From: Greg Kroah-Hartman Date: Tue, 13 Oct 2015 18:20:59 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v3.10.91~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5827b2afa4958b2c4ebba58f1a533496deda3d2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch arm-kvm-fix-incorrect-device-to-ipa-mapping.patch kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch kvm-factor-out-core-eventfd-assign-deassign-logic.patch kvm-fix-double-free-for-fast-mmio-eventfd.patch kvm-fix-zero-length-mmio-searching.patch kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch --- diff --git a/queue-4.1/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch b/queue-4.1/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch new file mode 100644 index 00000000000..a9efc168ee9 --- /dev/null +++ b/queue-4.1/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch @@ -0,0 +1,46 @@ +From 688bc577ac42ae3d07c889a1f0a72f0b23763d58 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 16 Sep 2015 16:18:59 +0100 +Subject: arm: KVM: Disable virtual timer even if the guest is not using it + +From: Marc Zyngier + +commit 688bc577ac42ae3d07c889a1f0a72f0b23763d58 upstream. + +When running a guest with the architected timer disabled (with QEMU and +the kernel_irqchip=off option, for example), it is important to make +sure the timer gets turned off. Otherwise, the guest may try to +enable it anyway, leading to a screaming HW interrupt. + +The fix is to unconditionally turn off the virtual timer on guest +exit. + +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/interrupts_head.S | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -518,8 +518,7 @@ ARM_BE8(rev r6, r6 ) + + mrc p15, 0, r2, c14, c3, 1 @ CNTV_CTL + str r2, [vcpu, #VCPU_TIMER_CNTV_CTL] +- bic r2, #1 @ Clear ENABLE +- mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL ++ + isb + + mrrc p15, 3, rr_lo_hi(r2, r3), c14 @ CNTV_CVAL +@@ -532,6 +531,9 @@ ARM_BE8(rev r6, r6 ) + mcrr p15, 4, r2, r2, c14 @ CNTVOFF + + 1: ++ mov r2, #0 @ Clear ENABLE ++ mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL ++ + @ Allow physical timer/counter access for the host + mrc p15, 4, r2, c14, c1, 0 @ CNTHCTL + orr r2, r2, #(CNTHCTL_PL1PCEN | CNTHCTL_PL1PCTEN) diff --git a/queue-4.1/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch b/queue-4.1/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch new file mode 100644 index 00000000000..85a167cefe3 --- /dev/null +++ b/queue-4.1/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch @@ -0,0 +1,47 @@ +From ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd Mon Sep 17 00:00:00 2001 +From: Marek Majtyka +Date: Wed, 16 Sep 2015 12:04:55 +0200 +Subject: arm: KVM: Fix incorrect device to IPA mapping + +From: Marek Majtyka + +commit ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd upstream. + +A critical bug has been found in device memory stage1 translation for +VMs with more then 4GB of address space. Once vm_pgoff size is smaller +then pa (which is true for LPAE case, u32 and u64 respectively) some +more significant bits of pa may be lost as a shift operation is performed +on u32 and later cast onto u64. + +Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12 + expected pa(u64): 0x0000002010030000 + produced pa(u64): 0x0000000010030000 + +The fix is to change the order of operations (casting first onto phys_addr_t +and then shifting). + +Reviewed-by: Marc Zyngier +[maz: fixed changelog and patch formatting] +Signed-off-by: Marek Majtyka +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/mmu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -1790,8 +1790,10 @@ int kvm_arch_prepare_memory_region(struc + if (vma->vm_flags & VM_PFNMAP) { + gpa_t gpa = mem->guest_phys_addr + + (vm_start - mem->userspace_addr); +- phys_addr_t pa = (vma->vm_pgoff << PAGE_SHIFT) + +- vm_start - vma->vm_start; ++ phys_addr_t pa; ++ ++ pa = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT; ++ pa += vm_start - vma->vm_start; + + /* IO region dirty page logging not allowed */ + if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) diff --git a/queue-4.1/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch b/queue-4.1/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch new file mode 100644 index 00000000000..b2de9fc27c4 --- /dev/null +++ b/queue-4.1/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch @@ -0,0 +1,44 @@ +From 8453fecbecae26edb3f278627376caab05d9a88d Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:54 +0800 +Subject: kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd + +From: Jason Wang + +commit 8453fecbecae26edb3f278627376caab05d9a88d upstream. + +We only want zero length mmio eventfd to be registered on +KVM_FAST_MMIO_BUS. So check this explicitly when arg->len is zero to +make sure this. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -846,7 +846,7 @@ kvm_assign_ioeventfd(struct kvm *kvm, st + /* When length is ignored, MMIO is also put on a separate bus, for + * faster lookups. + */ +- if (!args->len && !(args->flags & KVM_IOEVENTFD_FLAG_PIO)) { ++ if (!args->len && bus_idx == KVM_MMIO_BUS) { + ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS, + p->addr, 0, &p->dev); + if (ret < 0) +@@ -901,7 +901,7 @@ kvm_deassign_ioeventfd(struct kvm *kvm, + continue; + + kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); +- if (!p->length) { ++ if (!p->length && p->bus_idx == KVM_MMIO_BUS) { + kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS, + &p->dev); + } diff --git a/queue-4.1/kvm-factor-out-core-eventfd-assign-deassign-logic.patch b/queue-4.1/kvm-factor-out-core-eventfd-assign-deassign-logic.patch new file mode 100644 index 00000000000..854a613096e --- /dev/null +++ b/queue-4.1/kvm-factor-out-core-eventfd-assign-deassign-logic.patch @@ -0,0 +1,138 @@ +From 85da11ca587c8eb73993a1b503052391a73586f9 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:55 +0800 +Subject: kvm: factor out core eventfd assign/deassign logic + +From: Jason Wang + +commit 85da11ca587c8eb73993a1b503052391a73586f9 upstream. + +This patch factors out core eventfd assign/deassign logic and leaves +the argument checking and bus index selection to callers. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 85 +++++++++++++++++++++++++++++++---------------------- + 1 file changed, 50 insertions(+), 35 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -771,40 +771,14 @@ static enum kvm_bus ioeventfd_bus_from_f + return KVM_MMIO_BUS; + } + +-static int +-kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++static int kvm_assign_ioeventfd_idx(struct kvm *kvm, ++ enum kvm_bus bus_idx, ++ struct kvm_ioeventfd *args) + { +- enum kvm_bus bus_idx; +- struct _ioeventfd *p; +- struct eventfd_ctx *eventfd; +- int ret; + +- bus_idx = ioeventfd_bus_from_flags(args->flags); +- /* must be natural-word sized, or 0 to ignore length */ +- switch (args->len) { +- case 0: +- case 1: +- case 2: +- case 4: +- case 8: +- break; +- default: +- return -EINVAL; +- } +- +- /* check for range overflow */ +- if (args->addr + args->len < args->addr) +- return -EINVAL; +- +- /* check for extra flags that we don't understand */ +- if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK) +- return -EINVAL; +- +- /* ioeventfd with no length can't be combined with DATAMATCH */ +- if (!args->len && +- args->flags & (KVM_IOEVENTFD_FLAG_PIO | +- KVM_IOEVENTFD_FLAG_DATAMATCH)) +- return -EINVAL; ++ struct eventfd_ctx *eventfd; ++ struct _ioeventfd *p; ++ int ret; + + eventfd = eventfd_ctx_fdget(args->fd); + if (IS_ERR(eventfd)) +@@ -873,14 +847,13 @@ fail: + } + + static int +-kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, ++ struct kvm_ioeventfd *args) + { +- enum kvm_bus bus_idx; + struct _ioeventfd *p, *tmp; + struct eventfd_ctx *eventfd; + int ret = -ENOENT; + +- bus_idx = ioeventfd_bus_from_flags(args->flags); + eventfd = eventfd_ctx_fdget(args->fd); + if (IS_ERR(eventfd)) + return PTR_ERR(eventfd); +@@ -918,6 +891,48 @@ kvm_deassign_ioeventfd(struct kvm *kvm, + return ret; + } + ++static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++{ ++ enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags); ++ ++ return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++} ++ ++static int ++kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++{ ++ enum kvm_bus bus_idx; ++ ++ bus_idx = ioeventfd_bus_from_flags(args->flags); ++ /* must be natural-word sized, or 0 to ignore length */ ++ switch (args->len) { ++ case 0: ++ case 1: ++ case 2: ++ case 4: ++ case 8: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ /* check for range overflow */ ++ if (args->addr + args->len < args->addr) ++ return -EINVAL; ++ ++ /* check for extra flags that we don't understand */ ++ if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK) ++ return -EINVAL; ++ ++ /* ioeventfd with no length can't be combined with DATAMATCH */ ++ if (!args->len && ++ args->flags & (KVM_IOEVENTFD_FLAG_PIO | ++ KVM_IOEVENTFD_FLAG_DATAMATCH)) ++ return -EINVAL; ++ ++ return kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++} ++ + int + kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { diff --git a/queue-4.1/kvm-fix-double-free-for-fast-mmio-eventfd.patch b/queue-4.1/kvm-fix-double-free-for-fast-mmio-eventfd.patch new file mode 100644 index 00000000000..cfe65d7af8e --- /dev/null +++ b/queue-4.1/kvm-fix-double-free-for-fast-mmio-eventfd.patch @@ -0,0 +1,153 @@ +From eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:56 +0800 +Subject: kvm: fix double free for fast mmio eventfd + +From: Jason Wang + +commit eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 upstream. + +We register wildcard mmio eventfd on two buses, once for KVM_MMIO_BUS +and once on KVM_FAST_MMIO_BUS but with a single iodev +instance. This will lead to an issue: kvm_io_bus_destroy() knows +nothing about the devices on two buses pointing to a single dev. Which +will lead to double free[1] during exit. Fix this by allocating two +instances of iodevs then registering one on KVM_MMIO_BUS and another +on KVM_FAST_MMIO_BUS. + +CPU: 1 PID: 2894 Comm: qemu-system-x86 Not tainted 3.19.0-26-generic #28-Ubuntu +Hardware name: LENOVO 2356BG6/2356BG6, BIOS G7ET96WW (2.56 ) 09/12/2013 +task: ffff88009ae0c4b0 ti: ffff88020e7f0000 task.ti: ffff88020e7f0000 +RIP: 0010:[] [] ioeventfd_release+0x28/0x60 [kvm] +RSP: 0018:ffff88020e7f3bc8 EFLAGS: 00010292 +RAX: dead000000200200 RBX: ffff8801ec19c900 RCX: 000000018200016d +RDX: ffff8801ec19cf80 RSI: ffffea0008bf1d40 RDI: ffff8801ec19c900 +RBP: ffff88020e7f3bd8 R08: 000000002fc75a01 R09: 000000018200016d +R10: ffffffffc07df6ae R11: ffff88022fc75a98 R12: ffff88021e7cc000 +R13: ffff88021e7cca48 R14: ffff88021e7cca50 R15: ffff8801ec19c880 +FS: 00007fc1ee3e6700(0000) GS:ffff88023e240000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8f389d8000 CR3: 000000023dc13000 CR4: 00000000001427e0 +Stack: +ffff88021e7cc000 0000000000000000 ffff88020e7f3be8 ffffffffc07e2622 +ffff88020e7f3c38 ffffffffc07df69a ffff880232524160 ffff88020e792d80 + 0000000000000000 ffff880219b78c00 0000000000000008 ffff8802321686a8 +Call Trace: +[] ioeventfd_destructor+0x12/0x20 [kvm] +[] kvm_put_kvm+0xca/0x210 [kvm] +[] kvm_vcpu_release+0x18/0x20 [kvm] +[] __fput+0xe7/0x250 +[] ____fput+0xe/0x10 +[] task_work_run+0xd4/0xf0 +[] do_exit+0x368/0xa50 +[] ? recalc_sigpending+0x1f/0x60 +[] do_group_exit+0x45/0xb0 +[] get_signal+0x291/0x750 +[] do_signal+0x28/0xab0 +[] ? do_futex+0xdb/0x5d0 +[] ? __wake_up_locked_key+0x18/0x20 +[] ? SyS_futex+0x76/0x170 +[] do_notify_resume+0x69/0xb0 +[] int_signal+0x12/0x17 +Code: 5d c3 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 83 ec 08 48 8b 7f 20 e8 06 d6 a5 c0 48 8b 43 08 48 8b 13 48 89 df 48 89 42 08 <48> 89 10 48 b8 00 01 10 00 00 + RIP [] ioeventfd_release+0x28/0x60 [kvm] + RSP + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 43 +++++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 18 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -817,16 +817,6 @@ static int kvm_assign_ioeventfd_idx(stru + if (ret < 0) + goto unlock_fail; + +- /* When length is ignored, MMIO is also put on a separate bus, for +- * faster lookups. +- */ +- if (!args->len && bus_idx == KVM_MMIO_BUS) { +- ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS, +- p->addr, 0, &p->dev); +- if (ret < 0) +- goto register_fail; +- } +- + kvm->buses[bus_idx]->ioeventfd_count++; + list_add_tail(&p->list, &kvm->ioeventfds); + +@@ -834,8 +824,6 @@ static int kvm_assign_ioeventfd_idx(stru + + return 0; + +-register_fail: +- kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); + unlock_fail: + mutex_unlock(&kvm->slots_lock); + +@@ -874,10 +862,6 @@ kvm_deassign_ioeventfd_idx(struct kvm *k + continue; + + kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); +- if (!p->length && p->bus_idx == KVM_MMIO_BUS) { +- kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS, +- &p->dev); +- } + kvm->buses[bus_idx]->ioeventfd_count--; + ioeventfd_release(p); + ret = 0; +@@ -894,14 +878,19 @@ kvm_deassign_ioeventfd_idx(struct kvm *k + static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { + enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags); ++ int ret = kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++ ++ if (!args->len && bus_idx == KVM_MMIO_BUS) ++ kvm_deassign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args); + +- return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++ return ret; + } + + static int + kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { + enum kvm_bus bus_idx; ++ int ret; + + bus_idx = ioeventfd_bus_from_flags(args->flags); + /* must be natural-word sized, or 0 to ignore length */ +@@ -930,7 +919,25 @@ kvm_assign_ioeventfd(struct kvm *kvm, st + KVM_IOEVENTFD_FLAG_DATAMATCH)) + return -EINVAL; + +- return kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++ ret = kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++ if (ret) ++ goto fail; ++ ++ /* When length is ignored, MMIO is also put on a separate bus, for ++ * faster lookups. ++ */ ++ if (!args->len && bus_idx == KVM_MMIO_BUS) { ++ ret = kvm_assign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args); ++ if (ret < 0) ++ goto fast_fail; ++ } ++ ++ return 0; ++ ++fast_fail: ++ kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++fail: ++ return ret; + } + + int diff --git a/queue-4.1/kvm-fix-zero-length-mmio-searching.patch b/queue-4.1/kvm-fix-zero-length-mmio-searching.patch new file mode 100644 index 00000000000..84fc8d55c7d --- /dev/null +++ b/queue-4.1/kvm-fix-zero-length-mmio-searching.patch @@ -0,0 +1,57 @@ +From 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:57 +0800 +Subject: kvm: fix zero length mmio searching + +From: Jason Wang + +commit 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e upstream. + +Currently, if we had a zero length mmio eventfd assigned on +KVM_MMIO_BUS. It will never be found by kvm_io_bus_cmp() since it +always compares the kvm_io_range() with the length that guest +wrote. This will cause e.g for vhost, kick will be trapped by qemu +userspace instead of vhost. Fixing this by using zero length if an +iodevice is zero length. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2935,10 +2935,25 @@ static void kvm_io_bus_destroy(struct kv + static inline int kvm_io_bus_cmp(const struct kvm_io_range *r1, + const struct kvm_io_range *r2) + { +- if (r1->addr < r2->addr) ++ gpa_t addr1 = r1->addr; ++ gpa_t addr2 = r2->addr; ++ ++ if (addr1 < addr2) + return -1; +- if (r1->addr + r1->len > r2->addr + r2->len) ++ ++ /* If r2->len == 0, match the exact address. If r2->len != 0, ++ * accept any overlapping write. Any order is acceptable for ++ * overlapping ranges, because kvm_io_bus_get_first_dev ensures ++ * we process all of them. ++ */ ++ if (r2->len) { ++ addr1 += r1->len; ++ addr2 += r2->len; ++ } ++ ++ if (addr1 > addr2) + return 1; ++ + return 0; + } + diff --git a/queue-4.1/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch b/queue-4.1/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch new file mode 100644 index 00000000000..8633b9f7fca --- /dev/null +++ b/queue-4.1/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch @@ -0,0 +1,36 @@ +From 7e022e717f54897e396504306d0c9b61452adf4e Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Thu, 21 May 2015 13:57:04 +0530 +Subject: KVM: PPC: Book3S HV: Pass the correct trap argument to kvmhv_commence_exit + +From: "Gautham R. Shenoy" + +commit 7e022e717f54897e396504306d0c9b61452adf4e upstream. + +In guest_exit_cont we call kvmhv_commence_exit which expects the trap +number as the argument. However r3 doesn't contain the trap number at +this point and as a result we would be calling the function with a +spurious trap number. + +Fix this by copying r12 into r3 before calling kvmhv_commence_exit as +r12 contains the trap number. + +Fixes: eddb60fb1443 +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1171,6 +1171,7 @@ mc_cont: + bl kvmhv_accumulate_time + #endif + ++ mr r3, r12 + /* Increment exit count, poke other threads to exit */ + bl kvmhv_commence_exit + nop diff --git a/queue-4.1/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch b/queue-4.1/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch new file mode 100644 index 00000000000..94ddbbe4675 --- /dev/null +++ b/queue-4.1/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch @@ -0,0 +1,61 @@ +From 3eb4ee68254235e4f47bc0410538fcdaede39589 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Fri, 18 Sep 2015 08:57:28 +0200 +Subject: KVM: PPC: Book3S: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store() + +From: Thomas Huth + +commit 3eb4ee68254235e4f47bc0410538fcdaede39589 upstream. + +Access to the kvm->buses (like with the kvm_io_bus_read() and -write() +functions) has to be protected via the kvm->srcu lock. +The kvmppc_h_logical_ci_load() and -store() functions are missing +this lock so far, so let's add it there, too. +This fixes the problem that the kernel reports "suspicious RCU usage" +when lock debugging is enabled. + +Fixes: 99342cf8044420eebdf9297ca03a14cb6a7085a1 +Signed-off-by: Thomas Huth +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/powerpc/kvm/book3s.c ++++ b/arch/powerpc/kvm/book3s.c +@@ -826,12 +826,15 @@ int kvmppc_h_logical_ci_load(struct kvm_ + unsigned long size = kvmppc_get_gpr(vcpu, 4); + unsigned long addr = kvmppc_get_gpr(vcpu, 5); + u64 buf; ++ int srcu_idx; + int ret; + + if (!is_power_of_2(size) || (size > sizeof(buf))) + return H_TOO_HARD; + ++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); + ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, size, &buf); ++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx); + if (ret != 0) + return H_TOO_HARD; + +@@ -866,6 +869,7 @@ int kvmppc_h_logical_ci_store(struct kvm + unsigned long addr = kvmppc_get_gpr(vcpu, 5); + unsigned long val = kvmppc_get_gpr(vcpu, 6); + u64 buf; ++ int srcu_idx; + int ret; + + switch (size) { +@@ -889,7 +893,9 @@ int kvmppc_h_logical_ci_store(struct kvm + return H_TOO_HARD; + } + ++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); + ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, addr, size, &buf); ++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx); + if (ret != 0) + return H_TOO_HARD; + diff --git a/queue-4.1/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch b/queue-4.1/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch new file mode 100644 index 00000000000..903eee31bea --- /dev/null +++ b/queue-4.1/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch @@ -0,0 +1,50 @@ +From 04bb92e4b4cf06a66889d37b892b78f926faa9d4 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Wed, 16 Sep 2015 19:31:11 +0800 +Subject: KVM: vmx: fix VPID is 0000H in non-root operation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 04bb92e4b4cf06a66889d37b892b78f926faa9d4 upstream. + +Reference SDM 28.1: + +The current VPID is 0000H in the following situations: +- Outside VMX operation. (This includes operation in system-management + mode under the default treatment of SMIs and SMM with VMX operation; + see Section 34.14.) +- In VMX root operation. +- In VMX non-root operation when the “enable VPID” VM-execution control + is 0. + +The VPID should never be 0000H in non-root operation when "enable VPID" +VM-execution control is 1. However, commit 34a1cd60 ("kvm: x86: vmx: +move some vmx setting from vmx_init() to hardware_setup()") remove the +codes which reserve 0000H for VMX root operation. + +This patch fix it by again reserving 0000H for VMX root operation. + +Fixes: 34a1cd60d17f62c1f077c1478a6c2ca8c3d17af4 +Reported-by: Wincy Van +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6144,6 +6144,8 @@ static __init int hardware_setup(void) + memcpy(vmx_msr_bitmap_longmode_x2apic, + vmx_msr_bitmap_longmode, PAGE_SIZE); + ++ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ ++ + if (enable_apicv) { + for (msr = 0x800; msr <= 0x8ff; msr++) + vmx_disable_intercept_msr_read_x2apic(msr); diff --git a/queue-4.1/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch b/queue-4.1/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch new file mode 100644 index 00000000000..643ee66d1ed --- /dev/null +++ b/queue-4.1/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch @@ -0,0 +1,66 @@ +From 2619d7e9c92d524cb155ec89fd72875321512e5b Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Wed, 9 Sep 2015 16:07:30 -0700 +Subject: time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of abs64() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Stultz + +commit 2619d7e9c92d524cb155ec89fd72875321512e5b upstream. + +The internal clocksteering done for fine-grained error +correction uses a logarithmic approximation, so any time +adjtimex() adjusts the clock steering, timekeeping_freqadjust() +quickly approximates the correct clock frequency over a series +of ticks. + +Unfortunately, the logic in timekeeping_freqadjust(), introduced +in commit: + + dc491596f639 ("timekeeping: Rework frequency adjustments to work better w/ nohz") + +used the abs() function with a s64 error value to calculate the +size of the approximated adjustment to be made. + +Per include/linux/kernel.h: + + "abs() should not be used for 64-bit types (s64, u64, long long) - use abs64()". + +Thus on 32-bit platforms, this resulted in the clocksteering to +take a quite dampended random walk trying to converge on the +proper frequency, which caused the adjustments to be made much +slower then intended (most easily observed when large +adjustments are made). + +This patch fixes the issue by using abs64() instead. + +Reported-by: Nuno Gonçalves +Tested-by: Nuno Goncalves +Signed-off-by: John Stultz +Cc: Linus Torvalds +Cc: Miroslav Lichvar +Cc: Peter Zijlstra +Cc: Prarit Bhargava +Cc: Richard Cochran +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1441840051-20244-1-git-send-email-john.stultz@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timekeeping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1615,7 +1615,7 @@ static __always_inline void timekeeping_ + negative = (tick_error < 0); + + /* Sort out the magnitude of the correction */ +- tick_error = abs(tick_error); ++ tick_error = abs64(tick_error); + for (adj = 0; tick_error > interval; adj++) + tick_error >>= 1; +