.30 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 30 Sep 2009 23:28:33 +0000 (16:28 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 30 Sep 2009 23:28:33 +0000 (16:28 -0700)
12 files changed:
queue-2.6.30/ahci-restore-pci_intx-handling.patch [new file with mode: 0644]
queue-2.6.30/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch [new file with mode: 0644]
queue-2.6.30/kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch [new file with mode: 0644]
queue-2.6.30/kvm-limit-lapic-periodic-timer-frequency.patch [new file with mode: 0644]
queue-2.6.30/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch [new file with mode: 0644]
queue-2.6.30/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch [new file with mode: 0644]
queue-2.6.30/kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch [new file with mode: 0644]
queue-2.6.30/kvm-vmx-check-cpl-before-emulating-debug-register-access.patch [new file with mode: 0644]
queue-2.6.30/kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch [new file with mode: 0644]
queue-2.6.30/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch [new file with mode: 0644]
queue-2.6.30/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch [new file with mode: 0644]
queue-2.6.30/series

diff --git a/queue-2.6.30/ahci-restore-pci_intx-handling.patch b/queue-2.6.30/ahci-restore-pci_intx-handling.patch
new file mode 100644 (file)
index 0000000..74112b0
--- /dev/null
@@ -0,0 +1,45 @@
+From 31b239ad1ba7225435e13f5afc47e48eb674c0cc Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 17 Sep 2009 00:34:39 +0900
+Subject: ahci: restore pci_intx() handling
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 31b239ad1ba7225435e13f5afc47e48eb674c0cc upstream.
+
+Commit a5bfc4714b3f01365aef89a92673f2ceb1ccf246 dropped explicit
+pci_intx() manipulation from ahci because it seemed unnecessary and
+ahci doesn't seem to be the right place to be tweaking it if it were.
+This was largely okay but there are exceptions.  There was one on an
+embedded platform which was fixed via firmware and now bko#14124
+reports it on a HP DL320.
+
+  http://bugzilla.kernel.org/show_bug.cgi?id=14124
+
+I still think this isn't something libata drivers should be caring
+about (the only ones which are calling pci_intx() explicitly are
+libata ones and one other driver) but for now reverting the change
+seems to be the right thing to do.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/ahci.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -2744,8 +2744,8 @@ static int ahci_init_one(struct pci_dev 
+       if (board_id == board_ahci_sb700 && pdev->revision >= 0x40)
+               hpriv->flags &= ~AHCI_HFLAG_IGN_SERR_INTERNAL;
+-      if (!(hpriv->flags & AHCI_HFLAG_NO_MSI))
+-              pci_enable_msi(pdev);
++      if ((hpriv->flags & AHCI_HFLAG_NO_MSI) || pci_enable_msi(pdev))
++              pci_intx(pdev, 1);
+       /* save initial config */
+       ahci_save_initial_config(pdev, hpriv);
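Review bot: The rewritten condition `if ((hpriv->flags & AHCI_HFLAG_NO_MSI) || pci_enable_msi(pdev))` folds a side-effecting call into what reads like a plain flag test, and the short-circuit means pci_enable_msi() is only attempted when the NO_MSI flag is clear; that is correct but easy to misread. A one-line comment would make the fallback intent explicit, e.g. `/* fall back to legacy INTx when MSI is disabled by quirk or cannot be enabled */`. ahci_init_one() starts and continues outside this hunk.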
diff --git a/queue-2.6.30/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch b/queue-2.6.30/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch
new file mode 100644 (file)
index 0000000..78840de
--- /dev/null
@@ -0,0 +1,37 @@
+From mtosatti@redhat.com  Wed Sep 30 16:23:18 2009
+From: Mark McLoughlin <markmc@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:07 -0300
+Subject: KVM: fix cpuid E2BIG handling for extended request types
+To: stable@kernel.org
+Cc: Mark McLoughlin <markmc@redhat.com>, avi@redhat.com
+Message-ID: <1253315287-12229-10-git-send-email-mtosatti@redhat.com>
+
+
+From: Mark McLoughlin <markmc@redhat.com>
+
+(cherry picked from commit cb007648de83cf226d69ec76e1c01848b4e8e49f)
+
+If we run out of cpuid entries for extended request types
+we should return -E2BIG, just like we do for the standard
+request types.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1438,6 +1438,10 @@ static int kvm_dev_ioctl_get_supported_c
+       for (func = 0x80000001; func <= limit && nent < cpuid->nent; ++func)
+               do_cpuid_ent(&cpuid_entries[nent], func, 0,
+                            &nent, cpuid->nent);
++      r = -E2BIG;
++      if (nent >= cpuid->nent)
++              goto out_free;
++
+       r = -EFAULT;
+       if (copy_to_user(entries, cpuid_entries,
+                        nent * sizeof(struct kvm_cpuid_entry2)))
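Review bot: The added `if (nent >= cpuid->nent) goto out_free;` cannot tell a buffer that ran out of room from one that was filled exactly, because the loop above stops on either `func > limit` or `nent == cpuid->nent`; a caller that sized its buffer precisely is therefore also told -E2BIG. That presumably mirrors the standard-request path the description refers to, which lies outside the hunk, so a short comment would stop a later reader from "fixing" it, e.g. `/* an exactly-full buffer is reported as E2BIG too: the loop may have stopped for lack of room */`. kvm_dev_ioctl_get_supported_cpuid() starts and ends outside this hunk.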
diff --git a/queue-2.6.30/kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch b/queue-2.6.30/kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
new file mode 100644 (file)
index 0000000..fee4adf
--- /dev/null
@@ -0,0 +1,41 @@
+From mtosatti@redhat.com  Wed Sep 30 16:22:59 2009
+From: Glauber Costa <glommer@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:06 -0300
+Subject: KVM guest: fix bogus wallclock physical address calculation
+To: stable@kernel.org
+Cc: Glauber Costa <glommer@redhat.com>, avi@redhat.com
+Message-ID: <1253315287-12229-9-git-send-email-mtosatti@redhat.com>
+
+
+From: Glauber Costa <glommer@redhat.com>
+
+(cherry picked from commit a20316d2aa41a8f4fd171648bad8f044f6060826)
+
+The use of __pa() to calculate the address of a C-visible symbol
+is wrong, and can lead to unpredictable results. See arch/x86/include/asm/page.h
+for details.
+
+It should be replaced with __pa_symbol(), that does the correct math here,
+by taking relocations into account.  This ensures the correct wallclock data
+structure physical address is passed to the hypervisor.
+
+Signed-off-by: Glauber Costa <glommer@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kernel/kvmclock.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -50,8 +50,8 @@ static unsigned long kvm_get_wallclock(v
+       struct timespec ts;
+       int low, high;
+-      low = (int)__pa(&wall_clock);
+-      high = ((u64)__pa(&wall_clock) >> 32);
++      low = (int)__pa_symbol(&wall_clock);
++      high = ((u64)__pa_symbol(&wall_clock) >> 32);
+       native_write_msr(MSR_KVM_WALL_CLOCK, low, high);
+       vcpu_time = &get_cpu_var(hv_clock);
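Review bot: `__pa_symbol(&wall_clock)` is evaluated twice on the new `low =` and `high =` lines, once behind an `(int)` truncation and once behind a `(u64)` widening; computing it once into a local removes the duplicate and makes the 32-bit split explicit: `u64 pa = __pa_symbol(&wall_clock); low = (int)pa; high = pa >> 32;`. The local would sit beside the existing `int low, high;` declaration to keep declarations ahead of statements. kvm_get_wallclock() continues outside the hunk.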
diff --git a/queue-2.6.30/kvm-limit-lapic-periodic-timer-frequency.patch b/queue-2.6.30/kvm-limit-lapic-periodic-timer-frequency.patch
new file mode 100644 (file)
index 0000000..de2500a
--- /dev/null
@@ -0,0 +1,41 @@
+From mtosatti@redhat.com  Wed Sep 30 16:22:41 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:05 -0300
+Subject: KVM: limit lapic periodic timer frequency
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, avi@redhat.com
+Message-ID: <1253315287-12229-8-git-send-email-mtosatti@redhat.com>
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 1444885a045fe3b1905a14ea1b52540bf556578b)
+
+Otherwise its possible to starve the host by programming lapic timer
+with a very high frequency.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/lapic.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -635,6 +635,15 @@ static void start_apic_timer(struct kvm_
+       if (!apic->timer.period)
+               return;
++      /*
++       * Do not allow the guest to program periodic timers with small
++       * interval, since the hrtimers are not throttled by the host
++       * scheduler.
++       */
++      if (apic_lvtt_period(apic)) {
++              if (apic->timer.period < NSEC_PER_MSEC/2)
++                      apic->timer.period = NSEC_PER_MSEC/2;
++      }
+       hrtimer_start(&apic->timer.dev,
+                     ktime_add_ns(now, apic->timer.period),
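Review bot: The floor applied on the new `if (apic->timer.period < NSEC_PER_MSEC/2)` lines is scoped to periodic mode by the `apic_lvtt_period(apic)` test, so one-shot mode is not subject to it; the comment above should record whether that is intentional and why, since the stated goal is to keep the host from being starved by guest-programmed timers. The guest is also not told its period was changed, which is worth a sentence in the same comment. `NSEC_PER_MSEC/2` appears on two lines as a bare expression; a named constant for the minimum period would make the policy greppable. start_apic_timer() continues outside this hunk.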
diff --git a/queue-2.6.30/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch b/queue-2.6.30/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch
new file mode 100644 (file)
index 0000000..2f92a68
--- /dev/null
@@ -0,0 +1,42 @@
+From mtosatti@redhat.com  Wed Sep 30 16:22:20 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:04 -0300
+Subject: KVM: MMU: fix bogus alloc_mmu_pages assignment
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, avi@redhat.com
+Message-ID: <1253315287-12229-7-git-send-email-mtosatti@redhat.com>
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit b90c062c65cc8839edfac39778a37a55ca9bda36)
+
+Remove the bogus n_free_mmu_pages assignment from alloc_mmu_pages.
+
+It breaks accounting of mmu pages, since n_free_mmu_pages is modified
+but the real number of pages remains the same.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/mmu.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2692,14 +2692,6 @@ static int alloc_mmu_pages(struct kvm_vc
+       ASSERT(vcpu);
+-      spin_lock(&vcpu->kvm->mmu_lock);
+-      if (vcpu->kvm->arch.n_requested_mmu_pages)
+-              vcpu->kvm->arch.n_free_mmu_pages =
+-                                      vcpu->kvm->arch.n_requested_mmu_pages;
+-      else
+-              vcpu->kvm->arch.n_free_mmu_pages =
+-                                      vcpu->kvm->arch.n_alloc_mmu_pages;
+-      spin_unlock(&vcpu->kvm->mmu_lock);
+       /*
+        * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
+        * Therefore we need to allocate shadow page tables in the first
diff --git a/queue-2.6.30/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch b/queue-2.6.30/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch
new file mode 100644 (file)
index 0000000..c540871
--- /dev/null
@@ -0,0 +1,42 @@
+From mtosatti@redhat.com  Wed Sep 30 16:22:02 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:03 -0300
+Subject: KVM: MMU: fix missing locking in alloc_mmu_pages
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, avi@redhat.com
+Message-ID: <1253315287-12229-6-git-send-email-mtosatti@redhat.com>
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 6a1ac77110ee3e8d8dfdef8442f3b30b3d83e6a2)
+
+n_requested_mmu_pages/n_free_mmu_pages are used by
+kvm_mmu_change_mmu_pages to calculate the number of pages to zap.
+
+alloc_mmu_pages, called from the vcpu initialization path, modifies this
+variables without proper locking, which can result in a negative value
+in kvm_mmu_change_mmu_pages (say, with cpu hotplug).
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2692,12 +2692,14 @@ static int alloc_mmu_pages(struct kvm_vc
+       ASSERT(vcpu);
++      spin_lock(&vcpu->kvm->mmu_lock);
+       if (vcpu->kvm->arch.n_requested_mmu_pages)
+               vcpu->kvm->arch.n_free_mmu_pages =
+                                       vcpu->kvm->arch.n_requested_mmu_pages;
+       else
+               vcpu->kvm->arch.n_free_mmu_pages =
+                                       vcpu->kvm->arch.n_alloc_mmu_pages;
++      spin_unlock(&vcpu->kvm->mmu_lock);
+       /*
+        * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
+        * Therefore we need to allocate shadow page tables in the first
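Review bot: The `spin_lock(&vcpu->kvm->mmu_lock)` / `spin_unlock(...)` pair added here is deleted again by kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch in this same commit, which removes the whole guarded assignment; the series order (locking fix first) keeps each step bisectable, but the patch header could say the change is superseded within the queue so that nobody backports the lock on its own. alloc_mmu_pages() continues outside the hunk.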
diff --git a/queue-2.6.30/kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch b/queue-2.6.30/kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch
new file mode 100644 (file)
index 0000000..b6ee185
--- /dev/null
@@ -0,0 +1,36 @@
+From mtosatti@redhat.com  Wed Sep 30 16:21:30 2009
+From: Izik Eidus <ieidus@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:01 -0300
+Subject: KVM: MMU: make __kvm_mmu_free_some_pages handle empty list
+To: stable@kernel.org
+Cc: Izik Eidus <ieidus@redhat.com>, avi@redhat.com, Marcelo Tosatti <mtosatti@redhat.com>
+Message-ID: <1253315287-12229-4-git-send-email-mtosatti@redhat.com>
+
+
+From: Izik Eidus <ieidus@redhat.com>
+
+(cherry picked from commit 3b80fffe2b31fb716d3ebe729c54464ee7856723)
+
+First check if the list is empty before attempting to look at list
+entries.
+
+Signed-off-by: Izik Eidus <ieidus@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2612,7 +2612,8 @@ EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page
+ void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
+ {
+-      while (vcpu->kvm->arch.n_free_mmu_pages < KVM_REFILL_PAGES) {
++      while (vcpu->kvm->arch.n_free_mmu_pages < KVM_REFILL_PAGES &&
++             !list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
+               struct kvm_mmu_page *sp;
+               sp = container_of(vcpu->kvm->arch.active_mmu_pages.prev,
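Review bot: The new `!list_empty(&vcpu->kvm->arch.active_mmu_pages)` test deserves a comment on why the loop can see a free-page count below KVM_REFILL_PAGES while nothing is on the active list: the two alloc_mmu_pages patches in this same commit describe n_free_mmu_pages being adjusted without the real number of pages changing, so the counter is not a reliable proxy for list non-emptiness, e.g. `/* n_free_mmu_pages may undercount; never take .prev of an empty list */`. __kvm_mmu_free_some_pages() continues past the hunk.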
diff --git a/queue-2.6.30/kvm-vmx-check-cpl-before-emulating-debug-register-access.patch b/queue-2.6.30/kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
new file mode 100644 (file)
index 0000000..37f9442
--- /dev/null
@@ -0,0 +1,69 @@
+From mtosatti@redhat.com  Wed Sep 30 16:20:39 2009
+From: Avi Kivity <avi@redhat.com>
+Date: Fri, 18 Sep 2009 20:07:59 -0300
+Subject: KVM: VMX: Check cpl before emulating debug register access
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, Avi Kivity <avi@redhat.com>
+Message-ID: <1253315287-12229-2-git-send-email-mtosatti@redhat.com>
+
+
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit 0a79b009525b160081d75cef5dbf45817956acf2)
+
+Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
+code to emulate the instruction even though it was issued from guest
+userspace, possibly leading to an unexpected trap later.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/include/asm/kvm_host.h |    1 +
+ arch/x86/kvm/vmx.c              |    2 ++
+ arch/x86/kvm/x86.c              |   13 +++++++++++++
+ 3 files changed, 16 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -620,6 +620,7 @@ void kvm_queue_exception(struct kvm_vcpu
+ void kvm_queue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code);
+ void kvm_inject_page_fault(struct kvm_vcpu *vcpu, unsigned long cr2,
+                          u32 error_code);
++bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl);
+ int kvm_pic_set_irq(void *opaque, int irq, int level);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2865,6 +2865,8 @@ static int handle_dr(struct kvm_vcpu *vc
+       unsigned long val;
+       int dr, reg;
++      if (!kvm_require_cpl(vcpu, 0))
++              return 1;
+       dr = vmcs_readl(GUEST_DR7);
+       if (dr & DR7_GD) {
+               /*
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -217,6 +217,19 @@ static void __queue_exception(struct kvm
+ }
+ /*
++ * Checks if cpl <= required_cpl; if true, return true.  Otherwise queue
++ * a #GP and return false.
++ */
++bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl)
++{
++      if (kvm_x86_ops->get_cpl(vcpu) <= required_cpl)
++              return true;
++      kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
++      return false;
++}
++EXPORT_SYMBOL_GPL(kvm_require_cpl);
++
++/*
+  * Load the pae pdptrs.  Return true is they are all valid.
+  */
+ int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3)
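Review bot: Only arch/x86/kvm/vmx.c gains the `kvm_require_cpl(vcpu, 0)` guard although the new helper is exported from x86.c for any backend; whether the SVM debug-register intercept has the same gap is not visible here and is worth confirming before this lands in stable. In handle_dr() the early `return 1;` after the helper has queued #GP leaves the instruction unemulated, which presumably is what lets the fault be delivered at the faulting RIP rather than after it; a comment such as `/* #GP already queued by kvm_require_cpl(); do not emulate or skip the instruction */` would record that. handle_dr() continues outside the hunk.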
diff --git a/queue-2.6.30/kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch b/queue-2.6.30/kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
new file mode 100644 (file)
index 0000000..e416cc8
--- /dev/null
@@ -0,0 +1,41 @@
+From mtosatti@redhat.com  Wed Sep 30 16:21:01 2009
+From: Gleb Natapov <gleb@redhat.com>
+Date: Fri, 18 Sep 2009 20:08:00 -0300
+Subject: KVM: VMX: Fix cr8 exiting control clobbering by EPT
+To: stable@kernel.org
+Cc: avi@redhat.com, Gleb Natapov <gleb@redhat.com>
+Message-ID: <1253315287-12229-3-git-send-email-mtosatti@redhat.com>
+
+
+From: Gleb Natapov <gleb@redhat.com>
+
+(cherry picked from commit 5fff7d270bd6a4759b6d663741b729cdee370257)
+Don't call adjust_vmx_controls() two times for the same control.
+It restores options that were dropped earlier.  This loses us the cr8
+exit control, which causes a massive performance regression Windows x64.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1206,12 +1206,9 @@ static __init int setup_vmcs_config(stru
+       if (_cpu_based_2nd_exec_control & SECONDARY_EXEC_ENABLE_EPT) {
+               /* CR3 accesses and invlpg don't need to cause VM Exits when EPT
+                  enabled */
+-              min &= ~(CPU_BASED_CR3_LOAD_EXITING |
+-                       CPU_BASED_CR3_STORE_EXITING |
+-                       CPU_BASED_INVLPG_EXITING);
+-              if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PROCBASED_CTLS,
+-                                      &_cpu_based_exec_control) < 0)
+-                      return -EIO;
++              _cpu_based_exec_control &= ~(CPU_BASED_CR3_LOAD_EXITING |
++                                           CPU_BASED_CR3_STORE_EXITING |
++                                           CPU_BASED_INVLPG_EXITING);
+               rdmsr(MSR_IA32_VMX_EPT_VPID_CAP,
+                     vmx_capability.ept, vmx_capability.vpid);
+       }
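Review bot: Clearing CPU_BASED_CR3_LOAD_EXITING, CPU_BASED_CR3_STORE_EXITING and CPU_BASED_INVLPG_EXITING directly in `_cpu_based_exec_control` skips the validation the removed adjust_vmx_controls() call performed against MSR_IA32_VMX_PROCBASED_CTLS, so the new code assumes the CPU permits these bits to be 0 whenever SECONDARY_EXEC_ENABLE_EPT is available; that is presumably sound for EPT-capable parts but is no longer checked here. A comment recording the assumption would help the next reader, e.g. `/* these exits are optional with EPT; clear them directly rather than re-adjusting the whole control word */`. setup_vmcs_config() continues outside the hunk.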
diff --git a/queue-2.6.30/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch b/queue-2.6.30/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
new file mode 100644 (file)
index 0000000..cb40f3d
--- /dev/null
@@ -0,0 +1,62 @@
+From mtosatti@redhat.com  Wed Sep 30 16:21:46 2009
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Fri, 18 Sep 2009 20:08:02 -0300
+Subject: KVM: x86: Disallow hypercalls for guest callers in rings > 0
+To: stable@kernel.org
+Cc: Jan Kiszka <jan.kiszka@siemens.com>, avi@redhat.com
+Message-ID: <1253315287-12229-5-git-send-email-mtosatti@redhat.com>
+
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+(cherry picked from commit 07708c4af1346ab1521b26a202f438366b7bcffd)
+
+So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
+hypercalls. Normally, such callers cannot provide any hand-crafted MMU
+command structure as it has to be passed by its physical address, but
+they can still crash the guest kernel by passing random addresses.
+
+To close the hole, this patch considers hypercalls valid only if issued
+from guest ring 0. This may still be relaxed on a per-hypercall base in
+the future once required.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c       |    6 ++++++
+ include/linux/kvm_para.h |    1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2898,6 +2898,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+               a3 &= 0xFFFFFFFF;
+       }
++      if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++              ret = -KVM_EPERM;
++              goto out;
++      }
++
+       switch (nr) {
+       case KVM_HC_VAPIC_POLL_IRQ:
+               ret = 0;
+@@ -2909,6 +2914,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+               ret = -KVM_ENOSYS;
+               break;
+       }
++out:
+       kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+       ++vcpu->stat.hypercalls;
+       return r;
+--- a/include/linux/kvm_para.h
++++ b/include/linux/kvm_para.h
+@@ -13,6 +13,7 @@
+ #define KVM_ENOSYS            1000
+ #define KVM_EFAULT            EFAULT
+ #define KVM_E2BIG             E2BIG
++#define KVM_EPERM             EPERM
+ #define KVM_HC_VAPIC_POLL_IRQ         1
+ #define KVM_HC_MMU_OP                 2
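Review bot: The new `if (kvm_x86_ops->get_cpl(vcpu) != 0)` check in kvm_emulate_hypercall() open-codes the CPL test that the kvm_require_cpl() helper added by kvm-vmx-check-cpl-before-emulating-debug-register-access.patch in this commit wraps; the difference is intentional — a ring-3 hypercall gets -KVM_EPERM in RAX rather than an injected #GP — but a one-line comment would keep someone from "unifying" them later, e.g. `/* not kvm_require_cpl(): report EPERM to the caller instead of injecting #GP */`. `#define KVM_EPERM EPERM` in kvm_para.h introduces a new guest-visible hypercall return value, so the header should say it is ABI and its value must not change. kvm_emulate_hypercall() starts outside the first hunk, and the two x86.c hunks share that function.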
diff --git a/queue-2.6.30/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch b/queue-2.6.30/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch
new file mode 100644 (file)
index 0000000..c18a021
--- /dev/null
@@ -0,0 +1,50 @@
+From mtosatti@redhat.com  Wed Sep 30 16:23:51 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Mon, 28 Sep 2009 15:05:53 -0300
+Subject: Revert "KVM: x86: check for cr3 validity in ioctl_set_sregs"
+To: stable@kernel.org, avi@redhat.com
+Cc: Juan Quintela <quintela@redhat.com>
+Message-ID: <20090928180553.GA9603@amt.cnet>
+Content-Disposition: inline
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit dc7e795e3dd2a763e5ceaa1615f307e808cf3932)
+
+This reverts commit 6c20e1442bb1c62914bb85b7f4a38973d2a423ba.
+
+To my understanding, it became obsolete with the advent of the more
+robust check in mmu_alloc_roots (89da4ff17f). Moreover, it prevents
+the conceptually safe pattern
+
+ 1. set sregs
+ 2. register mem-slots
+ 3. run vcpu
+
+by setting a sticky triple fault during step 1.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4012,13 +4012,7 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
+       vcpu->arch.cr2 = sregs->cr2;
+       mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
+-
+-      down_read(&vcpu->kvm->slots_lock);
+-      if (gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT))
+-              vcpu->arch.cr3 = sregs->cr3;
+-      else
+-              set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
+-      up_read(&vcpu->kvm->slots_lock);
++      vcpu->arch.cr3 = sregs->cr3;
+       kvm_set_cr8(vcpu, sregs->cr8);
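Review bot: The new `vcpu->arch.cr3 = sregs->cr3;` line accepts whatever CR3 the ioctl caller supplies without validation, and the description defers the check to mmu_alloc_roots (89da4ff17f); a comment at the assignment would record that so the sticky triple-fault check is not reintroduced, e.g. `/* cr3 is validated in mmu_alloc_roots() on the next root load, not here: memslots may not exist yet */`. That the root load happens before the value is used is inferred from the `mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;` line above and not otherwise visible. kvm_arch_vcpu_ioctl_set_sregs() continues outside the hunk.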
index 6e69e3de086afed1c8d32cf402dafe1ce6cc7016..d8485b283741b8647a7b9b8af43a447c80545324 100644 (file)
@@ -4,3 +4,14 @@ kallsyms-fix-segfault-in-prefix_underscores_count.patch
 nilfs2-fix-missing-zero-fill-initialization-of-btree-node-cache.patch
 p54usb-add-zcomax-xg-705a-usbid.patch
 re-enable-lanman-security.patch
+kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
+kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
+kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch
+kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch
+kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch
+kvm-limit-lapic-periodic-timer-frequency.patch
+kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
+kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch
+revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch
+ahci-restore-pci_intx-handling.patch