Merge tag 'ASB-2021-03-05_4.14-q' into Grass-Unified

https://source.android.com/security/bulletin/2021-03-01
CVE-2021-0399

* tag 'ASB-2021-03-05_4.14-q':
  Linux 4.14.222
  kvm: check tlbs_dirty directly
  usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
  USB: Gadget Ethernet: Re-enable Jumbo frames.
  scsi: qla2xxx: Fix crash during driver load on big endian machines
  xen-blkback: fix error handling in xen_blkbk_map()
  xen-scsiback: don't "handle" error by BUG()
  xen-netback: don't "handle" error by BUG()
  xen-blkback: don't "handle" error by BUG()
  xen/arm: don't ignore return errors from set_phys_to_machine
  Xen/gntdev: correct error checking in gntdev_map_grant_pages()
  Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
  Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
  Xen/x86: don't bail early from clear_foreign_p2m_mapping()
  tracing: Avoid calling cc-option -mrecord-mcount for every Makefile
  tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-mcount
  trace: Use -mcount-record for dynamic ftrace
  x86/build: Disable CET instrumentation in the kernel for 32-bit too
  h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
  i2c: stm32f7: fix configuration of the digital filter
  vsock: fix locking in vsock_shutdown()
  vsock/virtio: update credit only if socket is not closed
  net: watchdog: hold device global xmit lock during tx disable
  net/vmw_vsock: improve locking in vsock_connect_timeout()
  usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
  usb: dwc3: ulpi: fix checkpatch warning
  netfilter: conntrack: skip identical origin tuple in same zone only
  xen/netback: avoid race in xenvif_rx_ring_slots_available()
  netfilter: xt_recent: Fix attempt to update deleted entry
  bpf: Check for integer overflow when using roundup_pow_of_two()
  memblock: do not start bottom-up allocations with kernel_end
  ARM: ensure the signal page contains defined contents
  ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
  ovl: skip getxattr of security labels
  cap: fix conversions on getxattr
  ovl: perform vfs_getxattr() with mounter creds
  platform/x86: hp-wmi: Disable tablet-mode reporting by default
  arm64: dts: rockchip: Fix PCIe DT properties on rk3399
  MIPS: BMIPS: Fix section mismatch warning
  arm/xen: Don't probe xenbus as part of an early initcall
  tracing: Check length before giving out the filter buffer
  tracing: Do not count ftrace events in top level enable output
  squashfs: add more sanity checks in xattr id lookup
  squashfs: add more sanity checks in inode lookup
  squashfs: add more sanity checks in id lookup
  memcg: fix a crash in wb_workfn when a device disappears
  include/trace/events/writeback.h: fix -Wstringop-truncation warnings
  lib/string: Add strscpy_pad() function
  SUNRPC: Handle 0 length opaque XDR object data properly
  SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
  iwlwifi: mvm: guard against device removal in reprobe
  iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
  iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
  pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process()
  af_key: relax availability checks for skb size calculation
  remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
  remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
  fgraph: Initialize tracing_graph_pause at task creation
  BACKPORT: bpf: add bpf_ktime_get_boot_ns()
  UPSTREAM: net: bpf: Make bpf_ktime_get_ns() available to non GPL programs
  Linux 4.14.221
  net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add
  iommu/vt-d: Do not use flush-queue when caching-mode is on
  Input: xpad - sync supported devices with fork on GitHub
  x86/apic: Add extra serialization for non-serializing MSRs
  x86/build: Disable CET instrumentation in the kernel
  mm: thp: fix MADV_REMOVE deadlock on shmem THP
  mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
  mm: hugetlb: fix a race between isolating and freeing page
  mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
  ARM: footbridge: fix dc21285 PCI configuration accessors
  nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
  mmc: core: Limit retries when analyse of SDIO tuples fails
  smb3: Fix out-of-bounds bug in SMB2_negotiate()
  cifs: report error instead of invalid when revalidating a dentry fails
  xhci: fix bounce buffer usage for non-sg list case
  kretprobe: Avoid re-registration of the same kretprobe earlier
  mac80211: fix station rate table updates on assoc
  ovl: fix dentry leak in ovl_get_redirect
  usb: dwc2: Fix endpoint direction check in ep_from_windex
  USB: usblp: don't call usb_set_interface if there's a single alt
  USB: gadget: legacy: fix an error code in eth_bind()
  ipv4: fix race condition between route lookup and invalidation
  elfcore: fix building with clang
  objtool: Support Clang non-section symbols in ORC generation
  net: lapb: Copy the skb before sending a packet
  arm64: dts: ls1046a: fix dcfg address range
  Input: i8042 - unbreak Pegatron C15B
  USB: serial: option: Adding support for Cinterion MV31
  USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
  USB: serial: cp210x: add pid/vid for WSDA-200-USB
  Linux 4.14.220
  kthread: Extract KTHREAD_IS_PER_CPU
  objtool: Don't fail on missing symbol table
  scsi: ibmvfc: Set default timeout to avoid crash during migration
  mac80211: fix fast-rx encryption check
  scsi: libfc: Avoid invoking response handler twice if ep is already completed
  scsi: scsi_transport_srp: Don't block target in failfast state
  x86: __always_inline __{rd,wr}msr()
  phy: cpcap-usb: Fix warning for missing regulator_disable
  driver core: Extend device_is_dependent()
  base: core: Remove WARN_ON from link dependencies check
  net_sched: gen_estimator: support large ewma log
  net_sched: reject silly cell_log in qdisc_get_rtab()
  ACPI: thermal: Do not call acpi_thermal_check() directly
  ibmvnic: Ensure that CRQ entry read are correctly ordered
  net: dsa: bcm_sf2: put device node before return
  Linux 4.14.219
  tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN
  team: protect features update by RCU to avoid deadlock
  NFC: fix possible resource leak
  NFC: fix resource leak when target index is invalid
  iommu/vt-d: Don't dereference iommu_device if IOMMU_API is not built
  iommu/vt-d: Gracefully handle DMAR units with no supported address widths
  x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80"
  x86/entry/64/compat: Preserve r8-r11 in int $0x80
  can: dev: prevent potential information leak in can_fill_info()
  mac80211: pause TX while changing interface type
  iwlwifi: pcie: reschedule in long-running memory reads
  iwlwifi: pcie: use jiffies for memory read spin time limit
  RDMA/cxgb4: Fix the reported max_recv_sge value
  xfrm: Fix oops in xfrm_replay_advance_bmp
  netfilter: nft_dynset: add timeout extension to template
  ARM: imx: build suspend-imx6.S with arm instruction set
  xen-blkfront: allow discard-* nodes to be optional
  mt7601u: fix rx buffer refcounting
  mt7601u: fix kernel crash unplugging the device
  leds: trigger: fix potential deadlock with libata
  xen: Fix XenStore initialisation for XS_LOCAL
  KVM: x86: get smi pending status correctly
  KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[]
  drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[]
  drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs
  net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family
  wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
  ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming
  ACPI: sysfs: Prefer "compatible" modalias
  nbd: freeze the queue while we're adding connections

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 4
 PATCHLEVEL = 14
-SUBLEVEL = 218
+SUBLEVEL = 222
 EXTRAVERSION =
 NAME = Petit Gorille
 
@@ -881,6 +881,13 @@ ifdef CONFIG_FUNCTION_TRACER
 ifndef CC_FLAGS_FTRACE
 CC_FLAGS_FTRACE := -pg
 endif
+ifdef CONFIG_FTRACE_MCOUNT_RECORD
+  # gcc 5 supports generating the mcount tables directly
+  ifeq ($(call cc-option-yn,-mrecord-mcount),y)
+    CC_FLAGS_FTRACE	+= -mrecord-mcount
+    export CC_USING_RECORD_MCOUNT := 1
+  endif
+endif
 export CC_FLAGS_FTRACE
 ifdef CONFIG_HAVE_FENTRY
 CC_USING_FENTRY	:= $(call cc-option, -mfentry -DCC_USING_FENTRY)
@@ -1038,12 +1045,6 @@ KBUILD_CFLAGS   += $(call cc-option,-Werror=designated-init)
 # change __FILE__ to the relative path from the srctree
 KBUILD_CFLAGS	+= $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
 
-# ensure -fcf-protection is disabled when using retpoline as it is
-# incompatible with -mindirect-branch=thunk-extern
-ifdef CONFIG_RETPOLINE
-KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
-endif
-
 # use the deterministic mode of AR if available
 KBUILD_ARFLAGS := $(call ar-option,D)
 

arch/arm/boot/dts/imx6qdl-gw52xx.dtsi

@@ -278,7 +278,7 @@
 
 			/* VDD_AUD_1P8: Audio codec */
 			reg_aud_1p8v: ldo3 {
-				regulator-name = "vdd1p8";
+				regulator-name = "vdd1p8a";
 				regulator-min-microvolt = <1800000>;
 				regulator-max-microvolt = <1800000>;
 				regulator-boot-on;

arch/arm/boot/dts/lpc32xx.dtsi

@@ -323,9 +323,6 @@
 
 					clocks = <&xtal_32k>, <&xtal>;
 					clock-names = "xtal_32k", "xtal";
-
-					assigned-clocks = <&clk LPC32XX_CLK_HCLK_PLL>;
-					assigned-clock-rates = <208000000>;
 				};
 			};
 

arch/arm/kernel/signal.c

@@ -667,18 +667,20 @@ struct page *get_signal_page(void)
 
 	addr = page_address(page);
 
+	/* Poison the entire page */
+	memset32(addr, __opcode_to_mem_arm(0xe7fddef1),
+		 PAGE_SIZE / sizeof(u32));
+
 	/* Give the signal return code some randomness */
 	offset = 0x200 + (get_random_int() & 0x7fc);
 	signal_return_offset = offset;
 
-	/*
-	 * Copy signal return handlers into the vector page, and
-	 * set sigreturn to be a pointer to these.
-	 */
+	/* Copy signal return handlers into the page */
 	memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
 
-	ptr = (unsigned long)addr + offset;
-	flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
+	/* Flush out all instructions in this page */
+	ptr = (unsigned long)addr;
+	flush_icache_range(ptr, ptr + PAGE_SIZE);
 
 	return page;
 }

arch/arm/mach-footbridge/dc21285.c

@@ -69,15 +69,15 @@ dc21285_read_config(struct pci_bus *bus, unsigned int devfn, int where,
 	if (addr)
 		switch (size) {
 		case 1:
-			asm("ldrb	%0, [%1, %2]"
+			asm volatile("ldrb	%0, [%1, %2]"
 				: "=r" (v) : "r" (addr), "r" (where) : "cc");
 			break;
 		case 2:
-			asm("ldrh	%0, [%1, %2]"
+			asm volatile("ldrh	%0, [%1, %2]"
 				: "=r" (v) : "r" (addr), "r" (where) : "cc");
 			break;
 		case 4:
-			asm("ldr	%0, [%1, %2]"
+			asm volatile("ldr	%0, [%1, %2]"
 				: "=r" (v) : "r" (addr), "r" (where) : "cc");
 			break;
 		}
@@ -103,17 +103,17 @@ dc21285_write_config(struct pci_bus *bus, unsigned int devfn, int where,
 	if (addr)
 		switch (size) {
 		case 1:
-			asm("strb	%0, [%1, %2]"
+			asm volatile("strb	%0, [%1, %2]"
 				: : "r" (value), "r" (addr), "r" (where)
 				: "cc");
 			break;
 		case 2:
-			asm("strh	%0, [%1, %2]"
+			asm volatile("strh	%0, [%1, %2]"
 				: : "r" (value), "r" (addr), "r" (where)
 				: "cc");
 			break;
 		case 4:
-			asm("str	%0, [%1, %2]"
+			asm volatile("str	%0, [%1, %2]"
 				: : "r" (value), "r" (addr), "r" (where)
 				: "cc");
 			break;

arch/arm/mach-imx/suspend-imx6.S

@@ -73,6 +73,7 @@
 #define MX6Q_CCM_CCR	0x0
 
 	.align 3
+	.arm
 
 	.macro  sync_l2_cache
 

arch/arm/xen/enlighten.c

@@ -392,8 +392,6 @@ static int __init xen_guest_init(void)
 		return -ENOMEM;
 	}
 	gnttab_init();
-	if (!xen_initial_domain())
-		xenbus_probe();
 
 	/*
 	 * Making sure board specific code will not set up ops for

arch/arm/xen/p2m.c

@@ -93,8 +93,10 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops,
 	for (i = 0; i < count; i++) {
 		if (map_ops[i].status)
 			continue;
-		set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT,
-				    map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT);
+		if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT,
+				    map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) {
+			return -ENOMEM;
+		}
 	}
 
 	return 0;

arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi

@@ -304,7 +304,7 @@
 
 		dcfg: dcfg@1ee0000 {
 			compatible = "fsl,ls1046a-dcfg", "syscon";
-			reg = <0x0 0x1ee0000 0x0 0x10000>;
+			reg = <0x0 0x1ee0000 0x0 0x1000>;
 			big-endian;
 		};
 

arch/arm64/boot/dts/rockchip/rk3399.dtsi

@@ -231,6 +231,7 @@
 		reg = <0x0 0xf8000000 0x0 0x2000000>,
 		      <0x0 0xfd000000 0x0 0x1000000>;
 		reg-names = "axi-base", "apb-base";
+		device_type = "pci";
 		#address-cells = <3>;
 		#size-cells = <2>;
 		#interrupt-cells = <1>;
@@ -249,7 +250,6 @@
 				<0 0 0 2 &pcie0_intc 1>,
 				<0 0 0 3 &pcie0_intc 2>,
 				<0 0 0 4 &pcie0_intc 3>;
-		linux,pci-domain = <0>;
 		max-link-speed = <1>;
 		msi-map = <0x0 &its 0x0 0x1000>;
 		phys = <&pcie_phy 0>, <&pcie_phy 1>,

arch/h8300/kernel/asm-offsets.c

@@ -63,6 +63,9 @@ int main(void)
 	OFFSET(TI_FLAGS, thread_info, flags);
 	OFFSET(TI_CPU, thread_info, cpu);
 	OFFSET(TI_PRE, thread_info, preempt_count);
+#ifdef CONFIG_PREEMPTION
+	DEFINE(TI_PRE_COUNT, offsetof(struct thread_info, preempt_count));
+#endif
 
 	return 0;
 }

arch/mips/kernel/smp-bmips.c

@@ -574,7 +574,7 @@ asmlinkage void __weak plat_wired_tlb_setup(void)
 	 */
 }
 
-void __init bmips_cpu_setup(void)
+void bmips_cpu_setup(void)
 {
 	void __iomem __maybe_unused *cbr = BMIPS_GET_CBR();
 	u32 __maybe_unused cfg;

arch/x86/Makefile

@@ -62,6 +62,9 @@ endif
 KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow
 KBUILD_CFLAGS += $(call cc-option,-mno-avx,)
 
+# Intel CET isn't enabled in the kernel
+KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
+
 ifeq ($(CONFIG_X86_32),y)
         BITS := 32
         UTS_MACHINE := i386

arch/x86/entry/entry_64_compat.S

@@ -357,13 +357,13 @@ ENTRY(entry_INT80_compat)
 	pushq	%rdx			/* pt_regs->dx */
 	pushq	%rcx			/* pt_regs->cx */
 	pushq	$-ENOSYS		/* pt_regs->ax */
-	pushq   $0			/* pt_regs->r8  = 0 */
+	pushq   %r8			/* pt_regs->r8 */
 	xorl	%r8d, %r8d		/* nospec   r8 */
-	pushq   $0			/* pt_regs->r9  = 0 */
+	pushq   %r9			/* pt_regs->r9 */
 	xorl	%r9d, %r9d		/* nospec   r9 */
-	pushq   $0			/* pt_regs->r10 = 0 */
+	pushq   %r10			/* pt_regs->r10*/
 	xorl	%r10d, %r10d		/* nospec   r10 */
-	pushq   $0			/* pt_regs->r11 = 0 */
+	pushq   %r11			/* pt_regs->r11 */
 	xorl	%r11d, %r11d		/* nospec   r11 */
 	pushq   %rbx                    /* pt_regs->rbx */
 	xorl	%ebx, %ebx		/* nospec   rbx */

arch/x86/include/asm/apic.h

@@ -174,16 +174,6 @@ static inline void lapic_update_tsc_freq(void) { }
 #endif /* !CONFIG_X86_LOCAL_APIC */
 
 #ifdef CONFIG_X86_X2APIC
-/*
- * Make previous memory operations globally visible before
- * sending the IPI through x2apic wrmsr. We need a serializing instruction or
- * mfence for this.
- */
-static inline void x2apic_wrmsr_fence(void)
-{
-	asm volatile("mfence" : : : "memory");
-}
-
 static inline void native_apic_msr_write(u32 reg, u32 v)
 {
 	if (reg == APIC_DFR || reg == APIC_ID || reg == APIC_LDR ||

arch/x86/include/asm/barrier.h

@@ -111,4 +111,22 @@ do {									\
 
 #include <asm-generic/barrier.h>
 
+/*
+ * Make previous memory operations globally visible before
+ * a WRMSR.
+ *
+ * MFENCE makes writes visible, but only affects load/store
+ * instructions.  WRMSR is unfortunately not a load/store
+ * instruction and is unaffected by MFENCE.  The LFENCE ensures
+ * that the WRMSR is not reordered.
+ *
+ * Most WRMSRs are full serializing instructions themselves and
+ * do not require this barrier.  This is only required for the
+ * IA32_TSC_DEADLINE and X2APIC MSRs.
+ */
+static inline void weak_wrmsr_fence(void)
+{
+	asm volatile("mfence; lfence" : : : "memory");
+}
+
 #endif /* _ASM_X86_BARRIER_H */

arch/x86/include/asm/msr.h

@@ -88,7 +88,7 @@ static inline void do_trace_rdpmc(unsigned int msr, u64 val, int failed) {}
  * think of extending them - you will be slapped with a stinking trout or a frozen
  * shark will reach you, wherever you are! You've been warned.
  */
-static inline unsigned long long notrace __rdmsr(unsigned int msr)
+static __always_inline unsigned long long __rdmsr(unsigned int msr)
 {
 	DECLARE_ARGS(val, low, high);
 
@@ -100,7 +100,7 @@ static inline unsigned long long notrace __rdmsr(unsigned int msr)
 	return EAX_EDX_VAL(val, low, high);
 }
 
-static inline void notrace __wrmsr(unsigned int msr, u32 low, u32 high)
+static __always_inline void __wrmsr(unsigned int msr, u32 low, u32 high)
 {
 	asm volatile("1: wrmsr\n"
 		     "2:\n"

arch/x86/kernel/apic/apic.c

@@ -42,6 +42,7 @@
 #include <asm/x86_init.h>
 #include <asm/pgalloc.h>
 #include <linux/atomic.h>
+#include <asm/barrier.h>
 #include <asm/mpspec.h>
 #include <asm/i8259.h>
 #include <asm/proto.h>
@@ -473,6 +474,9 @@ static int lapic_next_deadline(unsigned long delta,
 {
 	u64 tsc;
 
+	/* This MSR is special and need a special fence: */
+	weak_wrmsr_fence();
+
 	tsc = rdtsc();
 	wrmsrl(MSR_IA32_TSC_DEADLINE, tsc + (((u64) delta) * TSC_DIVISOR));
 	return 0;

arch/x86/kernel/apic/x2apic_cluster.c

@@ -29,7 +29,8 @@ static void x2apic_send_IPI(int cpu, int vector)
 {
 	u32 dest = per_cpu(x86_cpu_to_logical_apicid, cpu);
 
-	x2apic_wrmsr_fence();
+	/* x2apic MSRs are special and need a special fence: */
+	weak_wrmsr_fence();
 	__x2apic_send_IPI_dest(dest, vector, APIC_DEST_LOGICAL);
 }
 
@@ -42,7 +43,8 @@ __x2apic_send_IPI_mask(const struct cpumask *mask, int vector, int apic_dest)
 	unsigned long flags;
 	u32 dest;
 
-	x2apic_wrmsr_fence();
+	/* x2apic MSRs are special and need a special fence: */
+	weak_wrmsr_fence();
 
 	local_irq_save(flags);
 

arch/x86/kernel/apic/x2apic_phys.c

@@ -41,7 +41,8 @@ static void x2apic_send_IPI(int cpu, int vector)
 {
 	u32 dest = per_cpu(x86_cpu_to_apicid, cpu);
 
-	x2apic_wrmsr_fence();
+	/* x2apic MSRs are special and need a special fence: */
+	weak_wrmsr_fence();
 	__x2apic_send_IPI_dest(dest, vector, APIC_DEST_PHYSICAL);
 }
 
@@ -52,7 +53,8 @@ __x2apic_send_IPI_mask(const struct cpumask *mask, int vector, int apic_dest)
 	unsigned long this_cpu;
 	unsigned long flags;
 
-	x2apic_wrmsr_fence();
+	/* x2apic MSRs are special and need a special fence: */
+	weak_wrmsr_fence();
 
 	local_irq_save(flags);
 

arch/x86/kvm/pmu_intel.c

@@ -29,7 +29,7 @@ static struct kvm_event_hw_type_mapping intel_arch_events[] = {
 	[4] = { 0x2e, 0x41, PERF_COUNT_HW_CACHE_MISSES },
 	[5] = { 0xc4, 0x00, PERF_COUNT_HW_BRANCH_INSTRUCTIONS },
 	[6] = { 0xc5, 0x00, PERF_COUNT_HW_BRANCH_MISSES },
-	[7] = { 0x00, 0x30, PERF_COUNT_HW_REF_CPU_CYCLES },
+	[7] = { 0x00, 0x03, PERF_COUNT_HW_REF_CPU_CYCLES },
 };
 
 /* mapping between fixed pmc index and intel_arch_events array */

arch/x86/kvm/x86.c

@@ -98,6 +98,7 @@ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
 
 static void update_cr8_intercept(struct kvm_vcpu *vcpu);
 static void process_nmi(struct kvm_vcpu *vcpu);
+static void process_smi(struct kvm_vcpu *vcpu);
 static void enter_smm(struct kvm_vcpu *vcpu);
 static void __kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags);
 
@@ -3290,6 +3291,10 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
 					       struct kvm_vcpu_events *events)
 {
 	process_nmi(vcpu);
+
+	if (kvm_check_request(KVM_REQ_SMI, vcpu))
+		process_smi(vcpu);
+
 	/*
 	 * FIXME: pass injected and pending separately.  This is only
 	 * needed for nested virtualization, whose state cannot be