From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 3 Apr 2022 06:58:09 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v5.17.2~157
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d602cab2154b26dc0a32445d79fa4617aea8067;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	kvm-prevent-module-exit-until-all-vms-are-freed.patch
	kvm-x86-fix-sending-pv-ipi.patch
---

diff --git a/queue-5.4/kvm-prevent-module-exit-until-all-vms-are-freed.patch b/queue-5.4/kvm-prevent-module-exit-until-all-vms-are-freed.patch
new file mode 100644
index 00000000000..95af1bf2b95
--- /dev/null
+++ b/queue-5.4/kvm-prevent-module-exit-until-all-vms-are-freed.patch
@@ -0,0 +1,75 @@
+From 5f6de5cbebee925a612856fce6f9182bb3eee0db Mon Sep 17 00:00:00 2001
+From: David Matlack <dmatlack@google.com>
+Date: Thu, 3 Mar 2022 18:33:27 +0000
+Subject: KVM: Prevent module exit until all VMs are freed
+
+From: David Matlack <dmatlack@google.com>
+
+commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream.
+
+Tie the lifetime the KVM module to the lifetime of each VM via
+kvm.users_count. This way anything that grabs a reference to the VM via
+kvm_get_kvm() cannot accidentally outlive the KVM module.
+
+Prior to this commit, the lifetime of the KVM module was tied to the
+lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU
+file descriptors by their respective file_operations "owner" field.
+This approach is insufficient because references grabbed via
+kvm_get_kvm() do not prevent closing any of the aforementioned file
+descriptors.
+
+This fixes a long standing theoretical bug in KVM that at least affects
+async page faults. kvm_setup_async_pf() grabs a reference via
+kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing
+prevents the VM file descriptor from being closed and the KVM module
+from being unloaded before this callback runs.
+
+Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
+Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations")
+Cc: stable@vger.kernel.org
+Suggested-by: Ben Gardon <bgardon@google.com>
+[ Based on a patch from Ben implemented for Google's kernel. ]
+Signed-off-by: David Matlack <dmatlack@google.com>
+Message-Id: <20220303183328.1499189-2-dmatlack@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -115,6 +115,8 @@ EXPORT_SYMBOL_GPL(kvm_debugfs_dir);
+ static int kvm_debugfs_num_entries;
+ static const struct file_operations *stat_fops_per_vm[];
+ 
++static struct file_operations kvm_chardev_ops;
++
+ static long kvm_vcpu_ioctl(struct file *file, unsigned int ioctl,
+ 			   unsigned long arg);
+ #ifdef CONFIG_KVM_COMPAT
+@@ -766,6 +768,16 @@ static struct kvm *kvm_create_vm(unsigne
+ 
+ 	preempt_notifier_inc();
+ 
++	/*
++	 * When the fd passed to this ioctl() is opened it pins the module,
++	 * but try_module_get() also prevents getting a reference if the module
++	 * is in MODULE_STATE_GOING (e.g. if someone ran "rmmod --wait").
++	 */
++	if (!try_module_get(kvm_chardev_ops.owner)) {
++		r = -ENODEV;
++		goto out_err;
++	}
++
+ 	return kvm;
+ 
+ out_err:
+@@ -844,6 +856,7 @@ static void kvm_destroy_vm(struct kvm *k
+ 	preempt_notifier_dec();
+ 	hardware_disable_all();
+ 	mmdrop(mm);
++	module_put(kvm_chardev_ops.owner);
+ }
+ 
+ void kvm_get_kvm(struct kvm *kvm)
diff --git a/queue-5.4/kvm-x86-fix-sending-pv-ipi.patch b/queue-5.4/kvm-x86-fix-sending-pv-ipi.patch
new file mode 100644
index 00000000000..b5fdd4c652d
--- /dev/null
+++ b/queue-5.4/kvm-x86-fix-sending-pv-ipi.patch
@@ -0,0 +1,38 @@
+From c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Wed, 9 Mar 2022 16:35:44 +0800
+Subject: KVM: x86: fix sending PV IPI
+
+From: Li RongQing <lirongqing@baidu.com>
+
+commit c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e upstream.
+
+If apic_id is less than min, and (max - apic_id) is greater than
+KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but
+the new apic_id does not fit the bitmask.  In this case __send_ipi_mask
+should send the IPI.
+
+This is mostly theoretical, but it can happen if the apic_ids on three
+iterations of the loop are for example 1, KVM_IPI_CLUSTER_SIZE, 0.
+
+Fixes: aaffcfd1e82 ("KVM: X86: Implement PV IPIs in linux guest")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Message-Id: <1646814944-51801-1-git-send-email-lirongqing@baidu.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/kvm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -487,7 +487,7 @@ static void __send_ipi_mask(const struct
+ 		} else if (apic_id < min && max - apic_id < KVM_IPI_CLUSTER_SIZE) {
+ 			ipi_bitmap <<= min - apic_id;
+ 			min = apic_id;
+-		} else if (apic_id < min + KVM_IPI_CLUSTER_SIZE) {
++		} else if (apic_id > min && apic_id < min + KVM_IPI_CLUSTER_SIZE) {
+ 			max = apic_id < max ? max : apic_id;
+ 		} else {
+ 			ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,
diff --git a/queue-5.4/series b/queue-5.4/series
index f2f03164d79..73d41cc2467 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -328,3 +328,5 @@ scsi-qla2xxx-fix-missed-dma-unmap-for-nvme-ls-requests.patch
 scsi-qla2xxx-fix-n2n-inconsistent-plogi.patch
 scsi-qla2xxx-reduce-false-trigger-to-login.patch
 scsi-qla2xxx-use-correct-feature-type-field-during-rff_id-processing.patch
+kvm-prevent-module-exit-until-all-vms-are-freed.patch
+kvm-x86-fix-sending-pv-ipi.patch