4.19-stable patches

added patches:
	kvm-prevent-module-exit-until-all-vms-are-freed.patch
	kvm-x86-fix-sending-pv-ipi.patch

diff --git a/queue-4.19/kvm-prevent-module-exit-until-all-vms-are-freed.patch b/queue-4.19/kvm-prevent-module-exit-until-all-vms-are-freed.patch
new file mode 100644 (file)
index 0000000..e5a1537
--- /dev/null
+++ b/queue-4.19/kvm-prevent-module-exit-until-all-vms-are-freed.patch
@@ -0,0 +1,75 @@
+From 5f6de5cbebee925a612856fce6f9182bb3eee0db Mon Sep 17 00:00:00 2001
+From: David Matlack <dmatlack@google.com>
+Date: Thu, 3 Mar 2022 18:33:27 +0000
+Subject: KVM: Prevent module exit until all VMs are freed
+
+From: David Matlack <dmatlack@google.com>
+
+commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream.
+
+Tie the lifetime the KVM module to the lifetime of each VM via
+kvm.users_count. This way anything that grabs a reference to the VM via
+kvm_get_kvm() cannot accidentally outlive the KVM module.
+
+Prior to this commit, the lifetime of the KVM module was tied to the
+lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU
+file descriptors by their respective file_operations "owner" field.
+This approach is insufficient because references grabbed via
+kvm_get_kvm() do not prevent closing any of the aforementioned file
+descriptors.
+
+This fixes a long standing theoretical bug in KVM that at least affects
+async page faults. kvm_setup_async_pf() grabs a reference via
+kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing
+prevents the VM file descriptor from being closed and the KVM module
+from being unloaded before this callback runs.
+
+Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
+Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations")
+Cc: stable@vger.kernel.org
+Suggested-by: Ben Gardon <bgardon@google.com>
+[ Based on a patch from Ben implemented for Google's kernel. ]
+Signed-off-by: David Matlack <dmatlack@google.com>
+Message-Id: <20220303183328.1499189-2-dmatlack@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -112,6 +112,8 @@ EXPORT_SYMBOL_GPL(kvm_debugfs_dir);
+ static int kvm_debugfs_num_entries;
+ static const struct file_operations *stat_fops_per_vm[];
+ 
++static struct file_operations kvm_chardev_ops;
++
+ static long kvm_vcpu_ioctl(struct file *file, unsigned int ioctl,
+                          unsigned long arg);
+ #ifdef CONFIG_KVM_COMPAT
+@@ -741,6 +743,16 @@ static struct kvm *kvm_create_vm(unsigne
+ 
+       preempt_notifier_inc();
+ 
++      /*
++       * When the fd passed to this ioctl() is opened it pins the module,
++       * but try_module_get() also prevents getting a reference if the module
++       * is in MODULE_STATE_GOING (e.g. if someone ran "rmmod --wait").
++       */
++      if (!try_module_get(kvm_chardev_ops.owner)) {
++              r = -ENODEV;
++              goto out_err;
++      }
++
+       return kvm;
+ 
+ out_err:
+@@ -817,6 +829,7 @@ static void kvm_destroy_vm(struct kvm *k
+       preempt_notifier_dec();
+       hardware_disable_all();
+       mmdrop(mm);
++      module_put(kvm_chardev_ops.owner);
+ }
+ 
+ void kvm_get_kvm(struct kvm *kvm)

diff --git a/queue-4.19/kvm-x86-fix-sending-pv-ipi.patch b/queue-4.19/kvm-x86-fix-sending-pv-ipi.patch
new file mode 100644 (file)
index 0000000..9feb31d
--- /dev/null
+++ b/queue-4.19/kvm-x86-fix-sending-pv-ipi.patch
@@ -0,0 +1,38 @@
+From c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Wed, 9 Mar 2022 16:35:44 +0800
+Subject: KVM: x86: fix sending PV IPI
+
+From: Li RongQing <lirongqing@baidu.com>
+
+commit c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e upstream.
+
+If apic_id is less than min, and (max - apic_id) is greater than
+KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but
+the new apic_id does not fit the bitmask.  In this case __send_ipi_mask
+should send the IPI.
+
+This is mostly theoretical, but it can happen if the apic_ids on three
+iterations of the loop are for example 1, KVM_IPI_CLUSTER_SIZE, 0.
+
+Fixes: aaffcfd1e82 ("KVM: X86: Implement PV IPIs in linux guest")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Message-Id: <1646814944-51801-1-git-send-email-lirongqing@baidu.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/kvm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -480,7 +480,7 @@ static void __send_ipi_mask(const struct
+               } else if (apic_id < min && max - apic_id < KVM_IPI_CLUSTER_SIZE) {
+                       ipi_bitmap <<= min - apic_id;
+                       min = apic_id;
+-              } else if (apic_id < min + KVM_IPI_CLUSTER_SIZE) {
++              } else if (apic_id > min && apic_id < min + KVM_IPI_CLUSTER_SIZE) {
+                       max = apic_id < max ? max : apic_id;
+               } else {
+                       ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,

diff --git a/queue-4.19/series b/queue-4.19/series
index 18a9bc1dea593dad7f37f25a91100b88e7bc5291..df7aa4aea7f74cbb13556c008657750872be3cb4 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -230,3 +230,5 @@ scsi-qla2xxx-fix-incorrect-reporting-of-task-management-failure.patch
 scsi-qla2xxx-fix-hang-due-to-session-stuck.patch
 scsi-qla2xxx-reduce-false-trigger-to-login.patch
 scsi-qla2xxx-use-correct-feature-type-field-during-rff_id-processing.patch
+kvm-prevent-module-exit-until-all-vms-are-freed.patch
+kvm-x86-fix-sending-pv-ipi.patch