
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
"A small set of x86 fixes. The most serious is an SRCU lockdep fix.

A bit late - needed some time to test the SRCU fix, which only came in
on Friday"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: vmx: defer load of APIC access page address during reset
KVM: nVMX: Disable preemption while reading from shadow VMCS
KVM: x86: Fix far-jump to non-canonical check
KVM: emulator: fix execution close to the segment limit
KVM: emulator: fix error code for __linearize

+45 -16
+40 -15
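--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -574,12 +574,14 @@
 case 4:
 ctxt->_eip = (u32)dst;
 break;
+#ifdef CONFIG_X86_64
 case 8:
 if ((cs_l && is_noncanonical_address(dst)) ||
-(!cs_l && (dst & ~(u32)-1)))
+(!cs_l && (dst >> 32) != 0))
 return emulate_gp(ctxt, 0);
 ctxt->_eip = dst;
 break;
+#endif
 default:
 WARN(1, "unsupported eip assignment size\n");
 }
@@ -643,7 +641,8 @@
 
 static int __linearize(struct x86_emulate_ctxt *ctxt,
 struct segmented_address addr,
-unsigned size, bool write, bool fetch,
+unsigned *max_size, unsigned size,
+bool write, bool fetch,
 ulong *linear)
 {
 struct desc_struct desc;
@@ -655,10 +652,15 @@
 unsigned cpl;
 
 la = seg_base(ctxt, addr.seg) + addr.ea;
+*max_size = 0;
 switch (ctxt->mode) {
 case X86EMUL_MODE_PROT64:
 if (((signed long)la << 16) >> 16 != la)
 return emulate_gp(ctxt, 0);
+
+*max_size = min_t(u64, ~0u, (1ull << 48) - la);
+if (size > *max_size)
+goto bad;
 break;
 default:
 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
@@ -681,20 +673,25 @@
 if ((ctxt->mode == X86EMUL_MODE_REAL) && !fetch &&
 (ctxt->d & NoBigReal)) {
 /* la is between zero and 0xffff */
-if (la > 0xffff || (u32)(la + size - 1) > 0xffff)
+if (la > 0xffff)
 goto bad;
+*max_size = 0x10000 - la;
 } else if ((desc.type & 8) || !(desc.type & 4)) {
 /* expand-up segment */
-if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+if (addr.ea > lim)
 goto bad;
+*max_size = min_t(u64, ~0u, (u64)lim + 1 - addr.ea);
 } else {
 /* expand-down segment */
-if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
+if (addr.ea <= lim)
 goto bad;
 lim = desc.d ? 0xffffffff : 0xffff;
-if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+if (addr.ea > lim)
 goto bad;
+*max_size = min_t(u64, ~0u, (u64)lim + 1 - addr.ea);
 }
+if (size > *max_size)
+goto bad;
 cpl = ctxt->ops->cpl(ctxt);
 if (!(desc.type & 8)) {
 /* data segment */
@@ -724,9 +711,9 @@
 return X86EMUL_CONTINUE;
 bad:
 if (addr.seg == VCPU_SREG_SS)
-return emulate_ss(ctxt, sel);
+return emulate_ss(ctxt, 0);
 else
-return emulate_gp(ctxt, sel);
+return emulate_gp(ctxt, 0);
 }
 
 static int linearize(struct x86_emulate_ctxt *ctxt,
@@ -734,7 +721,8 @@
 unsigned size, bool write,
 ulong *linear)
 {
-return __linearize(ctxt, addr, size, write, false, linear);
+unsigned max_size;
+return __linearize(ctxt, addr, &max_size, size, write, false, linear);
 }
 
 
@@ -760,17 +746,27 @@
 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
 {
 int rc;
-unsigned size;
+unsigned size, max_size;
 unsigned long linear;
 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
 struct segmented_address addr = { .seg = VCPU_SREG_CS,
 .ea = ctxt->eip + cur_size };
 
-size = 15UL ^ cur_size;
-rc = __linearize(ctxt, addr, size, false, true, &linear);
+/*
+* We do not know exactly how many bytes will be needed, and
+* __linearize is expensive, so fetch as much as possible. We
+* just have to avoid going beyond the 15 byte limit, the end
+* of the segment, or the end of the page.
+*
+* __linearize is called with size 0 so that it does not do any
+* boundary check itself. Instead, we use max_size to check
+* against op_size.
+*/
+rc = __linearize(ctxt, addr, &max_size, 0, false, true, &linear);
 if (unlikely(rc != X86EMUL_CONTINUE))
 return rc;
 
+size = min_t(unsigned, 15UL ^ cur_size, max_size);
 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
 
 /*
@@ -790,7 +766,8 @@
 * still, we must have hit the 15-byte boundary.
 */
 if (unlikely(size < op_size))
-return X86EMUL_UNHANDLEABLE;
+return emulate_gp(ctxt, 0);
+
 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
 size, &ctxt->exception);
 if (unlikely(rc != X86EMUL_CONTINUE))
@@ -2037,7 +2012,7 @@
 
 rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
 if (rc != X86EMUL_CONTINUE) {
-WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
 /* assigning eip failed; restore the old cs */
 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
 return rc;
@@ -2134,7 +2109,7 @@
 return rc;
 rc = assign_eip_far(ctxt, eip, new_desc.l);
 if (rc != X86EMUL_CONTINUE) {
-WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
 }
 return rc;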
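Review bot: In the X86EMUL_MODE_PROT64 branch of __linearize (third hunk), `*max_size = min_t(u64, ~0u, (1ull << 48) - la);` does not agree with the canonical check two lines above it: `((signed long)la << 16) >> 16 != la` sign-extends from bit 47, so the lower canonical half ends at 1ull << 47, and with the 48-bit constant an access that starts just below 0x00007fffffffffff passes the new size check yet extends into the non-canonical hole. For a canonical address in the upper half the subtraction wraps and min_t pins *max_size to ~0u, so the check does not bound the access there at all. If the bound is meant to stop at the canonical boundary, `*max_size = min_t(u64, ~0u, ((la >> 47) ? 0ull : (1ull << 47)) - la);` gives the remaining bytes in either half; whether hardware actually raises #GP for an operand crossing into the hole is worth confirming against the SDM before changing it. For the instruction-fetch caller this is moot because max_size is then capped at 15 bytes in __do_insn_fetch_bytes, so it only matters for data accesses; __linearize's body continues outside the hunk.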
+5 -1
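--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4579,7 +4579,7 @@
 vmcs_write32(TPR_THRESHOLD, 0);
 }
 
-kvm_vcpu_reload_apic_access_page(vcpu);
+kvm_make_request(KVM_REQ_APIC_PAGE_RELOAD, vcpu);
 
 if (vmx_vm_has_apicv(vcpu->kvm))
 memset(&vmx->pi_desc, 0, sizeof(struct pi_desc));
@@ -6426,6 +6426,8 @@
 const unsigned long *fields = shadow_read_write_fields;
 const int num_fields = max_shadow_read_write_fields;
 
+preempt_disable();
+
 vmcs_load(shadow_vmcs);
 
 for (i = 0; i < num_fields; i++) {
@@ -6451,6 +6449,8 @@
 
 vmcs_clear(shadow_vmcs);
 vmcs_load(vmx->loaded_vmcs->vmcs);
+
+preempt_enable();
 }
 
 static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx)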
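Review bot: The preempt_disable()/preempt_enable() pair added around the vmcs_load(shadow_vmcs) ... vmcs_load(vmx->loaded_vmcs->vmcs) sequence (second and third hunks) carries no comment explaining the invariant it protects, which is exactly the kind of thing a later refactor drops silently; suggest `/* vmcs_load() switches this CPU's current VMCS; a preemption here could leave the shadow VMCS current or resume on another CPU, so the load/read/clear/reload sequence must not be interrupted. */` above preempt_disable(). The function's header and the loop body are outside the hunks, so confirm nothing between the two new lines can sleep or schedule. copy_vmcs12_to_shadow(), whose signature closes the last hunk, presumably performs the same vmcs_load/vmcs_clear dance; check whether its callers already run with preemption disabled rather than assuming symmetry either way.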