
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:

- fix for module unload vs deferred jump labels (note: there might be
other buggy modules!)

- two NULL pointer dereferences from syzkaller

- also syzkaller: fix emulation of fxsave/fxrstor/sgdt/sidt, problem
made worse during this merge window, "just" kernel memory leak on
releases

- fix emulation of "mov ss" - somewhat serious on AMD, less so on Intel

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: fix emulation of "MOV SS, null selector"
KVM: x86: fix NULL deref in vcpu_scan_ioapic
KVM: eventfd: fix NULL deref irqbypass consumer
KVM: x86: Introduce segmented_write_std
KVM: x86: flush pending lapic jump label updates on module unload
jump_labels: API for flushing deferred jump label updates

+80 -16
+56 -14
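--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -818,6 +818,20 @@
 	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
 }
 
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
+			       struct segmented_address addr,
+			       void *data,
+			       unsigned int size)
+{
+	int rc;
+	ulong linear;
+
+	rc = linearize(ctxt, addr, size, true, &linear);
+	if (rc != X86EMUL_CONTINUE)
+		return rc;
+	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
+}
+
 /*
  * Prefetch the remaining bytes of the instruction without crossing page
  * boundary if they are not in fetch_cache yet.
@@ -1585,7 +1571,6 @@
 				  &ctxt->exception);
 }
 
-/* Does not support long mode */
 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 				     u16 selector, int seg, u8 cpl,
 				     enum x86_transfer_type transfer,
@@ -1621,20 +1608,34 @@
 
 	rpl = selector & 3;
 
-	/* NULL selector is not valid for TR, CS and SS (except for long mode) */
-	if ((seg == VCPU_SREG_CS
-	     || (seg == VCPU_SREG_SS
-		 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
-	     || seg == VCPU_SREG_TR)
-	    && null_selector)
-		goto exception;
-
 	/* TR should be in GDT only */
 	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
 		goto exception;
 
-	if (null_selector) /* for NULL selector skip all following checks */
+	/* NULL selector is not valid for TR, CS and (except for long mode) SS */
+	if (null_selector) {
+		if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
+			goto exception;
+
+		if (seg == VCPU_SREG_SS) {
+			if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
+				goto exception;
+
+			/*
+			 * ctxt->ops->set_segment expects the CPL to be in
+			 * SS.DPL, so fake an expand-up 32-bit data segment.
+			 */
+			seg_desc.type = 3;
+			seg_desc.p = 1;
+			seg_desc.s = 1;
+			seg_desc.dpl = cpl;
+			seg_desc.d = 1;
+			seg_desc.g = 1;
+		}
+
+		/* Skip all following checks */
 		goto load;
+	}
 
 	ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
 	if (ret != X86EMUL_CONTINUE)
@@ -1764,6 +1737,21 @@
 				   u16 selector, int seg)
 {
 	u8 cpl = ctxt->ops->cpl(ctxt);
+
+	/*
+	 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
+	 * they can load it at CPL<3 (Intel's manual says only LSS can,
+	 * but it's wrong).
+	 *
+	 * However, the Intel manual says that putting IST=1/DPL=3 in
+	 * an interrupt gate will result in SS=3 (the AMD manual instead
+	 * says it doesn't), so allow SS=3 in __load_segment_descriptor
+	 * and only forbid it here.
+	 */
+	if (seg == VCPU_SREG_SS && selector == 3 &&
+	    ctxt->mode == X86EMUL_MODE_PROT64)
+		return emulate_exception(ctxt, GP_VECTOR, 0, true);
+
 	return __load_segment_descriptor(ctxt, selector, seg, cpl,
 					 X86_TRANSFER_NONE, NULL);
 }
@@ -3727,8 +3685,8 @@
 	}
 	/* Disable writeback. */
 	ctxt->dst.type = OP_NONE;
-	return segmented_write(ctxt, ctxt->dst.addr.mem,
-			       &desc_ptr, 2 + ctxt->op_bytes);
+	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
+				   &desc_ptr, 2 + ctxt->op_bytes);
 }
 
 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
@@ -3974,7 +3932,7 @@
 	else
 		size = offsetof(struct fxregs_state, xmm_space[0]);
 
-	return segmented_write(ctxt, ctxt->memop.addr.mem, &fx_state, size);
+	return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
 }
 
 static int fxrstor_fixup(struct x86_emulate_ctxt *ctxt,
@@ -4016,7 +3974,7 @@
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
-	rc = segmented_read(ctxt, ctxt->memop.addr.mem, &fx_state, 512);
+	rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, 512);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 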
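Review bot: `segmented_write_std` (hunk 1, lines 821-833) forwards every write to `ctxt->ops->write_std` without any notion of the guest's current privilege level, and hunks 5-7 route sgdt/sidt, fxsave and fxrstor — all executable at CPL 3 — through it and its `segmented_read_std` sibling. If the `_std` accessors walk the guest page tables as a supervisor access, which their naming suggests but the hunk cannot confirm, a user-mode guest program whose fxsave/fxrstor/sgdt/sidt gets emulated could read or write supervisor-only guest pages that the real CPU would fault on, so the semantics of `emulator_read_std`/`emulator_write_std` in x86.c should be checked before relying on this path. If they do skip the user/supervisor check, the helper needs a variant that carries the guest CPL into the page walk rather than an unconditional system access. Either way, document the intent above the helper: `/* Linear write of data the emulator itself produces (descriptor tables, FPU state); mirrors segmented_read_std and bypasses the emulated-access path. */`. The em_sidt/em_sgdt, em_fxsave and em_fxrstor bodies start outside their hunks.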
+6
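--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2426,3 +2426,9 @@
 	jump_label_rate_limit(&apic_hw_disabled, HZ);
 	jump_label_rate_limit(&apic_sw_disabled, HZ);
 }
+
+void kvm_lapic_exit(void)
+{
+	static_key_deferred_flush(&apic_hw_disabled);
+	static_key_deferred_flush(&apic_sw_disabled);
+}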
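Review bot: `kvm_lapic_exit` (lines 2430-2434) only waits for work that is already queued; any `static_key_slow_dec_deferred` on these keys issued after the flush would re-arm the delayed work and reintroduce the unload race the commit message describes, so the function's contract should be written down rather than left implicit in its caller. Suggested header comment: `/* Flush the deferred jump-label updates for the APIC static keys. Must run after the last vCPU is destroyed and before the module is unloaded, since the pending work references this module's code. */`. Whether every decrement is guaranteed to have been issued by the time `kvm_arch_exit()` reaches this call is not visible in the hunk.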
+1
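--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -110,6 +110,7 @@
 
 int kvm_lapic_enable_pv_eoi(struct kvm_vcpu *vcpu, u64 data);
 void kvm_lapic_init(void);
+void kvm_lapic_exit(void);
 
 #define VEC_POS(v) ((v) & (32 - 1))
 #define REG_POS(v) (((v) >> 5) << 4)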
+3
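--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3342,6 +3342,8 @@
 
 	switch (cap->cap) {
 	case KVM_CAP_HYPERV_SYNIC:
+		if (!irqchip_in_kernel(vcpu->kvm))
+			return -EINVAL;
 		return kvm_hv_activate_synic(vcpu);
 	default:
 		return -EINVAL;
@@ -6047,6 +6045,7 @@
 
 void kvm_arch_exit(void)
 {
+	kvm_lapic_exit();
 	perf_unregister_guest_info_callbacks(&kvm_guest_cbs);
 
 	if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))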
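Review bot: The new `irqchip_in_kernel()` guard on the KVM_CAP_HYPERV_SYNIC path (lines 3345-3346) is only sound if the irqchip mode can no longer change once this vCPU ioctl is reachable; the ordering between irqchip creation and vCPU creation that would guarantee that is not visible here, so state the assumption next to the check: `/* SynIC needs the in-kernel LAPIC; irqchip mode cannot change once a vCPU exists. */`. In the second hunk, `kvm_lapic_exit()` is placed before `perf_unregister_guest_info_callbacks()`; a one-line comment such as `/* flush deferred static-key work that references this module's code */` would tell the next reader why it has to come first. The enclosing functions of both hunks continue outside the hunks.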
+5
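--- a/include/linux/jump_label_ratelimit.h
+++ b/include/linux/jump_label_ratelimit.h
@@ -14,6 +14,7 @@
 
 #ifdef HAVE_JUMP_LABEL
 extern void static_key_slow_dec_deferred(struct static_key_deferred *key);
+extern void static_key_deferred_flush(struct static_key_deferred *key);
 extern void
 jump_label_rate_limit(struct static_key_deferred *key, unsigned long rl);
 
@@ -26,6 +25,10 @@
 {
 	STATIC_KEY_CHECK_USE();
 	static_key_slow_dec(&key->key);
+}
+static inline void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
 }
 static inline void
 jump_label_rate_limit(struct static_key_deferred *key,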
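Review bot: The `!HAVE_JUMP_LABEL` stub of `static_key_deferred_flush` (lines 29-32) has an empty body and nothing says why that is correct; a reader comparing it with the real implementation may assume the flush was simply forgotten. The stub of `static_key_slow_dec_deferred` directly above it (line 28) calls `static_key_slow_dec()` synchronously, so in this configuration there is never any delayed work to wait for, and a comment should record that: `/* No deferred work without jump labels: the _deferred decrement above is synchronous. */`.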
+7
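--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -182,6 +182,13 @@
 }
 EXPORT_SYMBOL_GPL(static_key_slow_dec_deferred);
 
+void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
+	flush_delayed_work(&key->work);
+}
+EXPORT_SYMBOL_GPL(static_key_deferred_flush);
+
 void jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
 {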
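Review bot: `static_key_deferred_flush` (lines 185-190) is a new exported API with no kernel-doc, and its one subtlety is not stated: `flush_delayed_work()` waits only for work that is pending or running at call time, so a later `static_key_slow_dec_deferred()` on the same key re-arms the work and the flush guarantees nothing. The header should spell out the calling contract — that it is meant for a module's exit path, after the last user of @key has issued its final decrement, so that the deferred work cannot outlive the module's code; a three-line `/** static_key_deferred_flush - ... */` block saying exactly that is enough.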
+2 -2
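--- a/virt/lib/irqbypass.c
+++ b/virt/lib/irqbypass.c
@@ -195,7 +195,7 @@
 	mutex_lock(&lock);
 
 	list_for_each_entry(tmp, &consumers, node) {
-		if (tmp->token == consumer->token) {
+		if (tmp->token == consumer->token || tmp == consumer) {
 			mutex_unlock(&lock);
 			module_put(THIS_MODULE);
 			return -EBUSY;
@@ -245,7 +245,7 @@
 	mutex_lock(&lock);
 
 	list_for_each_entry(tmp, &consumers, node) {
-		if (tmp->token != consumer->token)
+		if (tmp != consumer)
 			continue;
 
 		list_for_each_entry(producer, &producers, node) {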
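Review bot: The `tmp == consumer` clause added to the registration check (line 198) and the switch from token to object identity in the unregister loop (line 248) are the whole fix, yet neither carries a comment explaining the two distinct conditions they guard. The first rejects re-registering a consumer object whose `node` is already linked (a second `list_add` would corrupt the list); the second ensures that unregistering a consumer which was never accepted — for example one rejected with -EBUSY above because another consumer already holds the same token — cannot tear down that other, still-registered consumer. Suggested comments: `/* same token, or this consumer is already linked */` on line 198 and `/* match the object, not the token: a rejected consumer may share a token with a registered one */` on line 248. What the unregister function does when the consumer is not found is outside the hunk.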