+++ /dev/null
-From 63cb6d5f004ca44f9b8e562b6dd191f717a4960e Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Mon, 20 Mar 2017 21:18:53 -0700
-Subject: KVM: nVMX: Fix nested VPID vmx exec control
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-
-commit 63cb6d5f004ca44f9b8e562b6dd191f717a4960e upstream.
-
-This can be reproduced by running kvm-unit-tests/vmx.flat on L0 w/ vpid disabled.
-
-Test suite: VPID
-Unhandled exception 6 #UD at ip 00000000004051a6
-error_code=0000 rflags=00010047 cs=00000008
-rax=0000000000000000 rcx=0000000000000001 rdx=0000000000000047 rbx=0000000000402f79
-rbp=0000000000456240 rsi=0000000000000001 rdi=0000000000000000
-r8=000000000000000a r9=00000000000003f8 r10=0000000080010011 r11=0000000000000000
-r12=0000000000000003 r13=0000000000000708 r14=0000000000000000 r15=0000000000000000
-cr0=0000000080010031 cr2=0000000000000000 cr3=0000000007fff000 cr4=0000000000002020
-cr8=0000000000000000
-STACK: @4051a6 40523e 400f7f 402059 40028f
-
-We should hide and forbid VPID in L1 if it is disabled on L0. However, nested VPID
-enable bit is set unconditionally during setup nested vmx exec controls though VPID
-is not exposed through nested VMX capablity. This patch fixes it by don't set nested
-VPID enable bit if it is disabled on L0.
-
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Fixes: 5c614b3583e (KVM: nVMX: nested VPID emulation)
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/kvm/vmx.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -2787,7 +2787,6 @@ static void nested_vmx_setup_ctls_msrs(s
- SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
- SECONDARY_EXEC_RDTSCP |
- SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
-- SECONDARY_EXEC_ENABLE_VPID |
- SECONDARY_EXEC_APIC_REGISTER_VIRT |
- SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
- SECONDARY_EXEC_WBINVD_EXITING |
-@@ -2815,10 +2814,12 @@ static void nested_vmx_setup_ctls_msrs(s
- * though it is treated as global context. The alternative is
- * not failing the single-context invvpid, and it is worse.
- */
-- if (enable_vpid)
-+ if (enable_vpid) {
-+ vmx->nested.nested_vmx_secondary_ctls_high |=
-+ SECONDARY_EXEC_ENABLE_VPID;
- vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT |
- VMX_VPID_EXTENT_SUPPORTED_MASK;
-- else
-+ } else
- vmx->nested.nested_vmx_vpid_caps = 0;
-
- if (enable_unrestricted_guest)
+++ /dev/null
-From bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e Mon Sep 17 00:00:00 2001
-From: Jan Dakinevich <jan.dakinevich@gmail.com>
-Date: Fri, 28 Oct 2016 07:00:30 +0300
-Subject: KVM: nVMX: invvpid handling improvements
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Jan Dakinevich <jan.dakinevich@gmail.com>
-
-commit bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e upstream.
-
- - Expose all invalidation types to the L1
-
- - Reject invvpid instruction, if L1 passed zero vpid value to single
- context invalidations
-
-Signed-off-by: Jan Dakinevich <jan.dakinevich@gmail.com>
-Tested-by: Ladi Prosek <lprosek@redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/kvm/vmx.c | 36 ++++++++++++++++++++++++------------
- 1 file changed, 24 insertions(+), 12 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -132,6 +132,12 @@ module_param_named(preemption_timer, ena
-
- #define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5
-
-+#define VMX_VPID_EXTENT_SUPPORTED_MASK \
-+ (VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT | \
-+ VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | \
-+ VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT | \
-+ VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT)
-+
- /*
- * These 2 parameters are used to config the controls for Pause-Loop Exiting:
- * ple_gap: upper bound on the amount of time between two successive
-@@ -2811,8 +2817,7 @@ static void nested_vmx_setup_ctls_msrs(s
- */
- if (enable_vpid)
- vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT |
-- VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT |
-- VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
-+ VMX_VPID_EXTENT_SUPPORTED_MASK;
- else
- vmx->nested.nested_vmx_vpid_caps = 0;
-
-@@ -7698,7 +7703,8 @@ static int handle_invvpid(struct kvm_vcp
- vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
- type = kvm_register_readl(vcpu, (vmx_instruction_info >> 28) & 0xf);
-
-- types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7;
-+ types = (vmx->nested.nested_vmx_vpid_caps &
-+ VMX_VPID_EXTENT_SUPPORTED_MASK) >> 8;
-
- if (type >= 32 || !(types & (1 << type))) {
- nested_vmx_failValid(vcpu,
-@@ -7720,21 +7726,27 @@ static int handle_invvpid(struct kvm_vcp
- }
-
- switch (type) {
-+ case VMX_VPID_EXTENT_INDIVIDUAL_ADDR:
- case VMX_VPID_EXTENT_SINGLE_CONTEXT:
-- /*
-- * Old versions of KVM use the single-context version so we
-- * have to support it; just treat it the same as all-context.
-- */
-+ case VMX_VPID_EXTENT_SINGLE_NON_GLOBAL:
-+ if (!vpid) {
-+ nested_vmx_failValid(vcpu,
-+ VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
-+ skip_emulated_instruction(vcpu);
-+ return 1;
-+ }
-+ break;
- case VMX_VPID_EXTENT_ALL_CONTEXT:
-- __vmx_flush_tlb(vcpu, to_vmx(vcpu)->nested.vpid02);
-- nested_vmx_succeed(vcpu);
- break;
- default:
-- /* Trap individual address invalidation invvpid calls */
-- BUG_ON(1);
-- break;
-+ WARN_ON_ONCE(1);
-+ skip_emulated_instruction(vcpu);
-+ return 1;
- }
-
-+ __vmx_flush_tlb(vcpu, vmx->nested.vpid02);
-+ nested_vmx_succeed(vcpu);
-+
- skip_emulated_instruction(vcpu);
- return 1;
- }
--- /dev/null
+From 2beb6dad2e8f95d710159d5befb390e4f62ab5cf Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 27 Mar 2017 17:53:50 +0200
+Subject: KVM: x86: cleanup the page tracking SRCU instance
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream.
+
+SRCU uses a delayed work item. Skip cleaning it up, and
+the result is use-after-free in the work item callbacks.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
+Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_page_track.h | 1 +
+ arch/x86/kvm/page_track.c | 8 ++++++++
+ arch/x86/kvm/x86.c | 1 +
+ 3 files changed, 10 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_page_track.h
++++ b/arch/x86/include/asm/kvm_page_track.h
+@@ -35,6 +35,7 @@ struct kvm_page_track_notifier_node {
+ };
+
+ void kvm_page_track_init(struct kvm *kvm);
++void kvm_page_track_cleanup(struct kvm *kvm);
+
+ void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
+ struct kvm_memory_slot *dont);
+--- a/arch/x86/kvm/page_track.c
++++ b/arch/x86/kvm/page_track.c
+@@ -156,6 +156,14 @@ bool kvm_page_track_is_active(struct kvm
+ return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]);
+ }
+
++void kvm_page_track_cleanup(struct kvm *kvm)
++{
++ struct kvm_page_track_notifier_head *head;
++
++ head = &kvm->arch.track_notifier_head;
++ cleanup_srcu_struct(&head->track_srcu);
++}
++
+ void kvm_page_track_init(struct kvm *kvm)
+ {
+ struct kvm_page_track_notifier_head *head;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7976,6 +7976,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+ kvm_free_vcpus(kvm);
+ kvfree(rcu_dereference_check(kvm->arch.apic_map, 1));
+ kvm_mmu_uninit_vm(kvm);
++ kvm_page_track_cleanup(kvm);
+ }
+
+ void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
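Review bot: The new kvm_page_track_cleanup() in the page_track.c hunk carries no comment on its precondition, yet cleanup_srcu_struct() is only safe once no reader or pending callback on track_srcu remains, which in practice means every page-track notifier must already be unregistered when the call at the end of kvm_arch_destroy_vm() runs. A short comment above the definition, `/* Tear down the page-track SRCU instance; callers must have unregistered every notifier first, since cleanup_srcu_struct() requires no remaining readers or pending callbacks. */`, would make that ordering constraint visible to anyone later reordering the teardown sequence in x86.c. Placing the call after kvm_mmu_uninit_vm() presumably reflects the MMU being the last registered notifier at that point, but the hunk does not show that, so it is worth confirming against the remaining notifier users. kvm_arch_destroy_vm() itself starts outside this hunk, so any earlier return path that would skip the new call cannot be seen here.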
xfrm-policy-init-locks-early.patch
xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-kvm-nvmx-invvpid-handling-improvements.patch
-kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
+kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
virtio_balloon-init-1st-buffer-in-stats-vq.patch
pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch