3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jul 2015 18:17:26 +0000 (11:17 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jul 2015 18:17:26 +0000 (11:17 -0700)
added patches:
arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch
arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
kvm-arm-vgic-plug-irq-injection-race.patch

queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch [new file with mode: 0644]
queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch [new file with mode: 0644]
queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch b/queue-3.14/arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch
new file mode 100644 (file)
index 0000000..a153bc9
--- /dev/null
@@ -0,0 +1,48 @@
+From 0fea6d7628ed6e25a9ee1b67edf7c859718d39e8 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Thu, 25 Sep 2014 18:41:07 +0200
+Subject: arm/arm64: KVM: Fix set_clear_sgi_pend_reg offset
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit 0fea6d7628ed6e25a9ee1b67edf7c859718d39e8 upstream.
+
+The sgi values calculated in read_set_clear_sgi_pend_reg() and
+write_set_clear_sgi_pend_reg() were horribly incorrectly multiplied by 4
+with catastrophic results in that subfunctions ended up overwriting
+memory not allocated for the expected purpose.
+
+This showed up as bugs in kfree() and the kernel complaining a lot of
+you turn on memory debugging.
+
+This addresses: http://marc.info/?l=kvm&m=141164910007868&w=2
+
+Reported-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -674,7 +674,7 @@ static bool read_set_clear_sgi_pend_reg(
+ {
+       struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+       int sgi;
+-      int min_sgi = (offset & ~0x3) * 4;
++      int min_sgi = (offset & ~0x3);
+       int max_sgi = min_sgi + 3;
+       int vcpu_id = vcpu->vcpu_id;
+       u32 reg = 0;
+@@ -695,7 +695,7 @@ static bool write_set_clear_sgi_pend_reg
+ {
+       struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+       int sgi;
+-      int min_sgi = (offset & ~0x3) * 4;
++      int min_sgi = (offset & ~0x3);
+       int max_sgi = min_sgi + 3;
+       int vcpu_id = vcpu->vcpu_id;
+       u32 reg;
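Review bot: The parentheses around `offset & ~0x3` in the two new `min_sgi` initialisers (read_set_clear_sgi_pend_reg and write_set_clear_sgi_pend_reg) are a leftover of the removed `* 4` and can go: `int min_sgi = offset & ~0x3;`. With the multiplication gone, min_sgi..max_sgi is a direct per-byte SGI index taken from the MMIO offset, so it only stays in range if the caller's range descriptor limits offset to the SGI pending register block (one byte per SGI); that is presumably the case, but a one-line comment stating the assumption at the declaration would help, given that the previous arithmetic silently violated it. Both function bodies continue past the end of the nested hunks, so the indexing that uses min_sgi and max_sgi is not visible here.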
diff --git a/queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch b/queue-3.14/arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
new file mode 100644 (file)
index 0000000..38a2178
--- /dev/null
@@ -0,0 +1,105 @@
+From a7d079cea2dffb112e26da2566dd84c0ef1fce97 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 9 Sep 2014 11:27:09 +0100
+Subject: ARM/arm64: KVM: fix use of WnR bit in kvm_is_write_fault()
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit a7d079cea2dffb112e26da2566dd84c0ef1fce97 upstream.
+
+[Since we don't backport commit 9804788 (arm/arm64: KVM: Support
+KVM_CAP_READONLY_MEM), ingore the changes in kvm_handle_guest_abort
+introduced by this patch.]
+
+The ISS encoding for an exception from a Data Abort has a WnR
+bit[6] that indicates whether the Data Abort was caused by a
+read or a write instruction. While there are several fields
+in the encoding that are only valid if the ISV bit[24] is set,
+WnR is not one of them, so we can read it unconditionally.
+
+Instead of fixing both implementations of kvm_is_write_fault()
+in place, reimplement it just once using kvm_vcpu_dabt_iswrite(),
+which already does the right thing with respect to the WnR bit.
+Also fix up the callers to pass 'vcpu'
+
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/kvm_mmu.h   |   11 -----------
+ arch/arm/kvm/mmu.c               |   10 +++++++++-
+ arch/arm64/include/asm/kvm_mmu.h |   13 -------------
+ 3 files changed, 9 insertions(+), 25 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -78,17 +78,6 @@ static inline void kvm_set_pte(pte_t *pt
+       flush_pmd_entry(pte);
+ }
+-static inline bool kvm_is_write_fault(unsigned long hsr)
+-{
+-      unsigned long hsr_ec = hsr >> HSR_EC_SHIFT;
+-      if (hsr_ec == HSR_EC_IABT)
+-              return false;
+-      else if ((hsr & HSR_ISV) && !(hsr & HSR_WNR))
+-              return false;
+-      else
+-              return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd)
+ {
+       clean_dcache_area(pgd, PTRS_PER_S2_PGD * sizeof(pgd_t));
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -746,6 +746,14 @@ static bool transparent_hugepage_adjust(
+       return false;
+ }
++static bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
++{
++      if (kvm_vcpu_trap_is_iabt(vcpu))
++              return false;
++
++      return kvm_vcpu_dabt_iswrite(vcpu);
++}
++
+ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+                         struct kvm_memory_slot *memslot,
+                         unsigned long fault_status)
+@@ -761,7 +769,7 @@ static int user_mem_abort(struct kvm_vcp
+       pfn_t pfn;
+       pgprot_t mem_type = PAGE_S2;
+-      write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
++      write_fault = kvm_is_write_fault(vcpu);
+       if (fault_status == FSC_PERM && !write_fault) {
+               kvm_err("Unexpected L2 read permission error\n");
+               return -EFAULT;
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -93,19 +93,6 @@ void kvm_clear_hyp_idmap(void);
+ #define       kvm_set_pte(ptep, pte)          set_pte(ptep, pte)
+ #define       kvm_set_pmd(pmdp, pmd)          set_pmd(pmdp, pmd)
+-static inline bool kvm_is_write_fault(unsigned long esr)
+-{
+-      unsigned long esr_ec = esr >> ESR_EL2_EC_SHIFT;
+-
+-      if (esr_ec == ESR_EL2_EC_IABT)
+-              return false;
+-
+-      if ((esr & ESR_EL2_ISV) && !(esr & ESR_EL2_WNR))
+-              return false;
+-
+-      return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd) {}
+ static inline void kvm_clean_pmd_entry(pmd_t *pmd) {}
+ static inline void kvm_clean_pte(pte_t *pte) {}
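Review bot: The new kvm_is_write_fault() in arch/arm/kvm/mmu.c has no comment, and the reason it may drop the ISV test that both deleted header copies carried exists only in the commit message; the next reader will wonder whether the check was lost rather than removed on purpose. Suggest a header comment such as `/* Instruction aborts are never writes; for data aborts WnR is valid even when ISV is clear, so defer to kvm_vcpu_dabt_iswrite(). */`. The helper is now static in mmu.c while its declaration also disappears from arch/arm64/include/asm/kvm_mmu.h, so the arm64 build must reach it through the shared mmu.c; that is presumably how the tree is wired, but it is worth confirming no other arm64 caller of the old `unsigned long` signature remains. The user_mem_abort() hunk is context plus one call-site change, and its body begins and ends outside the hunks shown.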
diff --git a/queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch b/queue-3.14/kvm-arm-vgic-plug-irq-injection-race.patch
new file mode 100644 (file)
index 0000000..9390868
--- /dev/null
@@ -0,0 +1,44 @@
+From 71afaba4a2e98bb7bdeba5078370ab43d46e67a1 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 8 Jul 2014 12:09:00 +0100
+Subject: KVM: ARM: vgic: plug irq injection race
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 71afaba4a2e98bb7bdeba5078370ab43d46e67a1 upstream.
+
+[Since we don't backport commit 227844f (arm/arm64: KVM: Rename irq_state
+to irq_pending) for linux-3.14.y, here we still use vgic_update_irq_state
+instead of vgic_update_irq_pending.]
+
+As it stands, nothing prevents userspace from injecting an interrupt
+before the guest's GIC is actually initialized.
+
+This goes unnoticed so far (as everything is pretty much statically
+allocated), but ends up exploding in a spectacular way once we switch
+to a more dynamic allocation (the GIC data structure isn't there yet).
+
+The fix is to test for the "ready" flag in the VGIC distributor before
+trying to inject the interrupt. Note that in order to avoid breaking
+userspace, we have to ignore what is essentially an error.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1387,7 +1387,8 @@ out:
+ int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num,
+                       bool level)
+ {
+-      if (vgic_update_irq_state(kvm, cpuid, irq_num, level))
++      if (likely(vgic_initialized(kvm)) &&
++          vgic_update_irq_state(kvm, cpuid, irq_num, level))
+               vgic_kick_vcpus(kvm);
+       return 0;
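Review bot: The new guard in kvm_vgic_inject_irq() makes an injection before the VGIC is initialised silently succeed (`return 0`), and nothing in the code says this is deliberate; the rationale lives only in the commit message. Suggest a comment above the condition: `/* Ignore injections until the VGIC is ready: failing them would break existing userspace. */`. The `likely()` on an initialisation flag reads as an optimisation of a check that exists purely for correctness, which is harmless but deserves a word in the same comment. The check is an unlocked read of the ready state, so whether it closes the race completely depends on how vgic_initialized() is set on the init path, which is not visible here. The function's closing brace lies past the end of the nested hunk.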
index d3d1ee8c29fa9c3298ec5562eb7d3443cbb59ad3..501f8fed008bcbc826d23c7d3c762173087694d5 100644 (file)
@@ -15,3 +15,6 @@ splice-apply-generic-position-and-size-checks-to-each-write.patch
 arm-clk-imx6q-refine-sata-s-parent.patch
 kvm-nsvm-check-for-nrips-support-before-updating-control-field.patch
 bus-mvebu-pass-the-coherency-availability-information-at-init-time.patch
+arm-arm64-kvm-fix-use-of-wnr-bit-in-kvm_is_write_fault.patch
+kvm-arm-vgic-plug-irq-injection-race.patch
+arm-arm64-kvm-fix-set_clear_sgi_pend_reg-offset.patch