From: Greg Kroah-Hartman
Date: Wed, 1 Jul 2015 18:17:26 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.83~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=629689e7a2aad2f4e2483cbc76e53653ce782f7b;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch
arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
kvm-arm-vgic-plug-irq-injection-race.patch
---
diff --git a/queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch b/queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch
new file mode 100644
index 00000000000..a153bc936d0
--- /dev/null
+++ b/queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch
@@ -0,0 +1,48 @@
+From 0fea6d7628ed6e25a9ee1b67edf7c859718d39e8 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall
+Date: Thu, 25 Sep 2014 18:41:07 +0200
+Subject: arm/arm64: KVM: Fix set_clear_sgi_pend_reg offset
+
+From: Christoffer Dall
+
+commit 0fea6d7628ed6e25a9ee1b67edf7c859718d39e8 upstream.
+
+The sgi values calculated in read_set_clear_sgi_pend_reg() and
+write_set_clear_sgi_pend_reg() were horribly incorrectly multiplied by 4
+with catastrophic results in that subfunctions ended up overwriting
+memory not allocated for the expected purpose.
+
+This showed up as bugs in kfree() and the kernel complaining a lot of
+you turn on memory debugging.
+
+This addresses: http://marc.info/?l=kvm&m=141164910007868&w=2
+
+Reported-by: Shannon Zhao
+Signed-off-by: Christoffer Dall
+Signed-off-by: Shannon Zhao
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/vgic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -674,7 +674,7 @@ static bool read_set_clear_sgi_pend_reg(
+ {
+ struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+ int sgi;
+- int min_sgi = (offset & ~0x3) * 4;
++ int min_sgi = (offset & ~0x3);
+ int max_sgi = min_sgi + 3;
+ int vcpu_id = vcpu->vcpu_id;
+ u32 reg = 0;
+@@ -695,7 +695,7 @@ static bool write_set_clear_sgi_pend_reg
+ {
+ struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+ int sgi;
+- int min_sgi = (offset & ~0x3) * 4;
++ int min_sgi = (offset & ~0x3);
+ int max_sgi = min_sgi + 3;
+ int vcpu_id = vcpu->vcpu_id;
+ u32 reg;
diff --git a/queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch b/queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
new file mode 100644
index 00000000000..38a21789692
--- /dev/null
+++ b/queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
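Review bot: The corrected `int min_sgi = (offset & ~0x3);` in read_set_clear_sgi_pend_reg() and write_set_clear_sgi_pend_reg() still carries no explicit bound, and `max_sgi = min_sgi + 3` goes on to index per-SGI state further down, outside this hunk, so the fix relies on the MMIO dispatch having already confined offset to the 16-byte SGI pending window. Since the original bug was exactly an out-of-range SGI index corrupting unrelated memory, a guard that makes that assumption visible and fails closed rather than panicking on guest-driven MMIO would be worthwhile, e.g. `if (WARN_ON(max_sgi >= VGIC_NR_SGIS)) return false;` after the max_sgi line in both functions, or at least a comment `/* offset is already bounded to the 16 SGI pending bytes by the register range table */`. Both function bodies and the type of offset are outside the hunk, so the exact form of the check should be confirmed against the callers.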
@@ -0,0 +1,105 @@
+From a7d079cea2dffb112e26da2566dd84c0ef1fce97 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Tue, 9 Sep 2014 11:27:09 +0100
+Subject: ARM/arm64: KVM: fix use of WnR bit in kvm_is_write_fault()
+
+From: Ard Biesheuvel
+
+commit a7d079cea2dffb112e26da2566dd84c0ef1fce97 upstream.
+
+[Since we don't backport commit 9804788 (arm/arm64: KVM: Support
+KVM_CAP_READONLY_MEM), ingore the changes in kvm_handle_guest_abort
+introduced by this patch.]
+
+The ISS encoding for an exception from a Data Abort has a WnR
+bit[6] that indicates whether the Data Abort was caused by a
+read or a write instruction. While there are several fields
+in the encoding that are only valid if the ISV bit[24] is set,
+WnR is not one of them, so we can read it unconditionally.
+
+Instead of fixing both implementations of kvm_is_write_fault()
+in place, reimplement it just once using kvm_vcpu_dabt_iswrite(),
+which already does the right thing with respect to the WnR bit.
+Also fix up the callers to pass 'vcpu'
+
+Acked-by: Laszlo Ersek
+Acked-by: Marc Zyngier
+Acked-by: Christoffer Dall
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Marc Zyngier
+Signed-off-by: Shannon Zhao
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/include/asm/kvm_mmu.h | 11 -----------
+ arch/arm/kvm/mmu.c | 10 +++++++++-
+ arch/arm64/include/asm/kvm_mmu.h | 13 -------------
+ 3 files changed, 9 insertions(+), 25 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -78,17 +78,6 @@ static inline void kvm_set_pte(pte_t *pt
+ flush_pmd_entry(pte);
+ }
+
+-static inline bool kvm_is_write_fault(unsigned long hsr)
+-{
+- unsigned long hsr_ec = hsr >> HSR_EC_SHIFT;
+- if (hsr_ec == HSR_EC_IABT)
+- return false;
+- else if ((hsr & HSR_ISV) && !(hsr & HSR_WNR))
+- return false;
+- else
+- return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd)
+ {
+ clean_dcache_area(pgd, PTRS_PER_S2_PGD * sizeof(pgd_t));
+--- a/arch/arm/kvm/mmu.c
++++ 
b/arch/arm/kvm/mmu.c
+@@ -746,6 +746,14 @@ static bool transparent_hugepage_adjust(
+ return false;
+ }
+
++static bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
++{
++ if (kvm_vcpu_trap_is_iabt(vcpu))
++ return false;
++
++ return kvm_vcpu_dabt_iswrite(vcpu);
++}
++
+ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ struct kvm_memory_slot *memslot,
+ unsigned long fault_status)
+@@ -761,7 +769,7 @@ static int user_mem_abort(struct kvm_vcp
+ pfn_t pfn;
+ pgprot_t mem_type = PAGE_S2;
+
+- write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
++ write_fault = kvm_is_write_fault(vcpu);
+ if (fault_status == FSC_PERM && !write_fault) {
+ kvm_err("Unexpected L2 read permission error\n");
+ return -EFAULT;
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -93,19 +93,6 @@ void kvm_clear_hyp_idmap(void);
+ #define kvm_set_pte(ptep, pte) set_pte(ptep, pte)
+ #define kvm_set_pmd(pmdp, pmd) set_pmd(pmdp, pmd)
+
+-static inline bool kvm_is_write_fault(unsigned long esr)
+-{
+- unsigned long esr_ec = esr >> ESR_EL2_EC_SHIFT;
+-
+- if (esr_ec == ESR_EL2_EC_IABT)
+- return false;
+-
+- if ((esr & ESR_EL2_ISV) && !(esr & ESR_EL2_WNR))
+- return false;
+-
+- return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd) {}
+ static inline void kvm_clean_pmd_entry(pmd_t *pmd) {}
+ static inline void kvm_clean_pte(pte_t *pte) {}
diff --git a/queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch b/queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch
new file mode 100644
index 00000000000..93908688ddb
--- /dev/null
+++ b/queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch
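Review bot: The new static kvm_is_write_fault() added to arch/arm/kvm/mmu.c has no comment recording the point that motivated the rewrite, namely that WnR is valid even when ISV is clear, so the removed ISV gate could easily be reintroduced by a later reader who only sees this short body. Suggested comment above the function: `/* WnR (ISS bit 6) is valid regardless of ISV, so no ISV check is needed; instruction aborts are never writes. */`. The removed header variants returned true for any data abort with ISV clear, which misclassified such read faults as writes in the `fault_status == FSC_PERM` path below; the corrected classification now rests entirely on kvm_vcpu_dabt_iswrite(), whose definition is outside this hunk.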
@@ -0,0 +1,44 @@
+From 71afaba4a2e98bb7bdeba5078370ab43d46e67a1 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Tue, 8 Jul 2014 12:09:00 +0100
+Subject: KVM: ARM: vgic: plug irq injection race
+
+From: Marc Zyngier
+
+commit 71afaba4a2e98bb7bdeba5078370ab43d46e67a1 upstream.
+
+[Since we don't backport commit 227844f (arm/arm64: KVM: Rename irq_state
+to irq_pending) for linux-3.14.y, here we still use vgic_update_irq_state
+instead of vgic_update_irq_pending.]
+
+As it stands, nothing prevents userspace from injecting an interrupt
+before the guest's GIC is actually initialized.
+
+This goes unnoticed so far (as everything is pretty much statically
+allocated), but ends up exploding in a spectacular way once we switch
+to a more dynamic allocation (the GIC data structure isn't there yet).
+
+The fix is to test for the "ready" flag in the VGIC distributor before
+trying to inject the interrupt. Note that in order to avoid breaking
+userspace, we have to ignore what is essentially an error.
+
+Signed-off-by: Marc Zyngier
+Acked-by: Christoffer Dall
+Signed-off-by: Shannon Zhao
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/arm/vgic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1387,7 +1387,8 @@ out:
+ int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num,
+ bool level)
+ {
+- if (vgic_update_irq_state(kvm, cpuid, irq_num, level))
++ if (likely(vgic_initialized(kvm)) &&
++ vgic_update_irq_state(kvm, cpuid, irq_num, level))
+ vgic_kick_vcpus(kvm);
+
+ return 0;
diff --git a/queue-3.14/series b/queue-3.14/series
index d3d1ee8c29f..501f8fed008 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
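Review bot: The new `likely(vgic_initialized(kvm)) &&` condition in kvm_vgic_inject_irq() silently discards an injection that arrives before the distributor is ready and still returns 0, but nothing in the code says this is deliberate; the justification lives only in the commit message. Suggested comment on the new line: `/* Drop injections until the VGIC is ready; returning an error here would break existing userspace. */`. The vgic_initialized() test is evaluated before any lock is taken, so it is a best-effort gate rather than a synchronisation point; whether that window matters in 3.14, where the message says the structures are still statically allocated, depends on the locking inside vgic_update_irq_state(), which is outside this hunk. A kvm_debug() on the dropped path would also let an operator notice a userspace that injects too early instead of losing the event without trace.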
@@ -15,3 +15,6 @@ splice-apply-generic-position-and-size-checks-to-each-write.patch
 arm-clk-imx6q-refine-sata-s-parent.patch
 kvm-nsvm-check-for-nrips-support-before-updating-control-field.patch
 bus-mvebu-pass-the-coherency-availability-information-at-init-time.patch
+arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
+kvm-arm-vgic-plug-irq-injection-race.patch
+arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch