--- /dev/null
+From f798217dfd038af981a18bbe4bc57027a08bb182 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 4 Feb 2015 17:06:37 +0000
+Subject: KVM: MIPS: Don't leak FPU/DSP to guest
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit f798217dfd038af981a18bbe4bc57027a08bb182 upstream.
+
+The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
+kvm_mips_set_c0_status() on a guest exit, presumably in case there is
+active state that needs saving if pre-emption occurs. However neither of
+these bits are cleared again when returning to the guest.
+
+This effectively gives the guest access to the FPU/DSP hardware after
+the first guest exit even though it is not aware of its presence,
+allowing FP instructions in guest user code to intermittently actually
+execute instead of trapping into the guest OS for emulation. It will
+then read & manipulate the hardware FP registers which technically
+belong to the user process (e.g. QEMU), or are stale from another user
+process. It can also crash the guest OS by causing an FP exception, for
+which a guest exception handler won't have been registered.
+
+First lets save and disable the FPU (and MSA) state with lose_fpu(1)
+before entering the guest. This simplifies the problem, especially for
+when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
+state being live when the FR bit gets cleared for the guest, which
+according to the architecture causes the contents of the FPU and vector
+registers to become UNPREDICTABLE.
+
+We can then safely remove the enabling of the FPU in
+kvm_mips_set_c0_status(), since there should never be any active FPU or
+MSA state to save at pre-emption, which should plug the FPU leak.
+
+DSP state is always live rather than being lazily restored, so for that
+it is simpler to just clear the MX bit again when re-entering the guest.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Sanjay Lal <sanjayl@kymasys.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: kvm@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # v3.10+: 044f0f03eca0: MIPS: KVM: Deliver guest interrupts
+Cc: <stable@vger.kernel.org> # v3.10+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/kvm_locore.S | 2 +-
+ arch/mips/kvm/kvm_mips.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kvm/kvm_locore.S
++++ b/arch/mips/kvm/kvm_locore.S
+@@ -431,7 +431,7 @@ __kvm_mips_return_to_guest:
+ /* Setup status register for running guest in UM */
+ .set at
+ or v1, v1, (ST0_EXL | KSU_USER | ST0_IE)
+- and v1, v1, ~ST0_CU0
++ and v1, v1, ~(ST0_CU0 | ST0_MX)
+ .set noat
+ mtc0 v1, CP0_STATUS
+ ehb
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -15,6 +15,7 @@
+ #include <linux/vmalloc.h>
+ #include <linux/fs.h>
+ #include <linux/bootmem.h>
++#include <asm/fpu.h>
+ #include <asm/page.h>
+ #include <asm/cacheflush.h>
+ #include <asm/mmu_context.h>
+@@ -413,6 +414,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
+ vcpu->mmio_needed = 0;
+ }
+
++ lose_fpu(1);
++
+ local_irq_disable();
+ /* Check if we have any exceptions/interrupts pending */
+ kvm_mips_deliver_interrupts(vcpu,
+@@ -1017,9 +1020,6 @@ void kvm_mips_set_c0_status(void)
+ {
+ uint32_t status = read_c0_status();
+
+- if (cpu_has_fpu)
+- status |= (ST0_CU1);
+-
+ if (cpu_has_dsp)
+ status |= (ST0_MX);
+
--- /dev/null
+From 8e2207cdd087ebb031e9118d1fd0902c6533a5e5 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 15 Jan 2015 17:56:18 +0100
+Subject: KVM: s390: floating irqs: fix user triggerable endless loop
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit 8e2207cdd087ebb031e9118d1fd0902c6533a5e5 upstream.
+
+If a vm with no VCPUs is created, the injection of a floating irq
+leads to an endless loop in the kernel.
+
+Let's skip the search for a destination VCPU for a floating irq if no
+VCPUs were created.
+
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -736,6 +736,8 @@ int kvm_s390_inject_vm(struct kvm *kvm,
+ list_add_tail(&inti->list, &iter->list);
+ }
+ atomic_set(&fi->active, 1);
++ if (atomic_read(&kvm->online_vcpus) == 0)
++ goto unlock_fi;
+ sigcpu = find_first_bit(fi->idle_mask, KVM_MAX_VCPUS);
+ if (sigcpu == KVM_MAX_VCPUS) {
+ do {
projects / thirdparty / kernel / stable-queue.git / commitdiff
