From b4963b045bdc55d863a2c69c84a3b889818bc4e7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 30 Mar 2017 11:27:41 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
 kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
---
 ...vmx-fix-nested-vpid-vmx-exec-control.patch | 66 -------------
 ...m-nvmx-invvpid-handling-improvements.patch | 98 -------------------
 ...anup-the-page-tracking-srcu-instance.patch | 62 ++++++++++++
 queue-4.9/series | 3 +-
 4 files changed, 63 insertions(+), 166 deletions(-)
 delete mode 100644 queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
 delete mode 100644 queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch
 create mode 100644 queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch

diff --git a/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch b/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
deleted file mode 100644
index 36551d194e3..00000000000
--- a/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 63cb6d5f004ca44f9b8e562b6dd191f717a4960e Mon Sep 17 00:00:00 2001 -From: Wanpeng Li -Date: Mon, 20 Mar 2017 21:18:53 -0700 -Subject: KVM: nVMX: Fix nested VPID vmx exec control -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Wanpeng Li - -commit 63cb6d5f004ca44f9b8e562b6dd191f717a4960e upstream. - -This can be reproduced by running kvm-unit-tests/vmx.flat on L0 w/ vpid disabled. - -Test suite: VPID -Unhandled exception 6 #UD at ip 00000000004051a6 -error_code=0000 rflags=00010047 cs=00000008 -rax=0000000000000000 rcx=0000000000000001 rdx=0000000000000047 rbx=0000000000402f79 -rbp=0000000000456240 rsi=0000000000000001 rdi=0000000000000000 -r8=000000000000000a r9=00000000000003f8 r10=0000000080010011 r11=0000000000000000 -r12=0000000000000003 r13=0000000000000708 r14=0000000000000000 r15=0000000000000000 -cr0=0000000080010031 cr2=0000000000000000 cr3=0000000007fff000 cr4=0000000000002020 -cr8=0000000000000000 -STACK: @4051a6 40523e 400f7f 402059 40028f - -We should hide and forbid VPID in L1 if it is disabled on L0. However, nested VPID -enable bit is set unconditionally during setup nested vmx exec controls though VPID -is not exposed through nested VMX capablity. This patch fixes it by don't set nested -VPID enable bit if it is disabled on L0. 
- -Cc: Paolo Bonzini -Cc: Radim Krčmář -Fixes: 5c614b3583e (KVM: nVMX: nested VPID emulation) -Signed-off-by: Wanpeng Li -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kvm/vmx.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -2787,7 +2787,6 @@ static void nested_vmx_setup_ctls_msrs(s - SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES | - SECONDARY_EXEC_RDTSCP | - SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE | -- SECONDARY_EXEC_ENABLE_VPID | - SECONDARY_EXEC_APIC_REGISTER_VIRT | - SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY | - SECONDARY_EXEC_WBINVD_EXITING | -@@ -2815,10 +2814,12 @@ static void nested_vmx_setup_ctls_msrs(s - * though it is treated as global context. The alternative is - * not failing the single-context invvpid, and it is worse. - */ -- if (enable_vpid) -+ if (enable_vpid) { -+ vmx->nested.nested_vmx_secondary_ctls_high |= -+ SECONDARY_EXEC_ENABLE_VPID; - vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT | - VMX_VPID_EXTENT_SUPPORTED_MASK; -- else -+ } else - vmx->nested.nested_vmx_vpid_caps = 0; - - if (enable_unrestricted_guest) diff --git a/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch b/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch deleted file mode 100644 index 2b324902012..00000000000 --- a/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e Mon Sep 17 00:00:00 2001 -From: Jan Dakinevich -Date: Fri, 28 Oct 2016 07:00:30 +0300 -Subject: KVM: nVMX: invvpid handling improvements -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jan Dakinevich - -commit bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e upstream. - - - Expose all invalidation types to the L1 - - - Reject invvpid instruction, if L1 passed zero vpid value to single - context invalidations - -Signed-off-by: Jan Dakinevich -Tested-by: Ladi Prosek -Signed-off-by: Radim Krčmář -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kvm/vmx.c | 36 ++++++++++++++++++++++++------------ - 1 file changed, 24 insertions(+), 12 deletions(-) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -132,6 +132,12 @@ module_param_named(preemption_timer, ena - - #define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5 - -+#define VMX_VPID_EXTENT_SUPPORTED_MASK \ -+ (VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT | \ -+ VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | \ -+ VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT | \ -+ VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT) -+ - /* - * These 2 parameters are used to config the controls for Pause-Loop Exiting: - * ple_gap: upper bound on the amount of time between two successive -@@ -2811,8 +2817,7 @@ static void nested_vmx_setup_ctls_msrs(s - */ - if (enable_vpid) - vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT | -- VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | -- VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT; -+ VMX_VPID_EXTENT_SUPPORTED_MASK; - else - vmx->nested.nested_vmx_vpid_caps = 0; - -@@ -7698,7 +7703,8 @@ static int handle_invvpid(struct kvm_vcp - vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); - type = kvm_register_readl(vcpu, (vmx_instruction_info >> 28) & 0xf); - -- types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7; -+ types = (vmx->nested.nested_vmx_vpid_caps & -+ VMX_VPID_EXTENT_SUPPORTED_MASK) >> 8; - - if (type >= 32 || !(types & (1 << 
type))) { - nested_vmx_failValid(vcpu, -@@ -7720,21 +7726,27 @@ static int handle_invvpid(struct kvm_vcp - } - - switch (type) { -+ case VMX_VPID_EXTENT_INDIVIDUAL_ADDR: - case VMX_VPID_EXTENT_SINGLE_CONTEXT: -- /* -- * Old versions of KVM use the single-context version so we -- * have to support it; just treat it the same as all-context. -- */ -+ case VMX_VPID_EXTENT_SINGLE_NON_GLOBAL: -+ if (!vpid) { -+ nested_vmx_failValid(vcpu, -+ VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID); -+ skip_emulated_instruction(vcpu); -+ return 1; -+ } -+ break; - case VMX_VPID_EXTENT_ALL_CONTEXT: -- __vmx_flush_tlb(vcpu, to_vmx(vcpu)->nested.vpid02); -- nested_vmx_succeed(vcpu); - break; - default: -- /* Trap individual address invalidation invvpid calls */ -- BUG_ON(1); -- break; -+ WARN_ON_ONCE(1); -+ skip_emulated_instruction(vcpu); -+ return 1; - } - -+ __vmx_flush_tlb(vcpu, vmx->nested.vpid02); -+ nested_vmx_succeed(vcpu); -+ - skip_emulated_instruction(vcpu); - return 1; - } diff --git a/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch b/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch new file mode 100644 index 00000000000..eb506ffcf17 --- /dev/null +++ b/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch 
@@ -0,0 +1,62 @@
+From 2beb6dad2e8f95d710159d5befb390e4f62ab5cf Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 27 Mar 2017 17:53:50 +0200
+Subject: KVM: x86: cleanup the page tracking SRCU instance
+
+From: Paolo Bonzini
+
+commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream.
+
+SRCU uses a delayed work item. Skip cleaning it up, and
+the result is use-after-free in the work item callbacks.
+
+Reported-by: Dmitry Vyukov
+Suggested-by: Dmitry Vyukov
+Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
+Reviewed-by: Xiao Guangrong
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/kvm_page_track.h | 1 +
+ arch/x86/kvm/page_track.c | 8 ++++++++
+ arch/x86/kvm/x86.c | 1 +
+ 3 files changed, 10 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_page_track.h
++++ b/arch/x86/include/asm/kvm_page_track.h
+@@ -35,6 +35,7 @@ struct kvm_page_track_notifier_node {
+ };
+
+ void kvm_page_track_init(struct kvm *kvm);
++void kvm_page_track_cleanup(struct kvm *kvm);
+
+ void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
+ struct kvm_memory_slot *dont);
+--- a/arch/x86/kvm/page_track.c
++++ b/arch/x86/kvm/page_track.c
+@@ -156,6 +156,14 @@ bool kvm_page_track_is_active(struct kvm
+ return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]);
+ }
+
++void kvm_page_track_cleanup(struct kvm *kvm)
++{
++ struct kvm_page_track_notifier_head *head;
++
++ head = &kvm->arch.track_notifier_head;
++ cleanup_srcu_struct(&head->track_srcu);
++}
++
+ void kvm_page_track_init(struct kvm *kvm)
+ {
+ struct kvm_page_track_notifier_head *head;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7976,6 +7976,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+ kvm_free_vcpus(kvm);
+ kvfree(rcu_dereference_check(kvm->arch.apic_map, 1));
+ kvm_mmu_uninit_vm(kvm);
++ kvm_page_track_cleanup(kvm);
+ }
+
+ void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
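Review bot: `kvm_page_track_cleanup()` carries no comment on its ordering constraint, although that constraint is the substance of the fix: `cleanup_srcu_struct()` is only safe once no SRCU reader of `track_srcu` remains and every queued `call_srcu()` callback has run, i.e. after all page-track notifiers have been unregistered. Its call in `kvm_arch_destroy_vm` is placed after `kvm_mmu_uninit_vm(kvm)`, which presumably is where the MMU's notifier is removed (that function is outside the hunk), so the order looks right but is easy to break by a later reordering. I would add above the new function `/* Must run after every notifier has been unregistered: cleanup_srcu_struct() requires no readers and no pending callbacks. */`. It is also worth confirming that no VM-setup failure path runs after `kvm_page_track_init()` without reaching `kvm_arch_destroy_vm`, since such a path would keep the leak described in the commit message.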
diff --git a/queue-4.9/series b/queue-4.9/series
index c62286021f4..1a9217325fb 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,8 +1,7 @@
 xfrm-policy-init-locks-early.patch
 xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-kvm-nvmx-invvpid-handling-improvements.patch
-kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
+kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
 virtio_balloon-init-1st-buffer-in-stats-vq.patch
 pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
 c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
-- 
2.47.3