4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Aug 2021 10:55:59 +0000 (12:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Aug 2021 10:55:59 +0000 (12:55 +0200)
added patches:
kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch

queue-4.19/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch [new file with mode: 0644]
queue-4.19/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch [new file with mode: 0644]
queue-4.19/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch b/queue-4.19/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
new file mode 100644 (file)
index 0000000..0a634f1
--- /dev/null
@@ -0,0 +1,57 @@
+From fa7a549d321a4189677b0cea86e58d9db7977f7b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Jul 2021 17:37:49 -0400
+Subject: KVM: x86: accept userspace interrupt only if no event is injected
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream.
+
+Once an exception has been injected, any side effects related to
+the exception (such as setting CR2 or DR6) have been taked place.
+Therefore, once KVM sets the VM-entry interruption information
+field or the AMD EVENTINJ field, the next VM-entry must deliver that
+exception.
+
+Pending interrupts are processed after injected exceptions, so
+in theory it would not be a problem to use KVM_INTERRUPT when
+an injected exception is present.  However, DOSEMU is using
+run->ready_for_interrupt_injection to detect interrupt windows
+and then using KVM_SET_SREGS/KVM_SET_REGS to inject the
+interrupt manually.  For this to work, the interrupt window
+must be delayed after the completion of the previous event
+injection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stas Sergeev <stsp2@yandex.ru>
+Tested-by: Stas Sergeev <stsp2@yandex.ru>
+Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request")
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3366,8 +3366,17 @@ static int kvm_cpu_accept_dm_intr(struct
+ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
+ {
+-      return kvm_arch_interrupt_allowed(vcpu) &&
+-              kvm_cpu_accept_dm_intr(vcpu);
++      /*
++       * Do not cause an interrupt window exit if an exception
++       * is pending or an event needs reinjection; userspace
++       * might want to inject the interrupt manually using KVM_SET_REGS
++       * or KVM_SET_SREGS.  For that to work, we must be at an
++       * instruction boundary and with no events half-injected.
++       */
++      return (kvm_arch_interrupt_allowed(vcpu) &&
++              kvm_cpu_accept_dm_intr(vcpu) &&
++              !kvm_event_needs_reinjection(vcpu) &&
++              !vcpu->arch.exception.pending);
+ }
+ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
diff --git a/queue-4.19/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch b/queue-4.19/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
new file mode 100644 (file)
index 0000000..9b6c6ba
--- /dev/null
@@ -0,0 +1,54 @@
+From d5aaad6f83420efb8357ac8e11c868708b22d0a9 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 4 Aug 2021 14:46:09 -0700
+Subject: KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream.
+
+Take a signed 'long' instead of an 'unsigned long' for the number of
+pages to add/subtract to the total number of pages used by the MMU.  This
+fixes a zero-extension bug on 32-bit kernels that effectively corrupts
+the per-cpu counter used by the shrinker.
+
+Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
+kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
+an unsigned 32-bit value on 32-bit kernels.  As a result, the value used
+to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
+sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
+4294967295 and effectively corrupts the counter.
+
+This was found by a staggering amount of sheer dumb luck when running
+kvm-unit-tests on a 32-bit KVM build.  The shrinker just happened to kick
+in while running tests and do_shrink_slab() logged an error about trying
+to free a negative number of objects.  The truly lucky part is that the
+kernel just happened to be a slightly stale build, as the shrinker no
+longer yells about negative objects as of commit 18bb473e5031 ("mm:
+vmscan: shrink deferred objects proportional to priority").
+
+ vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460
+
+Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
+Cc: stable@vger.kernel.org
+Cc: Ben Gardon <bgardon@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210804214609.1096003-1-seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2042,7 +2042,7 @@ static int is_empty_shadow_page(u64 *spt
+  * aggregate version in order to make the slab shrinker
+  * faster
+  */
+-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
+ {
+       kvm->arch.n_used_mmu_pages += nr;
+       percpu_counter_add(&kvm_total_used_mmu_pages, nr);
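Review bot: The new `long nr` signature carries no explanation in the code; the reason the parameter must be signed lives only in the commit message, so a later "unsigned for counts" cleanup could silently reintroduce the zero-extension bug on 32-bit builds. I would add a short comment above the definition: `/* 'nr' is deliberately signed: callers pass -1 to release a page and percpu_counter_add() takes an s64, so an unsigned long would be zero-extended on 32-bit builds. */`. The type of `kvm->arch.n_used_mmu_pages` is not visible here; if it is unsigned, the `+=` on the following line remains well-defined but the mixed-sign arithmetic is worth confirming. The body of kvm_mod_used_mmu_pages continues past the end of the hunk.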
diff --git a/queue-4.19/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch b/queue-4.19/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
new file mode 100644 (file)
index 0000000..43f86bc
--- /dev/null
@@ -0,0 +1,32 @@
+From e39cdacf2f664b09029e7c1eb354c91a20c367af Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Tue, 22 Jun 2021 07:11:31 +0000
+Subject: pcmcia: i82092: fix a null pointer dereference bug
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream.
+
+During the driver loading process, the 'dev' field was not assigned, but
+the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map'
+function.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+CC: <stable@vger.kernel.org>
+[linux@dominikbrodowski.net: shorten commit message, add Cc to stable]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/i82092.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pcmcia/i82092.c
++++ b/drivers/pcmcia/i82092.c
+@@ -105,6 +105,7 @@ static int i82092aa_pci_probe(struct pci
+       for (i = 0;i<socket_count;i++) {
+               sockets[i].card_state = 1; /* 1 = present but empty */
+               sockets[i].io_base = pci_resource_start(dev, 0);
++              sockets[i].dev = dev;
+               sockets[i].socket.features |= SS_CAP_PCCARD;
+               sockets[i].socket.map_size = 0x1000;
+               sockets[i].socket.irq_mask = 0;
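Review bot: The added `sockets[i].dev = dev;` gives no hint why the field matters; that it is dereferenced later (the commit message names i82092aa_set_mem_map) is not visible at the assignment, so a future reordering of this initialisation could drop it again. A one-line comment would anchor it: `sockets[i].dev = dev; /* dereferenced by i82092aa_set_mem_map() */`. Whether any other path initialises `sockets[]` without setting `dev` cannot be seen from this hunk and is worth checking. The loop and i82092aa_pci_probe continue outside the hunk.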
index 482a0c38ad118ac3a411f8885e2b5094d1561623..045f24f74e498f53a806ffbc7ae92523b3d14ec6 100644 (file)
@@ -40,3 +40,6 @@ pipe-increase-minimum-default-pipe-size-to-2-pages.patch
 ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
 serial-8250-mask-out-floating-16-32-bit-bus-bits.patch
 mips-malta-do-not-byte-swap-accesses-to-the-cbus-uart.patch
+pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
+kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
+kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch