
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
"KVM:
- lock kvm_device list to prevent corruption on device creation.

PPC:
- split debugfs initialization from creation of the xics device to
unlock the newly taken kvm lock earlier.

s390:
- prevent userspace from triggering two WARN_ON_ONCE.

MIPS:
- fix several issues in the management of TLB faults (Cc: stable)"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
MIPS: KVM: Propagate kseg0/mapped tlb fault errors
MIPS: KVM: Fix gfn range check in kseg0 tlb faults
MIPS: KVM: Add missing gfn range check
MIPS: KVM: Fix mapped fault broken commpage handling
KVM: Protect device ops->create and list_add with kvm->lock
KVM: PPC: Move xics_debugfs_init out of create
KVM: s390: reset KVM_REQ_MMU_RELOAD if mapping the prefix failed
KVM: s390: set the prefix initially properly

+116 -51
+5 -1
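--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -1009,9 +1009,13 @@
 
 	switch (ioctl) {
 	case KVM_CREATE_IRQCHIP: {
+		int ret;
 		if (!vgic_present)
 			return -ENXIO;
-		return kvm_vgic_create(kvm, KVM_DEV_TYPE_ARM_VGIC_V2);
+		mutex_lock(&kvm->lock);
+		ret = kvm_vgic_create(kvm, KVM_DEV_TYPE_ARM_VGIC_V2);
+		mutex_unlock(&kvm->lock);
+		return ret;
 	}
 	case KVM_ARM_SET_DEVICE_ADDR: {
 		struct kvm_arm_device_addr dev_addr;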
+26 -9
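--- a/arch/mips/kvm/emulate.c
+++ b/arch/mips/kvm/emulate.c
@@ -1642,8 +1642,14 @@
 
 	preempt_disable();
 	if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
-		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0)
-			kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
+		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
+		    kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
+			kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n",
+				__func__, va, vcpu, read_c0_entryhi());
+			er = EMULATE_FAIL;
+			preempt_enable();
+			goto done;
+		}
 	} else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
 		   KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
 		int index;
@@ -1686,12 +1680,18 @@
 						run, vcpu);
 				preempt_enable();
 				goto dont_update_pc;
-			} else {
-				/*
-				 * We fault an entry from the guest tlb to the
-				 * shadow host TLB
-				 */
-				kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb);
+			}
+			/*
+			 * We fault an entry from the guest tlb to the
+			 * shadow host TLB
+			 */
+			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb)) {
+				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
+					__func__, va, index, vcpu,
+					read_c0_entryhi());
+				er = EMULATE_FAIL;
+				preempt_enable();
+				goto done;
 			}
 		}
 	} else {
@@ -2671,7 +2659,12 @@
 			 * OK we have a Guest TLB entry, now inject it into the
 			 * shadow host TLB
 			 */
-			kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb);
+			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb)) {
+				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
+					__func__, va, index, vcpu,
+					read_c0_entryhi());
+				er = EMULATE_FAIL;
+			}
 		}
 	}
 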
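Review bot: The three new failure branches log with kvm_err() on paths a guest can reach on its own (a guest TLB entry whose gfn lies outside guest_pmap_npages now fails the mapped-segment handler, per the arch/mips/kvm/mmu.c hunk), so a misbehaving guest can emit an unbounded stream of host log lines; a rate-limited form such as `pr_err_ratelimited(...)` or kvm_debug() is the usual choice for guest-triggerable conditions. The same applies to the new kvm_err() calls at lines 160 and 359 of arch/mips/kvm/mmu.c, both of which also dump the whole guest TLB on every occurrence. Separately, the third hunk (line 2662) sets `er = EMULATE_FAIL` but, unlike the first two, does not jump to `done`; the enclosing function continues outside the hunk, so confirm that nothing after it relies on the entry having been installed.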
+42 -22
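--- a/arch/mips/kvm/mmu.c
+++ b/arch/mips/kvm/mmu.c
@@ -99,7 +99,7 @@
 	}
 
 	gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
-	if (gfn >= kvm->arch.guest_pmap_npages) {
+	if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
 		kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
 			gfn, badvaddr);
 		kvm_mips_dump_host_tlbs();
@@ -138,35 +138,49 @@
 	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
 	struct kvm *kvm = vcpu->kvm;
 	kvm_pfn_t pfn0, pfn1;
+	gfn_t gfn0, gfn1;
+	long tlb_lo[2];
 	int ret;
 
-	if ((tlb->tlb_hi & VPN2_MASK) == 0) {
-		pfn0 = 0;
-		pfn1 = 0;
-	} else {
-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo[0])
-					   >> PAGE_SHIFT) < 0)
-			return -1;
+	tlb_lo[0] = tlb->tlb_lo[0];
+	tlb_lo[1] = tlb->tlb_lo[1];
 
-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo[1])
-					   >> PAGE_SHIFT) < 0)
-			return -1;
+	/*
+	 * The commpage address must not be mapped to anything else if the guest
+	 * TLB contains entries nearby, or commpage accesses will break.
+	 */
+	if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
+	      VPN2_MASK & (PAGE_MASK << 1)))
+		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
 
-		pfn0 = kvm->arch.guest_pmap[
-			mips3_tlbpfn_to_paddr(tlb->tlb_lo[0]) >> PAGE_SHIFT];
-		pfn1 = kvm->arch.guest_pmap[
-			mips3_tlbpfn_to_paddr(tlb->tlb_lo[1]) >> PAGE_SHIFT];
+	gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
+	gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
+	if (gfn0 >= kvm->arch.guest_pmap_npages ||
+	    gfn1 >= kvm->arch.guest_pmap_npages) {
+		kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
+			__func__, gfn0, gfn1, tlb->tlb_hi);
+		kvm_mips_dump_guest_tlbs(vcpu);
+		return -1;
 	}
+
+	if (kvm_mips_map_page(kvm, gfn0) < 0)
+		return -1;
+
+	if (kvm_mips_map_page(kvm, gfn1) < 0)
+		return -1;
+
+	pfn0 = kvm->arch.guest_pmap[gfn0];
+	pfn1 = kvm->arch.guest_pmap[gfn1];
 
 	/* Get attributes from the Guest TLB */
 	entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) |
 		((_page_cachable_default >> _CACHE_SHIFT) << ENTRYLO_C_SHIFT) |
-		(tlb->tlb_lo[0] & ENTRYLO_D) |
-		(tlb->tlb_lo[0] & ENTRYLO_V);
+		(tlb_lo[0] & ENTRYLO_D) |
+		(tlb_lo[0] & ENTRYLO_V);
 	entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) |
 		((_page_cachable_default >> _CACHE_SHIFT) << ENTRYLO_C_SHIFT) |
-		(tlb->tlb_lo[1] & ENTRYLO_D) |
-		(tlb->tlb_lo[1] & ENTRYLO_V);
+		(tlb_lo[1] & ENTRYLO_D) |
+		(tlb_lo[1] & ENTRYLO_V);
 
 	kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
 		  tlb->tlb_lo[0], tlb->tlb_lo[1]);
@@ -368,9 +354,15 @@
 			local_irq_restore(flags);
 			return KVM_INVALID_INST;
 		}
-		kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
-						     &vcpu->arch.
-						     guest_tlb[index]);
+		if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
+					&vcpu->arch.guest_tlb[index])) {
+			kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n",
+				__func__, opc, index, vcpu,
+				read_c0_entryhi());
+			kvm_mips_dump_guest_tlbs(vcpu);
+			local_irq_restore(flags);
+			return KVM_INVALID_INST;
+		}
 		inst = *(opc);
 	}
 	local_irq_restore(flags);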
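Review bot: The new `(gfn | 1) >= kvm->arch.guest_pmap_npages` check at line 102 has no comment, and the `| 1` reads like a typo without one; presumably the kseg0 handler maps gfn together with its even/odd partner, so the check must cover the odd (larger) page of the pair, but the rest of that function is outside the hunk, so confirm before wording it. Suggest `/* the even/odd pair (gfn, gfn ^ 1) is mapped below, so range-check the odd one */` above that line. In the second hunk the commpage comment explains the why well, but the bounds check that follows it deserves its own line, e.g. `/* tlb_lo comes from the guest; keep it from indexing past guest_pmap */`, since that is the protection the commit adds. The enclosing functions of all three hunks start before the hunk.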
+8 -4
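--- a/arch/powerpc/kvm/book3s_xics.c
+++ b/arch/powerpc/kvm/book3s_xics.c
@@ -1329,19 +1329,15 @@
 	xics->kvm = kvm;
 
 	/* Already there ? */
-	mutex_lock(&kvm->lock);
 	if (kvm->arch.xics)
 		ret = -EEXIST;
 	else
 		kvm->arch.xics = xics;
-	mutex_unlock(&kvm->lock);
 
 	if (ret) {
 		kfree(xics);
 		return ret;
 	}
-
-	xics_debugfs_init(xics);
 
 #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
 	if (cpu_has_feature(CPU_FTR_ARCH_206)) {
@@ -1350,9 +1354,17 @@
 	return 0;
 }
 
+static void kvmppc_xics_init(struct kvm_device *dev)
+{
+	struct kvmppc_xics *xics = (struct kvmppc_xics *)dev->private;
+
+	xics_debugfs_init(xics);
+}
+
 struct kvm_device_ops kvm_xics_ops = {
 	.name = "kvm-xics",
 	.create = kvmppc_xics_create,
+	.init = kvmppc_xics_init,
 	.destroy = kvmppc_xics_free,
 	.set_attr = xics_set_attr,
 	.get_attr = xics_get_attr,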
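Review bot: kvmppc_xics_create now depends on its caller holding kvm->lock for the `kvm->arch.xics` check-and-set (the lock calls are removed here and the new include/linux/kvm_host.h comment documents the convention), but nothing in the function enforces that; a `lockdep_assert_held(&kvm->lock);` where the `mutex_lock` line used to be would catch any future caller that skips it. The same applies to kvm_vgic_create in virt/kvm/arm/vgic/vgic-init.c, which is also reached directly from the KVM_CREATE_IRQCHIP ioctl in arch/arm/kvm/arm.c. In the new kvmppc_xics_init the cast on `dev->private` is redundant if `private` is a `void *`, as it appears to be. kvmppc_xics_create's body starts before the hunk.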
+4 -1
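--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -1672,6 +1672,7 @@
 				    KVM_SYNC_CRS |
 				    KVM_SYNC_ARCH0 |
 				    KVM_SYNC_PFAULT;
+	kvm_s390_set_prefix(vcpu, 0);
 	if (test_kvm_facility(vcpu->kvm, 64))
 		vcpu->run->kvm_valid_regs |= KVM_SYNC_RICCB;
 	/* fprs can be synchronized via vrs, even if the guest has no vx. With
@@ -2362,8 +2361,10 @@
 		rc = gmap_mprotect_notify(vcpu->arch.gmap,
 					  kvm_s390_get_prefix(vcpu),
 					  PAGE_SIZE * 2, PROT_WRITE);
-		if (rc)
+		if (rc) {
+			kvm_make_request(KVM_REQ_MMU_RELOAD, vcpu);
 			return rc;
+		}
 		goto retry;
 	}
 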
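Review bot: The new `kvm_make_request(KVM_REQ_MMU_RELOAD, vcpu)` on the gmap_mprotect_notify() failure path has no comment saying why the request is re-armed before returning the error; the commit title ("reset KVM_REQ_MMU_RELOAD if mapping the prefix failed") suggests the intent is that the reload is not lost, so a one-liner such as `/* keep the reload pending so the next entry retries mapping the prefix */` would spare the next reader the archaeology. The enclosing function starts before and continues after the hunk, so the retry behaviour itself cannot be confirmed from here.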
+12
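--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1113,7 +1113,19 @@
 /* create, destroy, and name are mandatory */
 struct kvm_device_ops {
 	const char *name;
+
+	/*
+	 * create is called holding kvm->lock and any operations not suitable
+	 * to do while holding the lock should be deferred to init (see
+	 * below).
+	 */
 	int (*create)(struct kvm_device *dev, u32 type);
+
+	/*
+	 * init is called after create if create is successful and is called
+	 * outside of holding kvm->lock.
+	 */
+	void (*init)(struct kvm_device *dev);
 
 	/*
 	 * Destroy is responsible for freeing dev.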
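Review bot: The new comment on `init` says only that it runs after a successful create and outside kvm->lock; from the virt/kvm/kvm_main.c hunk in this same merge it also runs after the device has been added to `kvm->devices` and before its file descriptor is created, which an implementer needs to know if init publishes anything reachable from the list. Suggest extending it to `* init is optional; it runs after create succeeded, outside kvm->lock, once the device is on kvm->devices and before its fd exists.` This is a documentation-only suggestion.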
+4 -13
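--- a/virt/kvm/arm/vgic/vgic-init.c
+++ b/virt/kvm/arm/vgic/vgic-init.c
@@ -73,12 +73,8 @@
 	int i, vcpu_lock_idx = -1, ret;
 	struct kvm_vcpu *vcpu;
 
-	mutex_lock(&kvm->lock);
-
-	if (irqchip_in_kernel(kvm)) {
-		ret = -EEXIST;
-		goto out;
-	}
+	if (irqchip_in_kernel(kvm))
+		return -EEXIST;
 
 	/*
 	 * This function is also called by the KVM_CREATE_IRQCHIP handler,
@@ -83,10 +87,8 @@
 	 * the proper checks already.
 	 */
 	if (type == KVM_DEV_TYPE_ARM_VGIC_V2 &&
-		!kvm_vgic_global_state.can_emulate_gicv2) {
-		ret = -ENODEV;
-		goto out;
-	}
+		!kvm_vgic_global_state.can_emulate_gicv2)
+		return -ENODEV;
 
 	/*
 	 * Any time a vcpu is run, vcpu_load is called which tries to grab the
@@ -132,9 +138,6 @@
 		vcpu = kvm_get_vcpu(kvm, vcpu_lock_idx);
 		mutex_unlock(&vcpu->mutex);
 	}
-
-out:
-	mutex_unlock(&kvm->lock);
 	return ret;
 }
 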
+15 -1
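--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -696,6 +696,11 @@
 {
 	struct kvm_device *dev, *tmp;
 
+	/*
+	 * We do not need to take the kvm->lock here, because nobody else
+	 * has a reference to the struct kvm at this point and therefore
+	 * cannot access the devices list anyhow.
+	 */
 	list_for_each_entry_safe(dev, tmp, &kvm->devices, vm_node) {
 		list_del(&dev->vm_node);
 		dev->ops->destroy(dev);
@@ -2837,19 +2832,28 @@
 	dev->ops = ops;
 	dev->kvm = kvm;
 
+	mutex_lock(&kvm->lock);
 	ret = ops->create(dev, cd->type);
 	if (ret < 0) {
+		mutex_unlock(&kvm->lock);
 		kfree(dev);
 		return ret;
 	}
+	list_add(&dev->vm_node, &kvm->devices);
+	mutex_unlock(&kvm->lock);
+
+	if (ops->init)
+		ops->init(dev);
 
 	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
 	if (ret < 0) {
 		ops->destroy(dev);
+		mutex_lock(&kvm->lock);
+		list_del(&dev->vm_node);
+		mutex_unlock(&kvm->lock);
 		return ret;
 	}
 
-	list_add(&dev->vm_node, &kvm->devices);
 	kvm_get_kvm(kvm);
 	cd->fd = ret;
 	return 0;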
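Review bot: In the anon_inode_getfd() failure path the new `list_del(&dev->vm_node)` runs after `ops->destroy(dev)`, and the include/linux/kvm_host.h comment in this same merge says destroy is responsible for freeing dev, so the unlink touches freed memory. Move the locked removal ahead of the destroy call: `mutex_lock(&kvm->lock); list_del(&dev->vm_node); mutex_unlock(&kvm->lock);` followed by `ops->destroy(dev);`. Since the device is now on kvm->devices and has had init run before the fd exists, destroy implementations must also tolerate a device that was never handed to userspace; a short comment on the failure path saying so would help. kvm_ioctl_create_device's body starts before the hunk.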