
#include <linux/kernel.h>
-@@ -63,6 +64,19 @@ extern void show_regs_common(void);
+@@ -63,6 +64,22 @@ extern void show_regs_common(void);
#endif /* CC_STACKPROTECTOR */
/*
@@ -72,7 +72,10 @@ Automatically created from "patches.arch/14.1-x86-retpoline-fill-rsb-on-context-
+ * speculative execution to prevent attack.
+ */
+#ifdef CONFIG_RETPOLINE
-+#define __switch_fill_rsb __stringify(__FILL_RETURN_BUFFER(%%ebx, RSB_CLEAR_LOOPS, %%esp))
++#define __switch_fill_rsb \
++ ALTERNATIVE("jmp 10f\n\t" ASM_NOP3, ASM_NOP5, X86_FEATURE_RSB_CTXSW) \
++ __stringify(__FILL_RETURN_BUFFER(%%ebx,RSB_CLEAR_LOOPS,%%esp)) "\n\t" \
++ "10:\n"
+#else
+#define __switch_fill_rsb
+#endif
@@ -81,7 +84,7 @@ Automatically created from "patches.arch/14.1-x86-retpoline-fill-rsb-on-context-
* Saving eflags is important. It switches not only IOPL between tasks,
* it also protects other tasks from NT leaking through sysenter etc.
*/
-@@ -84,6 +98,7 @@ do { \
+@@ -84,6 +101,7 @@ do { \
"movl $1f,%[prev_ip]\n\t" /* save EIP */ \
"pushl %[next_ip]\n\t" /* restore EIP */ \
__switch_canary \
@@ -89,7 +92,7 @@ Automatically created from "patches.arch/14.1-x86-retpoline-fill-rsb-on-context-
"jmp __switch_to\n" /* regparm call */ \
"1:\t" \
"popl %%ebp\n\t" /* restore EBP */ \
-@@ -147,11 +162,25 @@ do { \
+@@ -147,11 +165,31 @@ do { \
#define THREAD_RETURN_SYM
#endif
@@ -99,9 +102,15 @@ Automatically created from "patches.arch/14.1-x86-retpoline-fill-rsb-on-context-
+ * with userspace addresses. On CPUs where those concerns
+ * exist, overwrite the RSB with entries which capture
+ * speculative execution to prevent attack.
++ *
++ * bp: use the old jmp labels and fix the padding so that
++ * the original insn is always >= replacement.
+ */
+#ifdef CONFIG_RETPOLINE
-+#define __switch_fill_rsb __stringify(__FILL_RETURN_BUFFER(%%rbx, RSB_CLEAR_LOOPS, %%rsp))
++#define __switch_fill_rsb \
++ ALTERNATIVE("jmp 1f\n\t" ASM_NOP3, ASM_NOP5, X86_FEATURE_RSB_CTXSW) \
++ __stringify(__FILL_RETURN_BUFFER(%%rbx,RSB_CLEAR_LOOPS,%%rsp)) "\n\t" \
++ "1:\n"
+#else
+#define __switch_fill_rsb
+#endif
diff --git a/patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch b/patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch
index 7c0ad374c0..caa1430623 100644
--- a/patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch
+++ b/patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch
@@ -14,7 +14,7 @@ bother even trying.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Automatically created from "extra/i387-use-restore_fpu_checking-directly-in-task-switc.patch" by xen-port-patches.py
+Automatically created from "patches.suse/i387-use-restore_fpu_checking-directly-in-task-switc.patch" by xen-port-patches.py
--- a/arch/x86/kernel/traps-xen.c
+++ b/arch/x86/kernel/traps-xen.c
diff --git a/patches.xen/xen3-patch-2.6.27 b/patches.xen/xen3-patch-2.6.27
index 80a3292215..671bcf299c 100644
--- a/patches.xen/xen3-patch-2.6.27
+++ b/patches.xen/xen3-patch-2.6.27
@@ -13,10 +13,11 @@ as they would get removed again by xen-clockevents (and really shouldn't
have been needed - see SLE11 SPn).
2.6.28/arch/x86/kernel/cpu/common_64-xen.c
+patches.arch/06-x86-cpu-merge-bugs-c-and-bugs_64-c.patch/arch/x86/kernel/cpu/bugs_64.c
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -737,7 +737,7 @@ config AMD_IOMMU
+@@ -752,7 +752,7 @@ config AMD_IOMMU
select SWIOTLB
select PCI_MSI
select PCI_IOV
@@ -25,7 +26,7 @@ have been needed - see SLE11 SPn).
---help---
With this option you can enable support for AMD IOMMU hardware in
your system. An IOMMU is a hardware component which provides
-@@ -1493,7 +1493,7 @@ config MTRR
+@@ -1508,7 +1508,7 @@ config MTRR
config MTRR_SANITIZER
def_bool y
prompt "MTRR cleanup support"
@@ -310,7 +311,7 @@ have been needed - see SLE11 SPn).
ia32_syscall_end:
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
-@@ -132,9 +132,11 @@ ifeq ($(CONFIG_X86_64),y)
+@@ -134,9 +134,11 @@ ifeq ($(CONFIG_X86_64),y)
obj-$(CONFIG_PCI_MMCONFIG) += mmconf-fam10h_64.o
obj-y += vsmp_64.o
@@ -327,7 +328,7 @@ have been needed - see SLE11 SPn).
+disabled-obj-$(CONFIG_XEN_UNPRIVILEGED_GUEST) += probe_roms_32.o
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
-@@ -1346,6 +1346,7 @@ static int __init dmi_disable_acpi(const
+@@ -1362,6 +1362,7 @@ static int __init dmi_disable_acpi(const
return 0;
}
@@ -335,7 +336,7 @@ have been needed - see SLE11 SPn).
/*
* Force ignoring BIOS IRQ0 override
*/
-@@ -1358,6 +1359,7 @@ static int __init dmi_ignore_irq0_timer_
+@@ -1374,6 +1375,7 @@ static int __init dmi_ignore_irq0_timer_
}
return 0;
}
@@ -343,7 +344,7 @@ have been needed - see SLE11 SPn).
static int __init force_acpi_rsdt(const struct dmi_system_id *d)
{
-@@ -1478,6 +1480,7 @@ static struct dmi_system_id __initdata a
+@@ -1494,6 +1496,7 @@ static struct dmi_system_id __initdata a
{}
};
@@ -351,7 +352,7 @@ have been needed - see SLE11 SPn).
/* second table for DMI checks that should run after early-quirks */
static struct dmi_system_id __initdata acpi_dmi_table_late[] = {
/*
-@@ -1532,6 +1535,7 @@ static struct dmi_system_id __initdata a
+@@ -1548,6 +1551,7 @@ static struct dmi_system_id __initdata a
},
{}
};
@@ -359,7 +360,7 @@ have been needed - see SLE11 SPn).
/*
* acpi_boot_table_init() and acpi_boot_init()
-@@ -1604,8 +1608,10 @@ int __init early_acpi_boot_init(void)
+@@ -1620,8 +1624,10 @@ int __init early_acpi_boot_init(void)
int __init acpi_boot_init(void)
{
@@ -399,7 +400,7 @@ have been needed - see SLE11 SPn).
static int modern_apic(void)
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
-@@ -624,6 +624,7 @@ static void __cpuinit init_amd(struct cp
+@@ -682,6 +682,7 @@ static void __cpuinit init_amd(struct cp
fam10h_check_enable_mmcfg();
}
@@ -407,7 +408,7 @@ have been needed - see SLE11 SPn).
if (c == &boot_cpu_data && c->x86 >= 0xf) {
unsigned long long tseg;
-@@ -643,6 +644,7 @@ static void __cpuinit init_amd(struct cp
+@@ -701,6 +702,7 @@ static void __cpuinit init_amd(struct cp
}
}
#endif
@@ -4272,7 +4273,7 @@ have been needed - see SLE11 SPn).
jmp syscall_exit
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
-@@ -1279,7 +1279,7 @@ ENTRY(arch_unwind_init_running)
+@@ -1376,7 +1376,7 @@ ENTRY(arch_unwind_init_running)
END(arch_unwind_init_running)
#endif
@@ -4281,7 +4282,7 @@ have been needed - see SLE11 SPn).
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
/*
-@@ -1379,7 +1379,7 @@ END(xen_failsafe_callback)
+@@ -1476,7 +1476,7 @@ END(xen_failsafe_callback)
apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
@@ -7515,7 +7516,7 @@ have been needed - see SLE11 SPn).
}
--- a/arch/x86/kernel/machine_kexec_32.c
+++ b/arch/x86/kernel/machine_kexec_32.c
-@@ -131,22 +131,11 @@ void machine_kexec_setup_load_arg(xen_ke
+@@ -135,22 +135,11 @@ void machine_kexec_setup_load_arg(xen_ke
xki->page_list[PA_PTE_0] = __ma(kexec_pte0);
xki->page_list[PA_PTE_1] = __ma(kexec_pte1);
@@ -15603,7 +15604,7 @@ have been needed - see SLE11 SPn).
}
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
-@@ -28,6 +28,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
+@@ -27,6 +27,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
obj-$(CONFIG_XEN) += hypervisor.o
@@ -19952,7 +19953,7 @@ have been needed - see SLE11 SPn).
--- a/arch/x86/vdso/Makefile
+++ b/arch/x86/vdso/Makefile
-@@ -78,9 +78,7 @@ obj-$(VDSO32-y) += vdso32-syms.lds
+@@ -79,9 +79,7 @@ obj-$(VDSO32-y) += vdso32-syms.lds
vdso32.so-$(VDSO32-y) += int80
vdso32.so-$(CONFIG_COMPAT) += syscall
vdso32.so-$(VDSO32-y) += sysenter
@@ -20465,7 +20466,7 @@ have been needed - see SLE11 SPn).
DPRINTK("pid received %p:%d\n",
info->pid_ns, info->pid);
}
-@@ -1764,7 +1765,8 @@ static int __init blkif_init(void)
+@@ -1763,7 +1764,8 @@ static int __init blkif_init(void)
* We only create the device when a request of a new device is
* made.
*/
diff --git a/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch b/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch
index 62bc4a69be..6e302dac4b 100644
--- a/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch
+++ b/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch
@@ -1,6 +1,6 @@
From: Michal Hocko <mhocko@suse.com>
-Subject: xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup
-Patch-mainline: never (suse specific)
+Subject: xen: x86, l1tf: Protect PROT_NONE PTEs against speculation fixup
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1104684, bnc#1104818
When backporting patches.arch/x86-l1tf-04-protect-PROT_NONE-ptes.patch I
@@ -16,9 +16,7 @@ state (bnc#1104818).
Signed-off-by: Michal Hocko <mhocko@suse.com>
----
- arch/x86/include/mach-xen/asm/pgtable.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+Automatically created from "patches.arch/x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/pgtable.h
+++ b/arch/x86/include/mach-xen/asm/pgtable.h
@@ -26,8 +24,17 @@ Signed-off-by: Michal Hocko <mhocko@suse.com>
{
phys_addr_t paddr = PFN_PHYS(page_nr);
paddr ^= protnone_mask(pgprot_val(pgprot));
-- paddr &= PMD_PAGE_MASK;
+- paddr &= PHYSICAL_PMD_PAGE_MASK;
+ paddr &= PTE_PFN_MASK;
return __pmd(paddr | massage_pgprot(pgprot));
}
+@@ -364,7 +364,7 @@ static inline pmd_t pmd_modify(pmd_t pmd
+
+ val &= _HPAGE_CHG_MASK;
+ val |= massage_pgprot(newprot) & ~_HPAGE_CHG_MASK;
+- val = flip_protnone_guard(oldval, val, PHYSICAL_PMD_PAGE_MASK);
++ val = flip_protnone_guard(oldval, val, PTE_PFN_MASK);
+ return __pmd(val);
+ }
+ #endif
diff --git a/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch b/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch
index a72f4b5fe2..bbbe370b8c 100644
--- a/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch
+++ b/patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch
@@ -136,7 +136,7 @@ Automatically created from "patches.arch/x86-l1tf-04-protect-PROT_NONE-ptes.patc
- massage_pgprot(pgprot));
+ phys_addr_t paddr = PFN_PHYS(page_nr);
+ paddr ^= protnone_mask(pgprot_val(pgprot));
-+ paddr &= PMD_PAGE_MASK;
++ paddr &= PHYSICAL_PMD_PAGE_MASK;
+ return __pmd(paddr | massage_pgprot(pgprot));
}
@@ -162,7 +162,7 @@ Automatically created from "patches.arch/x86-l1tf-04-protect-PROT_NONE-ptes.patc
val &= _HPAGE_CHG_MASK;
val |= massage_pgprot(newprot) & ~_HPAGE_CHG_MASK;
-
-+ val = flip_protnone_guard(oldval, val, PMD_PAGE_MASK);
++ val = flip_protnone_guard(oldval, val, PHYSICAL_PMD_PAGE_MASK);
return __pmd(val);
}
#endif
diff --git a/patches.xen/xen3-x86-mm-Simplify-p-g4um-d_page-macros.patch b/patches.xen/xen3-x86-mm-Simplify-p-g4um-d_page-macros.patch
index ee0d2bea84..dd9e0f4d00 100644
--- a/patches.xen/xen3-x86-mm-Simplify-p-g4um-d_page-macros.patch
+++ b/patches.xen/xen3-x86-mm-Simplify-p-g4um-d_page-macros.patch
@@ -1,12 +1,11 @@
From fd7e315988b784509ba3f1b42f539bd0b1fca9bb Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Mon, 17 Jul 2017 16:10:06 -0500
-Subject: [PATCH] x86/mm: Simplify p[g4um]d_page() macros
+Subject: [PATCH] x86/mm: Simplify p[g4um]xen: d_page() macros
Mime-version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit
-Git-commit: fd7e315988b784509ba3f1b42f539bd0b1fca9bb
-Patch-mainline: 4.14-rc1
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1087081, bnc#1104684
mhocko@suse.cz:
@@ -53,9 +52,7 @@ Link: http://lkml.kernel.org/r/e61eb533a6d0aac941db2723d8aa63ef6b882dee.15003192
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Michal Hocko <mhocko@suse.cz>
----
- arch/x86/include/mach-xen/asm/pgtable.h | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
+Automatically created from "patches.arch/x86-mm-Simplify-p-g4um-d_page-macros.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/pgtable.h
+++ b/arch/x86/include/mach-xen/asm/pgtable.h
diff --git a/patches.xen/xen3-x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y b/patches.xen/xen3-x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y
new file mode 100644
index 0000000000..b2e64db658
--- /dev/null
+++ b/patches.xen/xen3-x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y
@@ -0,0 +1,58 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Tue, 17 Apr 2018 15:27:16 +0200
+Subject: xen/x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y
+Patch-mainline: Never, SUSE-Xen specific
+References: bsc#1106105
+
+The walk_pte_level() function just uses __va to get the virtual address of
+the PTE page, but that breaks when the PTE page is not in the direct
+mapping with HIGHPTE=y.
+
+The result is an unhandled kernel paging request at some random address
+when accessing the current_kernel or current_user file.
+
+Use the correct API to access PTE pages.
+
+Fixes: fe770bf0310d ('x86: clean up the page table dumper and add 32-bit support')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: jgross@suse.com
+Cc: JBeulich@suse.com
+Cc: hpa@zytor.com
+Cc: aryabinin@virtuozzo.com
+Cc: kirill.shutemov@linux.intel.com
+Link: https://lkml.kernel.org/r/1523971636-4137-1-git-send-email-joro@8bytes.org
+Automatically created from "patches.arch/x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y" by xen-port-patches.py
+
+--- a/arch/x86/mm/dump_pagetables-xen.c
++++ b/arch/x86/mm/dump_pagetables-xen.c
+@@ -17,6 +17,7 @@
+ #include <linux/mm.h>
+ #include <linux/module.h>
+ #include <linux/seq_file.h>
++#include <linux/highmem.h>
+
+ #include <xen/interface/xen.h>
+
+@@ -250,15 +251,15 @@ static void walk_pte_level(struct seq_fi
+ unsigned long P)
+ {
+ int i;
+- pte_t *start;
++ pte_t *pte;
++ pgprot_t prot;
+
+- start = (pte_t *) pmd_page_vaddr(addr);
+ for (i = 0; i < PTRS_PER_PTE; i++) {
+- pgprot_t prot = pte_pgprot(*start);
+-
+ st->current_address = normalize_addr(P + i * PTE_LEVEL_MULT);
++ pte = pte_offset_map(&addr, st->current_address);
++ prot = pte_pgprot(*pte);
+ note_page(m, st, prot, 4);
+- start++;
++ pte_unmap(pte);
+ }
+ }
+
diff --git a/patches.xen/xen3-x86-non-upstream-eager-fpu-extmods.patch b/patches.xen/xen3-x86-non-upstream-eager-fpu-extmods.patch
new file mode 100644
index 0000000000..017df7fe78
--- /dev/null
+++ b/patches.xen/xen3-x86-non-upstream-eager-fpu-extmods.patch
@@ -0,0 +1,32 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: xen: x86-non-upstream-eager-fpu external modules fix
+Patch-mainline: Never, SUSE-Xen specific
+References: bnc#1087086 CVE-2018-3665 bnc#1100091 bnc#1099598
+
+This is a fix for:
+patches.suse/x86-non-upstream-eager-fpu.patch
+
+We silently broke kABI in that patch (kernel_fpu_begin/end are inlines)
+and customers started seeing crashes due to added BUG_ON in
+do_device_not_available. Fix this by soften it to a WARNING and do clts
+to recover.
+
+Note that the warning is printed in a ratelimit manner.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Automatically created from "patches.suse/x86-non-upstream-eager-fpu-extmods.patch" by xen-port-patches.py
+
+--- a/arch/x86/kernel/traps-xen.c
++++ b/arch/x86/kernel/traps-xen.c
+@@ -760,7 +760,10 @@ EXPORT_SYMBOL_GPL(math_state_restore);
+ dotraplinkage void __kprobes
+ do_device_not_available(struct pt_regs *regs, long error_code)
+ {
+- BUG_ON(use_eager_fpu());
++ if (use_eager_fpu()) {
++ WARN(printk_ratelimit(), "Perhaps a KMP which was not rebuilt against the kernel protected against CVE-2018-3665 was loaded. Your system might be vulnerable, please rebuild all external modules. Trying to recover...");
++ clts();
++ }
+ #ifdef CONFIG_MATH_EMULATION
+ if (read_cr0() & X86_CR0_EM) {
+ struct math_emu_info info = { };
diff --git a/patches.xen/xen3-x86-non-upstream-eager-fpu.patch b/patches.xen/xen3-x86-non-upstream-eager-fpu.patch
index 685534d0be..a256c75651 100644
--- a/patches.xen/xen3-x86-non-upstream-eager-fpu.patch
+++ b/patches.xen/xen3-x86-non-upstream-eager-fpu.patch
@@ -12,7 +12,7 @@ This is a mixture of upstream commits:
It is supposed to add the eager-fpu and make it the default.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Automatically created from "extra/x86-non-upstream-eager-fpu.patch" by xen-port-patches.py
+Automatically created from "patches.suse/x86-non-upstream-eager-fpu.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/i387.h
+++ b/arch/x86/include/mach-xen/asm/i387.h
@@ -169,7 +169,7 @@ Automatically created from "extra/x86-non-upstream-eager-fpu.patch" by xen-port-
void
--- a/arch/x86/kernel/traps-xen.c
+++ b/arch/x86/kernel/traps-xen.c
-@@ -743,11 +743,12 @@ void math_state_restore(void)
+@@ -743,21 +743,24 @@ void math_state_restore(void)
}
xen_thread_fpu_begin(tsk, NULL);
@@ -183,7 +183,6 @@ Automatically created from "extra/x86-non-upstream-eager-fpu.patch" by xen-port-
force_sig(SIGSEGV, tsk);
return;
}
-@@ -754,10 +755,12 @@ void math_state_restore(void)
tsk->fpu_counter++;
}
@@ -198,7 +197,7 @@ Automatically created from "extra/x86-non-upstream-eager-fpu.patch" by xen-port-
struct math_emu_info info = { };
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
-@@ -511,7 +511,11 @@ void __cpuinit eager_fpu_init(void)
+@@ -516,7 +516,11 @@ void __cpuinit eager_fpu_init(void)
* not yet patched to use math_state_restore().
*/
init_fpu(current);
diff --git a/patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch b/patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch
index 5b4ea1aedb..12eb38cdf4 100644
--- a/patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch
+++ b/patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch
@@ -1,11 +1,9 @@
From 9df9516940a61d29aedf4d91b483ca6597e7d480 Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Mon, 20 Aug 2018 11:58:35 +0200
-Subject: [PATCH] xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on
+Subject: [PATCH] xen/x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on
32bit
-Git-commit: 9df9516940a61d29aedf4d91b483ca6597e7d480
-Patch-mainline: not yet (in tip tree)
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: Never, SUSE-Xen specific
References: bnc#1087081
On 32bit PAE kernels on 64bit hardware with enough physical bits,
@@ -34,13 +32,11 @@ Cc: Michal Hocko <mhocko@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180820095835.5298-1-vbabka@suse.cz
----
- arch/x86/include/mach-xen/asm/processor.h | 4 ++--
- 3 files changed, 5 insertions(+), 3 deletions(-)
+Automatically created from "patches.arch/x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch" by xen-port-patches.py
--- a/arch/x86/include/mach-xen/asm/processor.h
+++ b/arch/x86/include/mach-xen/asm/processor.h
-@@ -166,9 +166,9 @@ extern void cpu_detect(struct cpuinfo_x8
+@@ -171,9 +171,9 @@ extern void cpu_detect(struct cpuinfo_x8
extern struct pt_regs *idle_regs(struct pt_regs *);
diff --git a/patches.xen/xen3-x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch b/patches.xen/xen3-x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
new file mode 100644
index 0000000000..91a49562de
--- /dev/null
+++ b/patches.xen/xen3-x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
@@ -0,0 +1,23 @@
+From 311cb57e0fd0b5be271c92f3be5ecfe9b132b66c Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Tue, 10 Jul 2018 13:00:27 +0200
+Subject: [PATCH] xen/x86/traps: add missing kernel CR3 switch in bad_iret path
+Patch-mainline: Never, SUSE-Xen specific
+References: bsc#1098658
+
+In error_bad_iret, we have user CR3 already but are about to execute kernel
+code again starting with fixup_bad_iret(). We need to switch to kernel CR3.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Automatically created from "patches.suse/x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch" by xen-port-patches.py
+
+--- a/arch/x86/kernel/entry_64-xen.S
++++ b/arch/x86/kernel/entry_64-xen.S
+@@ -1327,6 +1327,7 @@ bstep_iret:
+
+ error_bad_iret:
+ SWAPGS
++ SWITCH_KERNEL_CR3
+ mov %rsp,%rdi
+ call fixup_bad_iret
+ mov %rax,%rsp
diff --git a/rpm/modprobe-xen.conf b/rpm/modprobe-xen.conf
index 2ef70a64e7..e69def636e 100644
--- a/rpm/modprobe-xen.conf
+++ b/rpm/modprobe-xen.conf
@@ -9,7 +9,7 @@
# the appropriate section below is uncommented, and rebuild the initrd.
#
### Enable the traditional implementation of blkfront
-install xen-blkfront /sbin/modprobe xenblk
+install xen-blkfront /sbin/modprobe --ignore-install xenblk
#
### Enable the pvops-based implementation of blkfront
-#install xenblk /sbin/modprobe xen-blkfront
+#install xenblk /sbin/modprobe --ignore-install xen-blkfront
diff --git a/series.conf b/series.conf
index 6536117736..fe5f082991 100644
--- a/series.conf
+++ b/series.conf
@@ -26005,6 +26005,7 @@
patches.xen/xen3-x86-spectre_v1-Disable-compiler-optimizations-over-a.patch
patches.xen/xen3-i387-use-restore_fpu_checking-directly-in-task-switc.patch
patches.xen/xen3-x86-non-upstream-eager-fpu.patch
+ patches.xen/xen3-x86-non-upstream-eager-fpu-extmods.patch
patches.xen/xen3-x86-mcp51-no-dac
patches.xen/xen3-x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch
patches.xen/xen3-x86-mark_rodata_rw.patch
@@ -26016,6 +26017,7 @@
patches.xen/xen3-x86-add-check-for-number-of-available-vectors-before-cpu-down
patches.xen/xen3-x86-cpu-hotplug-fix-stack-frame-warning-in-check_irq_vectors_for_cpu_disable
patches.xen/xen3-x86-irq-check-for-valid-irq-descriptor-in-check_irq_vectors_for_cpu_disable
+ patches.xen/xen3-0005-x86-process-re-export-start_thread
patches.xen/xen3-x86-64-don-t-apply-destructive-erratum-workaround-on-unaffected-cpus
patches.xen/xen3-x86-mce-Cleanup-timer-mess.patch
patches.xen/xen3-0011-x86-efi-EFI-boot-stub-support.patch
@@ -26086,6 +26088,7 @@
patches.xen/xen3-0001-x86-mm-only-do-a-local-tlb-flush-in-ptep_set_access_.patch
patches.xen/xen3-0002-x86-mm-drop-TLB-flush-from-ptep_set_access_flags.patch
patches.xen/xen3-x86-cpu-fix-bootup-crashes-by-sanitizing-clearcpuid.patch
+ patches.xen/xen3-x86-mm-prevent-kernel-oops-in-ptdump-code-with-highpte-y
patches.xen/xen3-0001-x86-64-Give-vvars-their-own-page.patch
patches.xen/xen3-0001-x86-64-Map-the-HPET-NX.patch
patches.xen/xen3-kaiser-0009-x86-mm-sched-core-Uninline-switch_mm.patch
@@ -26101,15 +26104,18 @@
patches.kabi/xen3-kaiser-preserve-kabi.patch
patches.xen/xen3-03-x86-entry-use-ibrs-on-entry-to-kernel-space.patch
patches.xen/xen3-06-x86-idle-toggle-ibrs-when-going-idle.patch
+ patches.xen/xen3-09-x86-mm-set-ibpb-upon-context-switch.patch
patches.xen/xen3-20-x86-cpu-check-speculation-control-cpuid-bit.patch
patches.xen/xen3-32-x86-cpu-Factor-out-application-of-forced-CPU-caps.patch
patches.xen/xen3-33-x86-CPU-Sync-CPU-feature-flags-late.patch
patches.xen/xen3-05-x86-retpoline-Add-initial-retpoline-support.patch
patches.xen/xen3-07-x86-spectre-Add-boot-time-option-to-select-Spectre-v.patch
patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect.patch
+ patches.xen/xen3-08-x86-retpoline-entry-Convert-entry-assembler-indirect-ia32.patch
patches.xen/xen3-09-x86-retpoline-ftrace-Convert-ftrace-assembler-indire.patch
patches.xen/xen3-14.1-x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch
patches.xen/xen3-19-x86-retpoline-entry-convert-unwind-assembly-indirect.patch
+ patches.xen/xen3-x86-traps-add-missing-kernel-CR3-switch-in-bad_iret-.patch
patches.xen/xen3-0003-x86-entry-32-Use-trampoline-stack-for-kernel-entry.patch
patches.xen/xen3-0005-x86-mm-Move-KAISER-functions-from-pgtable_64.h-to-pg.patch
patches.xen/xen3-0006-x86-mm-Makse-sure-only-valid-bits-are-set-on-top-lev.patch
@@ -26125,18 +26131,17 @@
patches.xen/xen3-x86-l1tf-06-add-sysfs-report.patch
patches.xen/xen3-x86-l1tf-08-disallow-non-privileged-high-MMIO-PROT_NONE.patch
patches.xen/xen3-x86-l1tf-09-protect-PAE-swap-entries.patch
+ patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch
+ patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch
patches.xen/xen3-05-11-cpu-hotplug-provide-knobs-to-control-smt.patch
patches.xen/xen3-06-11-x86-cpu-remove-the-pointless-cpu-printout.patch
patches.xen/xen3-08-11-x86-cpu-common-provide-detect_ht_early.patch
patches.xen/xen3-09-11-x86-cpu-topology-provide-detect_extended_topology_early.patch
patches.xen/xen3-12-11-x86-cpu-amd-evaluate-smp_num_siblings-early.patch
patches.xen/xen3-0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
- patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes-fix.patch
-
- patches.xen/xen3-x86-speculation-l1tf-Fix-overflow-in-l1tf_pfn_limit-.patch
- patches.xen/xen3-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
- patches.xen/xen3-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
- patches.xen/xen3-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+ patches.xen/xen3-0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
+ patches.xen/xen3-0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+ patches.xen/xen3-0001-x86-kabi-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
# upstream block frontend backports
patches.xen/4e96ec2f-xen-blkfront-Handle-discard-requests.patch