From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Wed, 28 Jul 2010 23:47:46 +0000 (-0700)
Subject: .34 patches
X-Git-Tag: v2.6.27.49~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b677988d0e790b5d868d4fdae59cea82067f252;p=thirdparty%2Fkernel%2Fstable-queue.git

.34 patches
---

diff --git a/queue-2.6.34/0001-KVM-MMU-Remove-user-access-when-allowing-kernel-acce.patch b/queue-2.6.34/0001-KVM-MMU-Remove-user-access-when-allowing-kernel-acce.patch
new file mode 100644
index 00000000000..c0b94e92be5
--- /dev/null
+++ b/queue-2.6.34/0001-KVM-MMU-Remove-user-access-when-allowing-kernel-acce.patch
@@ -0,0 +1,29 @@
+From 8ddb9c422646ba4e151218a2a89e4872b1e0cb5d Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Thu, 27 May 2010 14:35:58 +0300
+Subject: KVM: MMU: Remove user access when allowing kernel access to gpte.w=0 page
+
+If cr0.wp=0, we have to allow the guest kernel access to a page with pte.w=0.
+We do that by setting spte.w=1, since the host cr0.wp must remain set so the
+host can write protect pages.  Once we allow write access, we must remove
+user access otherwise we mistakenly allow the user to write the page.
+
+Reviewed-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+(cherry picked from commit 69325a122580d3a7b26589e8efdd6663001c3297)
+---
+ arch/x86/kvm/mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1837,6 +1837,9 @@ static int set_spte(struct kvm_vcpu *vcp
+ 
+ 		spte |= PT_WRITABLE_MASK;
+ 
++		if (!tdp_enabled && !(pte_access & ACC_WRITE_MASK))
++			spte &= ~PT_USER_MASK;
++
+ 		/*
+ 		 * Optimization: for pte sync, if spte was writable the hash
+ 		 * lookup is unnecessary (and expensive). Write protection
diff --git a/queue-2.6.34/0002-KVM-SVM-Handle-MCEs-early-in-the-vmexit-process.patch b/queue-2.6.34/0002-KVM-SVM-Handle-MCEs-early-in-the-vmexit-process.patch
new file mode 100644
index 00000000000..37231f63150
--- /dev/null
+++ b/queue-2.6.34/0002-KVM-SVM-Handle-MCEs-early-in-the-vmexit-process.patch
@@ -0,0 +1,56 @@
+From 7bbe8446ec84034782b2b04d4ba97519ba90d870 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 17 May 2010 14:43:34 +0200
+Subject: KVM: SVM: Handle MCEs early in the vmexit process
+
+This patch moves handling of the MC vmexits to an earlier
+point in the vmexit. The handle_exit function is too late
+because the vcpu might alreadry have changed its physical
+cpu.
+
+Cc: stable@kernel.org
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+(cherry picked from commit fe5913e4e1700cbfc337f4b1da9ddb26f6a55586)
+---
+ arch/x86/kvm/svm.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1280,7 +1280,7 @@ static int nm_interception(struct vcpu_s
+ 	return 1;
+ }
+ 
+-static int mc_interception(struct vcpu_svm *svm)
++static void svm_handle_mce(struct vcpu_svm *svm)
+ {
+ 	/*
+ 	 * On an #MC intercept the MCE handler is not called automatically in
+@@ -1290,6 +1290,11 @@ static int mc_interception(struct vcpu_s
+ 		"int $0x12\n");
+ 	/* not sure if we ever come back to this point */
+ 
++	return;
++}
++
++static int mc_interception(struct vcpu_svm *svm)
++{
+ 	return 1;
+ }
+ 
+@@ -2842,6 +2847,14 @@ static void svm_vcpu_run(struct kvm_vcpu
+ 		vcpu->arch.regs_avail &= ~(1 << VCPU_EXREG_PDPTR);
+ 		vcpu->arch.regs_dirty &= ~(1 << VCPU_EXREG_PDPTR);
+ 	}
++
++	/*
++	 * We need to handle MC intercepts here before the vcpu has a chance to
++	 * change the physical cpu
++	 */
++	if (unlikely(svm->vmcb->control.exit_code ==
++		     SVM_EXIT_EXCP_BASE + MC_VECTOR))
++		svm_handle_mce(svm);
+ }
+ 
+ #undef R
diff --git a/queue-2.6.34/0003-KVM-SVM-Implement-workaround-for-Erratum-383.patch b/queue-2.6.34/0003-KVM-SVM-Implement-workaround-for-Erratum-383.patch
new file mode 100644
index 00000000000..0219fd7dc1b
--- /dev/null
+++ b/queue-2.6.34/0003-KVM-SVM-Implement-workaround-for-Erratum-383.patch
@@ -0,0 +1,155 @@
+From 62f60d37fb2f475ccef1fb81d1d40dfbbb0a180b Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 17 May 2010 14:43:35 +0200
+Subject: KVM: SVM: Implement workaround for Erratum 383
+
+This patch implements a workaround for AMD erratum 383 into
+KVM. Without this erratum fix it is possible for a guest to
+kill the host machine. This patch implements the suggested
+workaround for hypervisors which will be published by the
+next revision guide update.
+
+[jan: fix overflow warning on i386]
+[xiao: fix unused variable warning]
+
+Cc: stable@kernel.org
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+(cherry picked from commit 67ec66077799f2fef84b21a643912b179c422281)
+---
+ arch/x86/include/asm/msr-index.h |    1 
+ arch/x86/kvm/svm.c               |   81 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 82 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -107,6 +107,7 @@
+ #define MSR_AMD64_PATCH_LOADER		0xc0010020
+ #define MSR_AMD64_OSVW_ID_LENGTH	0xc0010140
+ #define MSR_AMD64_OSVW_STATUS		0xc0010141
++#define MSR_AMD64_DC_CFG		0xc0011022
+ #define MSR_AMD64_IBSFETCHCTL		0xc0011030
+ #define MSR_AMD64_IBSFETCHLINAD		0xc0011031
+ #define MSR_AMD64_IBSFETCHPHYSAD	0xc0011032
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -28,6 +28,7 @@
+ #include <linux/ftrace_event.h>
+ #include <linux/slab.h>
+ 
++#include <asm/tlbflush.h>
+ #include <asm/desc.h>
+ 
+ #include <asm/virtext.h>
+@@ -55,6 +56,8 @@ MODULE_LICENSE("GPL");
+ 
+ #define DEBUGCTL_RESERVED_BITS (~(0x3fULL))
+ 
++static bool erratum_383_found __read_mostly;
++
+ static const u32 host_save_user_msrs[] = {
+ #ifdef CONFIG_X86_64
+ 	MSR_STAR, MSR_LSTAR, MSR_CSTAR, MSR_SYSCALL_MASK, MSR_KERNEL_GS_BASE,
+@@ -298,6 +301,31 @@ static void skip_emulated_instruction(st
+ 	svm_set_interrupt_shadow(vcpu, 0);
+ }
+ 
++static void svm_init_erratum_383(void)
++{
++	u32 low, high;
++	int err;
++	u64 val;
++
++	/* Only Fam10h is affected */
++	if (boot_cpu_data.x86 != 0x10)
++		return;
++
++	/* Use _safe variants to not break nested virtualization */
++	val = native_read_msr_safe(MSR_AMD64_DC_CFG, &err);
++	if (err)
++		return;
++
++	val |= (1ULL << 47);
++
++	low  = lower_32_bits(val);
++	high = upper_32_bits(val);
++
++	native_write_msr_safe(MSR_AMD64_DC_CFG, low, high);
++
++	erratum_383_found = true;
++}
++
+ static int has_svm(void)
+ {
+ 	const char *msg;
+@@ -353,6 +381,8 @@ static int svm_hardware_enable(void *gar
+ 
+ 	wrmsrl(MSR_VM_HSAVE_PA, page_to_pfn(sd->save_area) << PAGE_SHIFT);
+ 
++	svm_init_erratum_383();
++
+ 	return 0;
+ }
+ 
+@@ -1280,8 +1310,59 @@ static int nm_interception(struct vcpu_s
+ 	return 1;
+ }
+ 
++static bool is_erratum_383(void)
++{
++	int err, i;
++	u64 value;
++
++	if (!erratum_383_found)
++		return false;
++
++	value = native_read_msr_safe(MSR_IA32_MC0_STATUS, &err);
++	if (err)
++		return false;
++
++	/* Bit 62 may or may not be set for this mce */
++	value &= ~(1ULL << 62);
++
++	if (value != 0xb600000000010015ULL)
++		return false;
++
++	/* Clear MCi_STATUS registers */
++	for (i = 0; i < 6; ++i)
++		native_write_msr_safe(MSR_IA32_MCx_STATUS(i), 0, 0);
++
++	value = native_read_msr_safe(MSR_IA32_MCG_STATUS, &err);
++	if (!err) {
++		u32 low, high;
++
++		value &= ~(1ULL << 2);
++		low    = lower_32_bits(value);
++		high   = upper_32_bits(value);
++
++		native_write_msr_safe(MSR_IA32_MCG_STATUS, low, high);
++	}
++
++	/* Flush tlb to evict multi-match entries */
++	__flush_tlb_all();
++
++	return true;
++}
++
+ static void svm_handle_mce(struct vcpu_svm *svm)
+ {
++	if (is_erratum_383()) {
++		/*
++		 * Erratum 383 triggered. Guest state is corrupt so kill the
++		 * guest.
++		 */
++		pr_err("KVM: Guest triggered AMD Erratum 383\n");
++
++		set_bit(KVM_REQ_TRIPLE_FAULT, &svm->vcpu.requests);
++
++		return;
++	}
++
+ 	/*
+ 	 * On an #MC intercept the MCE handler is not called automatically in
+ 	 * the host. So do it by hand here.
diff --git a/queue-2.6.34/0004-KVM-MMU-invalidate-and-flush-on-spte-small-large-pag.patch b/queue-2.6.34/0004-KVM-MMU-invalidate-and-flush-on-spte-small-large-pag.patch
new file mode 100644
index 00000000000..3613a12412e
--- /dev/null
+++ b/queue-2.6.34/0004-KVM-MMU-invalidate-and-flush-on-spte-small-large-pag.patch
@@ -0,0 +1,34 @@
+From b5b864715452f937b7d532bfb44cda61dde0d02d Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 28 May 2010 09:44:59 -0300
+Subject: KVM: MMU: invalidate and flush on spte small->large page size change
+
+Always invalidate spte and flush TLBs when changing page size, to make
+sure different sized translations for the same address are never cached
+in a CPU's TLB.
+
+Currently the only case where this occurs is when a non-leaf spte pointer is
+overwritten by a leaf, large spte entry. This can happen after dirty
+logging is disabled on a memslot, for example.
+
+Noticed by Andrea.
+
+KVM-Stable-Tag
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+(cherry picked from commit 3be2264be3c00865116f997dc53ebcc90fe7fc4b)
+---
+ arch/x86/kvm/mmu.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1895,6 +1895,8 @@ static void mmu_set_spte(struct kvm_vcpu
+ 
+ 			child = page_header(pte & PT64_BASE_ADDR_MASK);
+ 			mmu_page_remove_parent_pte(child, sptep);
++			__set_spte(sptep, shadow_trap_nonpresent_pte);
++			kvm_flush_remote_tlbs(vcpu->kvm);
+ 		} else if (pfn != spte_to_pfn(*sptep)) {
+ 			pgprintk("hfn old %lx new %lx\n",
+ 				 spte_to_pfn(*sptep), pfn);
diff --git a/queue-2.6.34/0005-KVM-read-apic-irr-with-ioapic-lock-held.patch b/queue-2.6.34/0005-KVM-read-apic-irr-with-ioapic-lock-held.patch
new file mode 100644
index 00000000000..074ffae0bf5
--- /dev/null
+++ b/queue-2.6.34/0005-KVM-read-apic-irr-with-ioapic-lock-held.patch
@@ -0,0 +1,31 @@
+From 871c386c6231ece7a8631c57013cdbf4193eb1bc Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Wed, 2 Jun 2010 11:26:26 -0300
+Subject: KVM: read apic->irr with ioapic lock held
+
+Read ioapic->irr inside ioapic->lock protected section.
+
+KVM-Stable-Tag
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+(cherry picked from commit 07dc7263b99e4ddad2b4c69765a428ccb7d48938)
+---
+ virt/kvm/ioapic.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -192,12 +192,13 @@ static int ioapic_deliver(struct kvm_ioa
+ 
+ int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level)
+ {
+-	u32 old_irr = ioapic->irr;
++	u32 old_irr;
+ 	u32 mask = 1 << irq;
+ 	union kvm_ioapic_redirect_entry entry;
+ 	int ret = 1;
+ 
+ 	spin_lock(&ioapic->lock);
++	old_irr = ioapic->irr;
+ 	if (irq >= 0 && irq < IOAPIC_NUM_PINS) {
+ 		entry = ioapic->redirtbl[irq];
+ 		level ^= entry.fields.polarity;
diff --git a/queue-2.6.34/series b/queue-2.6.34/series
index 921c5b43a2e..bf2420e0069 100644
--- a/queue-2.6.34/series
+++ b/queue-2.6.34/series
@@ -145,3 +145,8 @@ drm-i915-don-t-queue-flips-during-a-flip-pending-event.patch
 drm-i915-hold-the-spinlock-whilst-resetting-unpin_work-along-error-path.patch
 drm-i915-handle-shared-framebuffers-when-flipping.patch
 ethtool-fix-potential-user-buffer-overflow-for-ethtool_-g-s-rxfh.patch
+0001-KVM-MMU-Remove-user-access-when-allowing-kernel-acce.patch
+0002-KVM-SVM-Handle-MCEs-early-in-the-vmexit-process.patch
+0003-KVM-SVM-Implement-workaround-for-Erratum-383.patch
+0004-KVM-MMU-invalidate-and-flush-on-spte-small-large-pag.patch
+0005-KVM-read-apic-irr-with-ioapic-lock-held.patch