--- /dev/null
+From 6491d4d02893d9787ba67279595990217177b351 Mon Sep 17 00:00:00 2001
+From: "Woodhouse, David" <david.woodhouse@intel.com>
+Date: Wed, 19 Dec 2012 13:25:35 +0000
+Subject: intel-iommu: Free old page tables before creating superpage
+
+From: "Woodhouse, David" <david.woodhouse@intel.com>
+
+commit 6491d4d02893d9787ba67279595990217177b351 upstream.
+
+The dma_pte_free_pagetable() function will only free a page table page
+if it is asked to free the *entire* 2MiB range that it covers. So if a
+page table page was used for one or more small mappings, it's likely to
+end up still present in the page tables... but with no valid PTEs.
+
+This was fine when we'd only be repopulating it with 4KiB PTEs anyway
+but the same virtual address range can end up being reused for a
+*large-page* mapping. And in that case were were trying to insert the
+large page into the second-level page table, and getting a complaint
+from the sanity check in __domain_mapping() because there was already a
+corresponding entry. This was *relatively* harmless; it led to a memory
+leak of the old page table page, but no other ill-effects.
+
+Fix it by calling dma_pte_clear_range (hopefully redundant) and
+dma_pte_free_pagetable() before setting up the new large page.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Tested-by: Ravi Murty <Ravi.Murty@intel.com>
+Tested-by: Sudeep Dutt <sudeep.dutt@intel.com>
+Cc: stable@kernel.org [3.0+]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: CAI Qian <caiqian@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/intel-iommu.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/intel-iommu.c
++++ b/drivers/pci/intel-iommu.c
+@@ -1793,10 +1793,17 @@ static int __domain_mapping(struct dmar_
+ if (!pte)
+ return -ENOMEM;
+ /* It is large page*/
+- if (largepage_lvl > 1)
++ if (largepage_lvl > 1) {
+ pteval |= DMA_PTE_LARGE_PAGE;
+- else
++ /* Ensure that old small page tables are removed to make room
++ for superpage, if they exist. */
++ dma_pte_clear_range(domain, iov_pfn,
++ iov_pfn + lvl_to_nr_pages(largepage_lvl) - 1);
++ dma_pte_free_pagetable(domain, iov_pfn,
++ iov_pfn + lvl_to_nr_pages(largepage_lvl) - 1);
++ } else {
+ pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE;
++ }
+
+ }
+ /* We don't need lock here, nobody else
--- /dev/null
+From e43a028752fed049e4bd94ef895542f96d79fa74 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Sat, 6 Oct 2012 03:56:35 +0200
+Subject: KVM: PPC: 44x: fix DCR read/write
+
+From: Alexander Graf <agraf@suse.de>
+
+commit e43a028752fed049e4bd94ef895542f96d79fa74 upstream.
+
+When remembering the direction of a DCR transaction, we should write
+to the same variable that we interpret on later when doing vcpu_run
+again.
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: CAI Qian <caiqian@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/44x_emulate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kvm/44x_emulate.c
++++ b/arch/powerpc/kvm/44x_emulate.c
+@@ -79,6 +79,7 @@ int kvmppc_core_emulate_op(struct kvm_ru
+ run->dcr.dcrn = dcrn;
+ run->dcr.data = 0;
+ run->dcr.is_write = 0;
++ vcpu->arch.dcr_is_write = 0;
+ vcpu->arch.io_gpr = rt;
+ vcpu->arch.dcr_needed = 1;
+ kvmppc_account_exit(vcpu, DCR_EXITS);
+@@ -100,6 +101,7 @@ int kvmppc_core_emulate_op(struct kvm_ru
+ run->dcr.dcrn = dcrn;
+ run->dcr.data = kvmppc_get_gpr(vcpu, rs);
+ run->dcr.is_write = 1;
++ vcpu->arch.dcr_is_write = 1;
+ vcpu->arch.dcr_needed = 1;
+ kvmppc_account_exit(vcpu, DCR_EXITS);
+ emulated = EMULATE_DO_DCR;
projects / thirdparty / kernel / stable-queue.git / commitdiff
