user/sven/linux.git/virt, branch v3.17Linux Kernel
https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.172014-09-23T13:18:02ZMerge tag 'kvm-arm-for-v3.17-rc7-or-final' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm-master2014-09-23T13:18:02ZPaolo Bonzinipbonzini@redhat.com2014-09-23T13:18:02Zurn:sha1:954263938706bf62d36e81b6b49f313390f2ed35
Fixes unaligned access to the gicv2 virtual cpu status.
arm/arm64: KVM: Fix unaligned access bug on gicv2 access2014-09-22T21:05:56ZChristoffer Dallchristoffer.dall@linaro.org2014-09-22T20:10:36Zurn:sha1:1f2bb4acc125edc2c06db3ad3e8c699bc075ad52
We were using an atomic bitop on the vgic_v2.vgic_elrsr field which was
not aligned to the natural size on 64-bit platforms. This bug showed up
after QEMU correctly identifies the pl011 line as being level-triggered,
and not edge-triggered.
These data structures are protected by a spinlock so simply use a
non-atomic version of the accessor instead.
Tested-by: Joel Schopp <joel.schopp@amd.com>
Reported-by: Riku Voipio <riku.voipio@linaro.org>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
KVM: correct null pid check in kvm_vcpu_yield_to()2014-09-22T11:21:29ZSam Bobroffsam.bobroff@au1.ibm.com2014-09-18T23:40:41Zurn:sha1:27fbe64bfa63cfb9da025975b59d96568caa2d53
Correct a simple mistake of checking the wrong variable
before a dereference, resulting in the dereference not being
properly protected by rcu_dereference().
Signed-off-by: Sam Bobroff <sam.bobroff@au1.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM: check for !is_zero_pfn() in kvm_is_mmio_pfn()2014-09-14T14:26:05ZArd Biesheuvelard.biesheuvel@linaro.org2014-09-12T13:16:00Zurn:sha1:85c8555ff07ef09261bd50d603cd4290cff5a8cc
Read-only memory ranges may be backed by the zero page, so avoid
misidentifying it a a MMIO pfn.
This fixes another issue I identified when testing QEMU+KVM_UEFI, where
a read to an uninitialized emulated NOR flash brought in the zero page,
but mapped as a read-write device region, because kvm_is_mmio_pfn()
misidentifies it as a MMIO pfn due to its PG_reserved bit being set.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Fixes: b88657674d39 ("ARM: KVM: user_mem_abort: support stage 2 MMIO page mapping")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it2014-08-19T13:12:28ZChen Ganggang.chen.5i5j@gmail.com2014-08-08T15:37:59Zurn:sha1:30d1e0e806e5b2fadc297ba78f2d7afd6ba309cf
As a generic function, deassign_guest_irq() assumes it can be called
even if assign_guest_irq() is not be called successfully (which can be
triggered by ioctl from user mode, indirectly).
So for assign_guest_irq() failure process, need set 'dev->irq_source_id'
to -1 after free 'dev->irq_source_id', or deassign_guest_irq() may free
it again.
Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)2014-08-19T13:04:45ZMichael S. Tsirkinmst@redhat.com2014-08-19T11:14:50Zurn:sha1:350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7
The third parameter of kvm_iommu_put_pages is wrong,
It should be 'gfn - slot->base_gfn'.
By making gfn very large, malicious guest or userspace can cause kvm to
go to this error path, and subsequently to pass a huge value as size.
Alternatively if gfn is small, then pages would be pinned but never
unpinned, causing host memory leak and local DOS.
Passing a reasonable but large value could be the most dangerous case,
because it would unpin a page that should have stayed pinned, and thus
allow the device to DMA into arbitrary memory. However, this cannot
happen because of the condition that can trigger the error:
- out of memory (where you can't allocate even a single page)
should not be possible for the attacker to trigger
- when exceeding the iommu's address space, guest pages after gfn
will also exceed the iommu's address space, and inside
kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
page thus would not be unpinned at all.
Reported-by: Jack Morgenstein <jackm@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM: Move more code under CONFIG_HAVE_KVM_IRQFD2014-08-06T12:24:47ZPaolo Bonzinipbonzini@redhat.com2014-08-06T12:24:45Zurn:sha1:c77dcacb397519b6ade8f08201a4a90a7f4f751e
Commits e4d57e1ee1ab (KVM: Move irq notifier implementation into
eventfd.c, 2014-06-30) included the irq notifier code unconditionally
in eventfd.c, while it was under CONFIG_HAVE_KVM_IRQCHIP before.
Similarly, commit 297e21053a52 (KVM: Give IRQFD its own separate enabling
Kconfig option, 2014-06-30) moved code from CONFIG_HAVE_IRQ_ROUTING
to CONFIG_HAVE_KVM_IRQFD but forgot to move the pieces that used to be
under CONFIG_HAVE_KVM_IRQCHIP.
Together, this broke compilation without CONFIG_KVM_XICS. Fix by adding
or changing the #ifdefs so that they point at CONFIG_HAVE_KVM_IRQFD.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM: Give IRQFD its own separate enabling Kconfig option2014-08-05T12:26:28ZPaul Mackerraspaulus@samba.org2014-06-30T10:51:13Zurn:sha1:297e21053a52f060944e9f0de4c64fad9bcd72fc
Currently, the IRQFD code is conditional on CONFIG_HAVE_KVM_IRQ_ROUTING.
So that we can have the IRQFD code compiled in without having the
IRQ routing code, this creates a new CONFIG_HAVE_KVM_IRQFD, makes
the IRQFD code conditional on it instead of CONFIG_HAVE_KVM_IRQ_ROUTING,
and makes all the platforms that currently select HAVE_KVM_IRQ_ROUTING
also select HAVE_KVM_IRQFD.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Tested-by: Eric Auger <eric.auger@linaro.org>
Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM: Move irq notifier implementation into eventfd.c2014-08-05T12:26:24ZPaul Mackerraspaulus@samba.org2014-06-30T10:51:12Zurn:sha1:e4d57e1ee1ab59f0cef0272800ac6c52e0ec814a
This moves the functions kvm_irq_has_notifier(), kvm_notify_acked_irq(),
kvm_register_irq_ack_notifier() and kvm_unregister_irq_ack_notifier()
from irqchip.c to eventfd.c. The reason for doing this is that those
functions are used in connection with IRQFDs, which are implemented in
eventfd.c. In future we will want to use IRQFDs on platforms that
don't implement the GSI routing implemented in irqchip.c, so we won't
be compiling in irqchip.c, but we still need the irq notifiers. The
implementation is unchanged.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Tested-by: Eric Auger <eric.auger@linaro.org>
Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM: Move all accesses to kvm::irq_routing into irqchip.c2014-08-05T12:26:20ZPaul Mackerraspaulus@samba.org2014-06-30T10:51:11Zurn:sha1:9957c86d659a4d5a2bed25ccbd3bfc9c3f25e658
Now that struct _irqfd does not keep a reference to storage pointed
to by the irq_routing field of struct kvm, we can move the statement
that updates it out from under the irqfds.lock and put it in
kvm_set_irq_routing() instead. That means we then have to take a
srcu_read_lock on kvm->irq_srcu around the irqfd_update call in
kvm_irqfd_assign(), since holding the kvm->irqfds.lock no longer
ensures that that the routing can't change.
Combined with changing kvm_irq_map_gsi() and kvm_irq_map_chip_pin()
to take a struct kvm * argument instead of the pointer to the routing
table, this allows us to to move all references to kvm->irq_routing
into irqchip.c. That in turn allows us to move the definition of the
kvm_irq_routing_table struct into irqchip.c as well.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Tested-by: Eric Auger <eric.auger@linaro.org>
Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>