From eb7e0e32ead58cc1af7983f0a0c85aef4074d73a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 13 Oct 2015 11:21:24 -0700 Subject: [PATCH] 4.2-stable patches added patches: arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch arm-kvm-fix-incorrect-device-to-ipa-mapping.patch kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch kvm-factor-out-core-eventfd-assign-deassign-logic.patch kvm-fix-double-free-for-fast-mmio-eventfd.patch kvm-fix-zero-length-mmio-searching.patch kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch kvm-svm-reset-mmu-on-vcpu-reset.patch kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch kvm-x86-trap-amd-msrs-for-the-tseg-base-and-mask.patch revert-kvm-svm-sync-g_pat-with-guest-written-pat-value.patch revert-kvm-svm-use-npt-page-attributes.patch revert-kvm-x86-apply-guest-mtrr-virtualization-on-host-reserved-pages.patch time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch --- ...er-even-if-the-guest-is-not-using-it.patch | 46 +++++ ...-fix-incorrect-device-to-ipa-mapping.patch | 47 +++++ ...m_fast_mmio_bus-for-non-mmio-eventfd.patch | 44 +++++ ...t-core-eventfd-assign-deassign-logic.patch | 138 +++++++++++++++ ...ix-double-free-for-fast-mmio-eventfd.patch | 153 +++++++++++++++++ .../kvm-fix-zero-length-mmio-searching.patch | 57 +++++++ ...trap-argument-to-kvmhv_commence_exit.patch | 36 ++++ ...ck-in-kvmppc_h_logical_ci_load-store.patch | 61 +++++++ .../kvm-svm-reset-mmu-on-vcpu-reset.patch | 87 ++++++++++ ...-vpid-is-0000h-in-non-root-operation.patch | 50 ++++++ ...-amd-msrs-for-the-tseg-base-and-mask.patch | 46 +++++ ...c-g_pat-with-guest-written-pat-value.patch | 38 +++++ ...vert-kvm-svm-use-npt-page-attributes.patch | 161 ++++++++++++++++++ ...irtualization-on-host-reserved-pages.patch | 68 ++++++++ ...ncorrect-use-of-abs-instead-of-abs64.patch | 66 +++++++ 15 files changed, 1098 insertions(+) create mode 100644 queue-4.2/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch create mode 100644 queue-4.2/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch create mode 100644 queue-4.2/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch create mode 100644 queue-4.2/kvm-factor-out-core-eventfd-assign-deassign-logic.patch create mode 100644 queue-4.2/kvm-fix-double-free-for-fast-mmio-eventfd.patch create mode 100644 queue-4.2/kvm-fix-zero-length-mmio-searching.patch create mode 100644 queue-4.2/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch create mode 100644 queue-4.2/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch create mode 100644 queue-4.2/kvm-svm-reset-mmu-on-vcpu-reset.patch create mode 100644 queue-4.2/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch create mode 100644 queue-4.2/kvm-x86-trap-amd-msrs-for-the-tseg-base-and-mask.patch create mode 100644 queue-4.2/revert-kvm-svm-sync-g_pat-with-guest-written-pat-value.patch create mode 100644 queue-4.2/revert-kvm-svm-use-npt-page-attributes.patch create mode 100644 queue-4.2/revert-kvm-x86-apply-guest-mtrr-virtualization-on-host-reserved-pages.patch create mode 100644 queue-4.2/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch diff --git a/queue-4.2/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch b/queue-4.2/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch new file mode 100644 index 00000000000..1350e3ad028 --- /dev/null +++ b/queue-4.2/arm-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch @@ -0,0 +1,46 @@ +From 688bc577ac42ae3d07c889a1f0a72f0b23763d58 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 16 Sep 2015 16:18:59 +0100 +Subject: arm: KVM: Disable virtual timer even if the guest is not using it + +From: Marc Zyngier + +commit 688bc577ac42ae3d07c889a1f0a72f0b23763d58 upstream. + +When running a guest with the architected timer disabled (with QEMU and +the kernel_irqchip=off option, for example), it is important to make +sure the timer gets turned off. Otherwise, the guest may try to +enable it anyway, leading to a screaming HW interrupt. + +The fix is to unconditionally turn off the virtual timer on guest +exit. + +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/interrupts_head.S | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -515,8 +515,7 @@ ARM_BE8(rev r6, r6 ) + + mrc p15, 0, r2, c14, c3, 1 @ CNTV_CTL + str r2, [vcpu, #VCPU_TIMER_CNTV_CTL] +- bic r2, #1 @ Clear ENABLE +- mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL ++ + isb + + mrrc p15, 3, rr_lo_hi(r2, r3), c14 @ CNTV_CVAL +@@ -529,6 +528,9 @@ ARM_BE8(rev r6, r6 ) + mcrr p15, 4, r2, r2, c14 @ CNTVOFF + + 1: ++ mov r2, #0 @ Clear ENABLE ++ mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL ++ + @ Allow physical timer/counter access for the host + mrc p15, 4, r2, c14, c1, 0 @ CNTHCTL + orr r2, r2, #(CNTHCTL_PL1PCEN | CNTHCTL_PL1PCTEN) diff --git a/queue-4.2/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch b/queue-4.2/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch new file mode 100644 index 00000000000..4267ebd01a0 --- /dev/null +++ b/queue-4.2/arm-kvm-fix-incorrect-device-to-ipa-mapping.patch @@ -0,0 +1,47 @@ +From ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd Mon Sep 17 00:00:00 2001 +From: Marek Majtyka +Date: Wed, 16 Sep 2015 12:04:55 +0200 +Subject: arm: KVM: Fix incorrect device to IPA mapping + +From: Marek Majtyka + +commit ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd upstream. + +A critical bug has been found in device memory stage1 translation for +VMs with more then 4GB of address space. Once vm_pgoff size is smaller +then pa (which is true for LPAE case, u32 and u64 respectively) some +more significant bits of pa may be lost as a shift operation is performed +on u32 and later cast onto u64. + +Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12 + expected pa(u64): 0x0000002010030000 + produced pa(u64): 0x0000000010030000 + +The fix is to change the order of operations (casting first onto phys_addr_t +and then shifting). + +Reviewed-by: Marc Zyngier +[maz: fixed changelog and patch formatting] +Signed-off-by: Marek Majtyka +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/mmu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -1792,8 +1792,10 @@ int kvm_arch_prepare_memory_region(struc + if (vma->vm_flags & VM_PFNMAP) { + gpa_t gpa = mem->guest_phys_addr + + (vm_start - mem->userspace_addr); +- phys_addr_t pa = (vma->vm_pgoff << PAGE_SHIFT) + +- vm_start - vma->vm_start; ++ phys_addr_t pa; ++ ++ pa = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT; ++ pa += vm_start - vma->vm_start; + + /* IO region dirty page logging not allowed */ + if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) diff --git a/queue-4.2/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch b/queue-4.2/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch new file mode 100644 index 00000000000..b2de9fc27c4 --- /dev/null +++ b/queue-4.2/kvm-don-t-try-to-register-to-kvm_fast_mmio_bus-for-non-mmio-eventfd.patch @@ -0,0 +1,44 @@ +From 8453fecbecae26edb3f278627376caab05d9a88d Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:54 +0800 +Subject: kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd + +From: Jason Wang + +commit 8453fecbecae26edb3f278627376caab05d9a88d upstream. + +We only want zero length mmio eventfd to be registered on +KVM_FAST_MMIO_BUS. So check this explicitly when arg->len is zero to +make sure this. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -846,7 +846,7 @@ kvm_assign_ioeventfd(struct kvm *kvm, st + /* When length is ignored, MMIO is also put on a separate bus, for + * faster lookups. + */ +- if (!args->len && !(args->flags & KVM_IOEVENTFD_FLAG_PIO)) { ++ if (!args->len && bus_idx == KVM_MMIO_BUS) { + ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS, + p->addr, 0, &p->dev); + if (ret < 0) +@@ -901,7 +901,7 @@ kvm_deassign_ioeventfd(struct kvm *kvm, + continue; + + kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); +- if (!p->length) { ++ if (!p->length && p->bus_idx == KVM_MMIO_BUS) { + kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS, + &p->dev); + } diff --git a/queue-4.2/kvm-factor-out-core-eventfd-assign-deassign-logic.patch b/queue-4.2/kvm-factor-out-core-eventfd-assign-deassign-logic.patch new file mode 100644 index 00000000000..854a613096e --- /dev/null +++ b/queue-4.2/kvm-factor-out-core-eventfd-assign-deassign-logic.patch @@ -0,0 +1,138 @@ +From 85da11ca587c8eb73993a1b503052391a73586f9 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:55 +0800 +Subject: kvm: factor out core eventfd assign/deassign logic + +From: Jason Wang + +commit 85da11ca587c8eb73993a1b503052391a73586f9 upstream. + +This patch factors out core eventfd assign/deassign logic and leaves +the argument checking and bus index selection to callers. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 85 +++++++++++++++++++++++++++++++---------------------- + 1 file changed, 50 insertions(+), 35 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -771,40 +771,14 @@ static enum kvm_bus ioeventfd_bus_from_f + return KVM_MMIO_BUS; + } + +-static int +-kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++static int kvm_assign_ioeventfd_idx(struct kvm *kvm, ++ enum kvm_bus bus_idx, ++ struct kvm_ioeventfd *args) + { +- enum kvm_bus bus_idx; +- struct _ioeventfd *p; +- struct eventfd_ctx *eventfd; +- int ret; + +- bus_idx = ioeventfd_bus_from_flags(args->flags); +- /* must be natural-word sized, or 0 to ignore length */ +- switch (args->len) { +- case 0: +- case 1: +- case 2: +- case 4: +- case 8: +- break; +- default: +- return -EINVAL; +- } +- +- /* check for range overflow */ +- if (args->addr + args->len < args->addr) +- return -EINVAL; +- +- /* check for extra flags that we don't understand */ +- if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK) +- return -EINVAL; +- +- /* ioeventfd with no length can't be combined with DATAMATCH */ +- if (!args->len && +- args->flags & (KVM_IOEVENTFD_FLAG_PIO | +- KVM_IOEVENTFD_FLAG_DATAMATCH)) +- return -EINVAL; ++ struct eventfd_ctx *eventfd; ++ struct _ioeventfd *p; ++ int ret; + + eventfd = eventfd_ctx_fdget(args->fd); + if (IS_ERR(eventfd)) +@@ -873,14 +847,13 @@ fail: + } + + static int +-kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, ++ struct kvm_ioeventfd *args) + { +- enum kvm_bus bus_idx; + struct _ioeventfd *p, *tmp; + struct eventfd_ctx *eventfd; + int ret = -ENOENT; + +- bus_idx = ioeventfd_bus_from_flags(args->flags); + eventfd = eventfd_ctx_fdget(args->fd); + if (IS_ERR(eventfd)) + return PTR_ERR(eventfd); +@@ -918,6 +891,48 @@ kvm_deassign_ioeventfd(struct kvm *kvm, + return ret; + } + ++static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++{ ++ enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags); ++ ++ return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++} ++ ++static int ++kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) ++{ ++ enum kvm_bus bus_idx; ++ ++ bus_idx = ioeventfd_bus_from_flags(args->flags); ++ /* must be natural-word sized, or 0 to ignore length */ ++ switch (args->len) { ++ case 0: ++ case 1: ++ case 2: ++ case 4: ++ case 8: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ /* check for range overflow */ ++ if (args->addr + args->len < args->addr) ++ return -EINVAL; ++ ++ /* check for extra flags that we don't understand */ ++ if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK) ++ return -EINVAL; ++ ++ /* ioeventfd with no length can't be combined with DATAMATCH */ ++ if (!args->len && ++ args->flags & (KVM_IOEVENTFD_FLAG_PIO | ++ KVM_IOEVENTFD_FLAG_DATAMATCH)) ++ return -EINVAL; ++ ++ return kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++} ++ + int + kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { diff --git a/queue-4.2/kvm-fix-double-free-for-fast-mmio-eventfd.patch b/queue-4.2/kvm-fix-double-free-for-fast-mmio-eventfd.patch new file mode 100644 index 00000000000..cfe65d7af8e --- /dev/null +++ b/queue-4.2/kvm-fix-double-free-for-fast-mmio-eventfd.patch @@ -0,0 +1,153 @@ +From eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:56 +0800 +Subject: kvm: fix double free for fast mmio eventfd + +From: Jason Wang + +commit eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 upstream. + +We register wildcard mmio eventfd on two buses, once for KVM_MMIO_BUS +and once on KVM_FAST_MMIO_BUS but with a single iodev +instance. This will lead to an issue: kvm_io_bus_destroy() knows +nothing about the devices on two buses pointing to a single dev. Which +will lead to double free[1] during exit. Fix this by allocating two +instances of iodevs then registering one on KVM_MMIO_BUS and another +on KVM_FAST_MMIO_BUS. + +CPU: 1 PID: 2894 Comm: qemu-system-x86 Not tainted 3.19.0-26-generic #28-Ubuntu +Hardware name: LENOVO 2356BG6/2356BG6, BIOS G7ET96WW (2.56 ) 09/12/2013 +task: ffff88009ae0c4b0 ti: ffff88020e7f0000 task.ti: ffff88020e7f0000 +RIP: 0010:[] [] ioeventfd_release+0x28/0x60 [kvm] +RSP: 0018:ffff88020e7f3bc8 EFLAGS: 00010292 +RAX: dead000000200200 RBX: ffff8801ec19c900 RCX: 000000018200016d +RDX: ffff8801ec19cf80 RSI: ffffea0008bf1d40 RDI: ffff8801ec19c900 +RBP: ffff88020e7f3bd8 R08: 000000002fc75a01 R09: 000000018200016d +R10: ffffffffc07df6ae R11: ffff88022fc75a98 R12: ffff88021e7cc000 +R13: ffff88021e7cca48 R14: ffff88021e7cca50 R15: ffff8801ec19c880 +FS: 00007fc1ee3e6700(0000) GS:ffff88023e240000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8f389d8000 CR3: 000000023dc13000 CR4: 00000000001427e0 +Stack: +ffff88021e7cc000 0000000000000000 ffff88020e7f3be8 ffffffffc07e2622 +ffff88020e7f3c38 ffffffffc07df69a ffff880232524160 ffff88020e792d80 + 0000000000000000 ffff880219b78c00 0000000000000008 ffff8802321686a8 +Call Trace: +[] ioeventfd_destructor+0x12/0x20 [kvm] +[] kvm_put_kvm+0xca/0x210 [kvm] +[] kvm_vcpu_release+0x18/0x20 [kvm] +[] __fput+0xe7/0x250 +[] ____fput+0xe/0x10 +[] task_work_run+0xd4/0xf0 +[] do_exit+0x368/0xa50 +[] ? recalc_sigpending+0x1f/0x60 +[] do_group_exit+0x45/0xb0 +[] get_signal+0x291/0x750 +[] do_signal+0x28/0xab0 +[] ? do_futex+0xdb/0x5d0 +[] ? __wake_up_locked_key+0x18/0x20 +[] ? SyS_futex+0x76/0x170 +[] do_notify_resume+0x69/0xb0 +[] int_signal+0x12/0x17 +Code: 5d c3 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 83 ec 08 48 8b 7f 20 e8 06 d6 a5 c0 48 8b 43 08 48 8b 13 48 89 df 48 89 42 08 <48> 89 10 48 b8 00 01 10 00 00 + RIP [] ioeventfd_release+0x28/0x60 [kvm] + RSP + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 43 +++++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 18 deletions(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -817,16 +817,6 @@ static int kvm_assign_ioeventfd_idx(stru + if (ret < 0) + goto unlock_fail; + +- /* When length is ignored, MMIO is also put on a separate bus, for +- * faster lookups. +- */ +- if (!args->len && bus_idx == KVM_MMIO_BUS) { +- ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS, +- p->addr, 0, &p->dev); +- if (ret < 0) +- goto register_fail; +- } +- + kvm->buses[bus_idx]->ioeventfd_count++; + list_add_tail(&p->list, &kvm->ioeventfds); + +@@ -834,8 +824,6 @@ static int kvm_assign_ioeventfd_idx(stru + + return 0; + +-register_fail: +- kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); + unlock_fail: + mutex_unlock(&kvm->slots_lock); + +@@ -874,10 +862,6 @@ kvm_deassign_ioeventfd_idx(struct kvm *k + continue; + + kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); +- if (!p->length && p->bus_idx == KVM_MMIO_BUS) { +- kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS, +- &p->dev); +- } + kvm->buses[bus_idx]->ioeventfd_count--; + ioeventfd_release(p); + ret = 0; +@@ -894,14 +878,19 @@ kvm_deassign_ioeventfd_idx(struct kvm *k + static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { + enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags); ++ int ret = kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++ ++ if (!args->len && bus_idx == KVM_MMIO_BUS) ++ kvm_deassign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args); + +- return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++ return ret; + } + + static int + kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { + enum kvm_bus bus_idx; ++ int ret; + + bus_idx = ioeventfd_bus_from_flags(args->flags); + /* must be natural-word sized, or 0 to ignore length */ +@@ -930,7 +919,25 @@ kvm_assign_ioeventfd(struct kvm *kvm, st + KVM_IOEVENTFD_FLAG_DATAMATCH)) + return -EINVAL; + +- return kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++ ret = kvm_assign_ioeventfd_idx(kvm, bus_idx, args); ++ if (ret) ++ goto fail; ++ ++ /* When length is ignored, MMIO is also put on a separate bus, for ++ * faster lookups. ++ */ ++ if (!args->len && bus_idx == KVM_MMIO_BUS) { ++ ret = kvm_assign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args); ++ if (ret < 0) ++ goto fast_fail; ++ } ++ ++ return 0; ++ ++fast_fail: ++ kvm_deassign_ioeventfd_idx(kvm, bus_idx, args); ++fail: ++ return ret; + } + + int diff --git a/queue-4.2/kvm-fix-zero-length-mmio-searching.patch b/queue-4.2/kvm-fix-zero-length-mmio-searching.patch new file mode 100644 index 00000000000..715ca617335 --- /dev/null +++ b/queue-4.2/kvm-fix-zero-length-mmio-searching.patch @@ -0,0 +1,57 @@ +From 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Sep 2015 14:41:57 +0800 +Subject: kvm: fix zero length mmio searching + +From: Jason Wang + +commit 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e upstream. + +Currently, if we had a zero length mmio eventfd assigned on +KVM_MMIO_BUS. It will never be found by kvm_io_bus_cmp() since it +always compares the kvm_io_range() with the length that guest +wrote. This will cause e.g for vhost, kick will be trapped by qemu +userspace instead of vhost. Fixing this by using zero length if an +iodevice is zero length. + +Cc: Gleb Natapov +Cc: Paolo Bonzini +Signed-off-by: Jason Wang +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3080,10 +3080,25 @@ static void kvm_io_bus_destroy(struct kv + static inline int kvm_io_bus_cmp(const struct kvm_io_range *r1, + const struct kvm_io_range *r2) + { +- if (r1->addr < r2->addr) ++ gpa_t addr1 = r1->addr; ++ gpa_t addr2 = r2->addr; ++ ++ if (addr1 < addr2) + return -1; +- if (r1->addr + r1->len > r2->addr + r2->len) ++ ++ /* If r2->len == 0, match the exact address. If r2->len != 0, ++ * accept any overlapping write. Any order is acceptable for ++ * overlapping ranges, because kvm_io_bus_get_first_dev ensures ++ * we process all of them. ++ */ ++ if (r2->len) { ++ addr1 += r1->len; ++ addr2 += r2->len; ++ } ++ ++ if (addr1 > addr2) + return 1; ++ + return 0; + } + diff --git a/queue-4.2/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch b/queue-4.2/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch new file mode 100644 index 00000000000..8633b9f7fca --- /dev/null +++ b/queue-4.2/kvm-ppc-book3s-hv-pass-the-correct-trap-argument-to-kvmhv_commence_exit.patch @@ -0,0 +1,36 @@ +From 7e022e717f54897e396504306d0c9b61452adf4e Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Thu, 21 May 2015 13:57:04 +0530 +Subject: KVM: PPC: Book3S HV: Pass the correct trap argument to kvmhv_commence_exit + +From: "Gautham R. Shenoy" + +commit 7e022e717f54897e396504306d0c9b61452adf4e upstream. + +In guest_exit_cont we call kvmhv_commence_exit which expects the trap +number as the argument. However r3 doesn't contain the trap number at +this point and as a result we would be calling the function with a +spurious trap number. + +Fix this by copying r12 into r3 before calling kvmhv_commence_exit as +r12 contains the trap number. + +Fixes: eddb60fb1443 +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1171,6 +1171,7 @@ mc_cont: + bl kvmhv_accumulate_time + #endif + ++ mr r3, r12 + /* Increment exit count, poke other threads to exit */ + bl kvmhv_commence_exit + nop diff --git a/queue-4.2/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch b/queue-4.2/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch new file mode 100644 index 00000000000..9c2908ea005 --- /dev/null +++ b/queue-4.2/kvm-ppc-book3s-take-the-kvm-srcu-lock-in-kvmppc_h_logical_ci_load-store.patch @@ -0,0 +1,61 @@ +From 3eb4ee68254235e4f47bc0410538fcdaede39589 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Fri, 18 Sep 2015 08:57:28 +0200 +Subject: KVM: PPC: Book3S: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store() + +From: Thomas Huth + +commit 3eb4ee68254235e4f47bc0410538fcdaede39589 upstream. + +Access to the kvm->buses (like with the kvm_io_bus_read() and -write() +functions) has to be protected via the kvm->srcu lock. +The kvmppc_h_logical_ci_load() and -store() functions are missing +this lock so far, so let's add it there, too. +This fixes the problem that the kernel reports "suspicious RCU usage" +when lock debugging is enabled. + +Fixes: 99342cf8044420eebdf9297ca03a14cb6a7085a1 +Signed-off-by: Thomas Huth +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/powerpc/kvm/book3s.c ++++ b/arch/powerpc/kvm/book3s.c +@@ -827,12 +827,15 @@ int kvmppc_h_logical_ci_load(struct kvm_ + unsigned long size = kvmppc_get_gpr(vcpu, 4); + unsigned long addr = kvmppc_get_gpr(vcpu, 5); + u64 buf; ++ int srcu_idx; + int ret; + + if (!is_power_of_2(size) || (size > sizeof(buf))) + return H_TOO_HARD; + ++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); + ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, size, &buf); ++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx); + if (ret != 0) + return H_TOO_HARD; + +@@ -867,6 +870,7 @@ int kvmppc_h_logical_ci_store(struct kvm + unsigned long addr = kvmppc_get_gpr(vcpu, 5); + unsigned long val = kvmppc_get_gpr(vcpu, 6); + u64 buf; ++ int srcu_idx; + int ret; + + switch (size) { +@@ -890,7 +894,9 @@ int kvmppc_h_logical_ci_store(struct kvm + return H_TOO_HARD; + } + ++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); + ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, addr, size, &buf); ++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx); + if (ret != 0) + return H_TOO_HARD; + diff --git a/queue-4.2/kvm-svm-reset-mmu-on-vcpu-reset.patch b/queue-4.2/kvm-svm-reset-mmu-on-vcpu-reset.patch new file mode 100644 index 00000000000..9b66b6ee0e6 --- /dev/null +++ b/queue-4.2/kvm-svm-reset-mmu-on-vcpu-reset.patch @@ -0,0 +1,87 @@ +From ebae871a509d3c24b32ff67af2671dadffc58770 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Fri, 18 Sep 2015 15:39:05 +0200 +Subject: kvm: svm: reset mmu on VCPU reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Igor Mammedov + +commit ebae871a509d3c24b32ff67af2671dadffc58770 upstream. + +When INIT/SIPI sequence is sent to VCPU which before that +was in use by OS, VMRUN might fail with: + + KVM: entry failed, hardware error 0xffffffff + EAX=00000000 EBX=00000000 ECX=00000000 EDX=000006d3 + ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 + EIP=00000000 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 + ES =0000 00000000 0000ffff 00009300 + CS =9a00 0009a000 0000ffff 00009a00 + [...] + CR0=60000010 CR2=b6f3e000 CR3=01942000 CR4=000007e0 + [...] + EFER=0000000000000000 + +with corresponding SVM error: + KVM: FAILED VMRUN WITH VMCB: + [...] + cpl: 0 efer: 0000000000001000 + cr0: 0000000080010010 cr2: 00007fd7fe85bf90 + cr3: 0000000187d0c000 cr4: 0000000000000020 + [...] + +What happens is that VCPU state right after offlinig: +CR0: 0x80050033 EFER: 0xd01 CR4: 0x7e0 + -> long mode with CR3 pointing to longmode page tables + +and when VCPU gets INIT/SIPI following transition happens +CR0: 0 -> 0x60000010 EFER: 0x0 CR4: 0x7e0 + -> paging disabled with stale CR3 + +However SVM under the hood puts VCPU in Paged Real Mode* +which effectively translates CR0 0x60000010 -> 80010010 after + + svm_vcpu_reset() + -> init_vmcb() + -> kvm_set_cr0() + -> svm_set_cr0() + +but from kvm_set_cr0() perspective CR0: 0 -> 0x60000010 +only caching bits are changed and +commit d81135a57aa6 + ("KVM: x86: do not reset mmu if CR0.CD and CR0.NW are changed")' +regressed svm_vcpu_reset() which relied on MMU being reset. + +As result VMRUN after svm_vcpu_reset() tries to run +VCPU in Paged Real Mode with stale MMU context (longmode page tables), +which causes some AMD CPUs** to bail out with VMEXIT_INVALID. + +Fix issue by unconditionally resetting MMU context +at init_vmcb() time. + + * AMD64 Architecture Programmer’s Manual, + Volume 2: System Programming, rev: 3.25 + 15.19 Paged Real Mode + ** Opteron 1216 + +Signed-off-by: Igor Mammedov +Fixes: d81135a57aa6 +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1260,6 +1260,7 @@ static void init_vmcb(struct vcpu_svm *s + * It also updates the guest-visible cr0 value. + */ + (void)kvm_set_cr0(&svm->vcpu, X86_CR0_NW | X86_CR0_CD | X86_CR0_ET); ++ kvm_mmu_reset_context(&svm->vcpu); + + save->cr4 = X86_CR4_PAE; + /* rdx = ?? */ diff --git a/queue-4.2/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch b/queue-4.2/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch new file mode 100644 index 00000000000..5608db1a675 --- /dev/null +++ b/queue-4.2/kvm-vmx-fix-vpid-is-0000h-in-non-root-operation.patch @@ -0,0 +1,50 @@ +From 04bb92e4b4cf06a66889d37b892b78f926faa9d4 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Wed, 16 Sep 2015 19:31:11 +0800 +Subject: KVM: vmx: fix VPID is 0000H in non-root operation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 04bb92e4b4cf06a66889d37b892b78f926faa9d4 upstream. + +Reference SDM 28.1: + +The current VPID is 0000H in the following situations: +- Outside VMX operation. (This includes operation in system-management + mode under the default treatment of SMIs and SMM with VMX operation; + see Section 34.14.) +- In VMX root operation. +- In VMX non-root operation when the “enable VPID” VM-execution control + is 0. + +The VPID should never be 0000H in non-root operation when "enable VPID" +VM-execution control is 1. However, commit 34a1cd60 ("kvm: x86: vmx: +move some vmx setting from vmx_init() to hardware_setup()") remove the +codes which reserve 0000H for VMX root operation. + +This patch fix it by again reserving 0000H for VMX root operation. + +Fixes: 34a1cd60d17f62c1f077c1478a6c2ca8c3d17af4 +Reported-by: Wincy Van +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6134,6 +6134,8 @@ static __init int hardware_setup(void) + memcpy(vmx_msr_bitmap_longmode_x2apic, + vmx_msr_bitmap_longmode, PAGE_SIZE); + ++ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ ++ + if (enable_apicv) { + for (msr = 0x800; msr <= 0x8ff; msr++) + vmx_disable_intercept_msr_read_x2apic(msr); diff --git a/queue-4.2/kvm-x86-trap-amd-msrs-for-the-tseg-base-and-mask.patch b/queue-4.2/kvm-x86-trap-amd-msrs-for-the-tseg-base-and-mask.patch new file mode 100644 index 00000000000..4adbb08dab6 --- /dev/null +++ b/queue-4.2/kvm-x86-trap-amd-msrs-for-the-tseg-base-and-mask.patch @@ -0,0 +1,46 @@ +From 3afb1121800128aae9f5722e50097fcf1a9d4d88 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 18 Sep 2015 17:33:04 +0200 +Subject: KVM: x86: trap AMD MSRs for the TSeg base and mask + +From: Paolo Bonzini + +commit 3afb1121800128aae9f5722e50097fcf1a9d4d88 upstream. + +These have roughly the same purpose as the SMRR, which we do not need +to implement in KVM. However, Linux accesses MSR_K8_TSEG_ADDR at +boot, which causes problems when running a Xen dom0 under KVM. +Just return 0, meaning that processor protection of SMRAM is not +in effect. + +Reported-by: M A Young +Acked-by: Borislav Petkov +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kvm/x86.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -311,6 +311,7 @@ + /* C1E active bits in int pending message */ + #define K8_INTP_C1E_ACTIVE_MASK 0x18000000 + #define MSR_K8_TSEG_ADDR 0xc0010112 ++#define MSR_K8_TSEG_MASK 0xc0010113 + #define K8_MTRRFIXRANGE_DRAM_ENABLE 0x00040000 /* MtrrFixDramEn bit */ + #define K8_MTRRFIXRANGE_DRAM_MODIFY 0x00080000 /* MtrrFixDramModEn bit */ + #define K8_MTRR_RDMEM_WRMEM_MASK 0x18181818 /* Mask: RdMem|WrMem */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2388,6 +2388,8 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_IA32_LASTINTFROMIP: + case MSR_IA32_LASTINTTOIP: + case MSR_K8_SYSCFG: ++ case MSR_K8_TSEG_ADDR: ++ case MSR_K8_TSEG_MASK: + case MSR_K7_HWCR: + case MSR_VM_HSAVE_PA: + case MSR_K8_INT_PENDING_MSG: diff --git a/queue-4.2/revert-kvm-svm-sync-g_pat-with-guest-written-pat-value.patch b/queue-4.2/revert-kvm-svm-sync-g_pat-with-guest-written-pat-value.patch new file mode 100644 index 00000000000..c3ddf0e6181 --- /dev/null +++ b/queue-4.2/revert-kvm-svm-sync-g_pat-with-guest-written-pat-value.patch @@ -0,0 +1,38 @@ +From 625422f60c55bbc368b8568ff925770b36bfc189 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 1 Oct 2015 13:28:15 +0200 +Subject: Revert "KVM: SVM: Sync g_pat with guest-written PAT value" + +From: Paolo Bonzini + +commit 625422f60c55bbc368b8568ff925770b36bfc189 upstream. + +This reverts commit e098223b789b4a618dacd79e5e0dad4a9d5018d1, +which has a dependency on other commits being reverted. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3255,16 +3255,6 @@ static int svm_set_msr(struct kvm_vcpu * + case MSR_VM_IGNNE: + vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data 0x%llx\n", ecx, data); + break; +- case MSR_IA32_CR_PAT: +- if (npt_enabled) { +- if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) +- return 1; +- vcpu->arch.pat = data; +- svm_set_guest_pat(svm, &svm->vmcb->save.g_pat); +- mark_dirty(svm->vmcb, VMCB_NPT); +- break; +- } +- /* fall through */ + default: + return kvm_set_msr_common(vcpu, msr); + } diff --git a/queue-4.2/revert-kvm-svm-use-npt-page-attributes.patch b/queue-4.2/revert-kvm-svm-use-npt-page-attributes.patch new file mode 100644 index 00000000000..05eab5010c8 --- /dev/null +++ b/queue-4.2/revert-kvm-svm-use-npt-page-attributes.patch @@ -0,0 +1,161 @@ +From fc07e76ac7ffa3afd621a1c3858a503386a14281 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 1 Oct 2015 13:20:22 +0200 +Subject: Revert "KVM: SVM: use NPT page attributes" + +From: Paolo Bonzini + +commit fc07e76ac7ffa3afd621a1c3858a503386a14281 upstream. + +This reverts commit 3c2e7f7de3240216042b61073803b61b9b3cfb22. +Initializing the mapping from MTRR to PAT values was reported to +fail nondeterministically, and it also caused extremely slow boot +(due to caching getting disabled---bug 103321) with assigned devices. + +Reported-by: Markus Trippelsdorf +Reported-by: Sebastian Schuette +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 101 ++--------------------------------------------------- + 1 file changed, 5 insertions(+), 96 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -865,64 +865,6 @@ static void svm_disable_lbrv(struct vcpu + set_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 0, 0); + } + +-#define MTRR_TYPE_UC_MINUS 7 +-#define MTRR2PROTVAL_INVALID 0xff +- +-static u8 mtrr2protval[8]; +- +-static u8 fallback_mtrr_type(int mtrr) +-{ +- /* +- * WT and WP aren't always available in the host PAT. Treat +- * them as UC and UC- respectively. Everything else should be +- * there. +- */ +- switch (mtrr) +- { +- case MTRR_TYPE_WRTHROUGH: +- return MTRR_TYPE_UNCACHABLE; +- case MTRR_TYPE_WRPROT: +- return MTRR_TYPE_UC_MINUS; +- default: +- BUG(); +- } +-} +- +-static void build_mtrr2protval(void) +-{ +- int i; +- u64 pat; +- +- for (i = 0; i < 8; i++) +- mtrr2protval[i] = MTRR2PROTVAL_INVALID; +- +- /* Ignore the invalid MTRR types. */ +- mtrr2protval[2] = 0; +- mtrr2protval[3] = 0; +- +- /* +- * Use host PAT value to figure out the mapping from guest MTRR +- * values to nested page table PAT/PCD/PWT values. We do not +- * want to change the host PAT value every time we enter the +- * guest. +- */ +- rdmsrl(MSR_IA32_CR_PAT, pat); +- for (i = 0; i < 8; i++) { +- u8 mtrr = pat >> (8 * i); +- +- if (mtrr2protval[mtrr] == MTRR2PROTVAL_INVALID) +- mtrr2protval[mtrr] = __cm_idx2pte(i); +- } +- +- for (i = 0; i < 8; i++) { +- if (mtrr2protval[i] == MTRR2PROTVAL_INVALID) { +- u8 fallback = fallback_mtrr_type(i); +- mtrr2protval[i] = mtrr2protval[fallback]; +- BUG_ON(mtrr2protval[i] == MTRR2PROTVAL_INVALID); +- } +- } +-} +- + static __init int svm_hardware_setup(void) + { + int cpu; +@@ -989,7 +931,6 @@ static __init int svm_hardware_setup(voi + } else + kvm_disable_tdp(); + +- build_mtrr2protval(); + return 0; + + err: +@@ -1144,42 +1085,6 @@ static u64 svm_compute_tsc_offset(struct + return target_tsc - tsc; + } + +-static void svm_set_guest_pat(struct vcpu_svm *svm, u64 *g_pat) +-{ +- struct kvm_vcpu *vcpu = &svm->vcpu; +- +- /* Unlike Intel, AMD takes the guest's CR0.CD into account. +- * +- * AMD does not have IPAT. To emulate it for the case of guests +- * with no assigned devices, just set everything to WB. If guests +- * have assigned devices, however, we cannot force WB for RAM +- * pages only, so use the guest PAT directly. +- */ +- if (!kvm_arch_has_assigned_device(vcpu->kvm)) +- *g_pat = 0x0606060606060606; +- else +- *g_pat = vcpu->arch.pat; +-} +- +-static u64 svm_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio) +-{ +- u8 mtrr; +- +- /* +- * 1. MMIO: always map as UC +- * 2. No passthrough: always map as WB, and force guest PAT to WB as well +- * 3. Passthrough: can't guarantee the result, try to trust guest. +- */ +- if (is_mmio) +- return _PAGE_NOCACHE; +- +- if (!kvm_arch_has_assigned_device(vcpu->kvm)) +- return 0; +- +- mtrr = kvm_mtrr_get_guest_memory_type(vcpu, gfn); +- return mtrr2protval[mtrr]; +-} +- + static void init_vmcb(struct vcpu_svm *svm, bool init_event) + { + struct vmcb_control_area *control = &svm->vmcb->control; +@@ -1276,7 +1181,6 @@ static void init_vmcb(struct vcpu_svm *s + clr_cr_intercept(svm, INTERCEPT_CR3_READ); + clr_cr_intercept(svm, INTERCEPT_CR3_WRITE); + save->g_pat = svm->vcpu.arch.pat; +- svm_set_guest_pat(svm, &save->g_pat); + save->cr3 = 0; + save->cr4 = 0; + } +@@ -4195,6 +4099,11 @@ static bool svm_has_high_real_mode_segba + return true; + } + ++static u64 svm_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio) ++{ ++ return 0; ++} ++ + static void svm_cpuid_update(struct kvm_vcpu *vcpu) + { + } diff --git a/queue-4.2/revert-kvm-x86-apply-guest-mtrr-virtualization-on-host-reserved-pages.patch b/queue-4.2/revert-kvm-x86-apply-guest-mtrr-virtualization-on-host-reserved-pages.patch new file mode 100644 index 00000000000..6e010b67d44 --- /dev/null +++ b/queue-4.2/revert-kvm-x86-apply-guest-mtrr-virtualization-on-host-reserved-pages.patch @@ -0,0 +1,68 @@ +From 606decd67049217684e3cb5a54104d51ddd4ef35 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 1 Oct 2015 13:12:47 +0200 +Subject: Revert "KVM: x86: apply guest MTRR virtualization on host reserved pages" + +From: Paolo Bonzini + +commit 606decd67049217684e3cb5a54104d51ddd4ef35 upstream. + +This reverts commit fd717f11015f673487ffc826e59b2bad69d20fe5. +It was reported to cause Machine Check Exceptions (bug 104091). + +Reported-by: harn-solo@gmx.de +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 7 +++++-- + arch/x86/kvm/vmx.c | 11 ++++++++--- + 2 files changed, 13 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1166,11 +1166,14 @@ static u64 svm_get_mt_mask(struct kvm_vc + u8 mtrr; + + /* +- * 1. MMIO: trust guest MTRR, so same as item 3. ++ * 1. MMIO: always map as UC + * 2. No passthrough: always map as WB, and force guest PAT to WB as well + * 3. Passthrough: can't guarantee the result, try to trust guest. + */ +- if (!is_mmio && !kvm_arch_has_assigned_device(vcpu->kvm)) ++ if (is_mmio) ++ return _PAGE_NOCACHE; ++ ++ if (!kvm_arch_has_assigned_device(vcpu->kvm)) + return 0; + + mtrr = kvm_mtrr_get_guest_memory_type(vcpu, gfn); +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8634,17 +8634,22 @@ static u64 vmx_get_mt_mask(struct kvm_vc + u64 ipat = 0; + + /* For VT-d and EPT combination +- * 1. MMIO: guest may want to apply WC, trust it. ++ * 1. MMIO: always map as UC + * 2. EPT with VT-d: + * a. VT-d without snooping control feature: can't guarantee the +- * result, try to trust guest. So the same as item 1. ++ * result, try to trust guest. + * b. VT-d with snooping control feature: snooping control feature of + * VT-d engine can guarantee the cache correctness. Just set it + * to WB to keep consistent with host. So the same as item 3. + * 3. EPT without VT-d: always map as WB and set IPAT=1 to keep + * consistent with host MTRR + */ +- if (!is_mmio && !kvm_arch_has_noncoherent_dma(vcpu->kvm)) { ++ if (is_mmio) { ++ cache = MTRR_TYPE_UNCACHABLE; ++ goto exit; ++ } ++ ++ if (!kvm_arch_has_noncoherent_dma(vcpu->kvm)) { + ipat = VMX_EPT_IPAT_BIT; + cache = MTRR_TYPE_WRBACK; + goto exit; diff --git a/queue-4.2/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch b/queue-4.2/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch new file mode 100644 index 00000000000..8c93f47a48f --- /dev/null +++ b/queue-4.2/time-fix-timekeeping_freqadjust-s-incorrect-use-of-abs-instead-of-abs64.patch @@ -0,0 +1,66 @@ +From 2619d7e9c92d524cb155ec89fd72875321512e5b Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Wed, 9 Sep 2015 16:07:30 -0700 +Subject: time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of abs64() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Stultz + +commit 2619d7e9c92d524cb155ec89fd72875321512e5b upstream. + +The internal clocksteering done for fine-grained error +correction uses a logarithmic approximation, so any time +adjtimex() adjusts the clock steering, timekeeping_freqadjust() +quickly approximates the correct clock frequency over a series +of ticks. + +Unfortunately, the logic in timekeeping_freqadjust(), introduced +in commit: + + dc491596f639 ("timekeeping: Rework frequency adjustments to work better w/ nohz") + +used the abs() function with a s64 error value to calculate the +size of the approximated adjustment to be made. + +Per include/linux/kernel.h: + + "abs() should not be used for 64-bit types (s64, u64, long long) - use abs64()". + +Thus on 32-bit platforms, this resulted in the clocksteering to +take a quite dampended random walk trying to converge on the +proper frequency, which caused the adjustments to be made much +slower then intended (most easily observed when large +adjustments are made). + +This patch fixes the issue by using abs64() instead. + +Reported-by: Nuno Gonçalves +Tested-by: Nuno Goncalves +Signed-off-by: John Stultz +Cc: Linus Torvalds +Cc: Miroslav Lichvar +Cc: Peter Zijlstra +Cc: Prarit Bhargava +Cc: Richard Cochran +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1441840051-20244-1-git-send-email-john.stultz@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timekeeping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1607,7 +1607,7 @@ static __always_inline void timekeeping_ + negative = (tick_error < 0); + + /* Sort out the magnitude of the correction */ +- tick_error = abs(tick_error); ++ tick_error = abs64(tick_error); + for (adj = 0; tick_error > interval; adj++) + tick_error >>= 1; + -- 2.47.3