Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM updates from Paolo Bonzini:
 "One NULL pointer dereference, and two fixes for regressions introduced
  during the merge window.

  The rest are fixes for MIPS, s390 and nested VMX"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm: x86: Check memopp before dereference (CVE-2016-8630)
  kvm: nVMX: VMCLEAR an active shadow VMCS after last use
  KVM: x86: drop TSC offsetting kvm_x86_ops to fix KVM_GET/SET_CLOCK
  KVM: x86: fix wbinvd_dirty_mask use-after-free
  kvm/x86: Show WRMSR data is in hex
  kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
  KVM: document lock orders
  KVM: fix OOPS on flush_work
  KVM: s390: Fix STHYI buffer alignment for diag224
  KVM: MIPS: Precalculate MMIO load resume PC
  KVM: MIPS: Make ERET handle ERL before EXL
  KVM: MIPS: Fix lazy user ASID regenerate for SMP

2 files changed, 25 insertions, 3 deletions

diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
index f397e9b20370..a29786dd9522 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -42,6 +42,7 @@
 
 #ifdef CONFIG_HAVE_KVM_IRQFD
 
+static struct workqueue_struct *irqfd_cleanup_wq;
 
 static void
 irqfd_inject(struct work_struct *work)
@@ -167,7 +168,7 @@ irqfd_deactivate(struct kvm_kernel_irqfd *irqfd)
 
         list_del_init(&irqfd->list);
 
-        schedule_work(&irqfd->shutdown);
+        queue_work(irqfd_cleanup_wq, &irqfd->shutdown);
 }
 
 int __attribute__((weak)) kvm_arch_set_irq_inatomic(
@@ -554,7 +555,7 @@ kvm_irqfd_deassign(struct kvm *kvm, struct kvm_irqfd *args)
          * so that we guarantee there will not be any more interrupts on this
          * gsi once this deassign function returns.
          */
-        flush_work(&irqfd->shutdown);
+        flush_workqueue(irqfd_cleanup_wq);
 
         return 0;
 }
@@ -591,7 +592,7 @@ kvm_irqfd_release(struct kvm *kvm)
          * Block until we know all outstanding shutdown jobs have completed
          * since we do not take a kvm* reference.
          */
-        flush_work(&irqfd->shutdown);
+        flush_workqueue(irqfd_cleanup_wq);
 
 }
 
@@ -621,8 +622,23 @@ void kvm_irq_routing_update(struct kvm *kvm)
         spin_unlock_irq(&kvm->irqfds.lock);
 }
 
+/*
+ * create a host-wide workqueue for issuing deferred shutdown requests
+ * aggregated from all vm* instances. We need our own isolated
+ * queue to ease flushing work items when a VM exits.
+ */
+int kvm_irqfd_init(void)
+{
+        irqfd_cleanup_wq = alloc_workqueue("kvm-irqfd-cleanup", 0, 0);
+        if (!irqfd_cleanup_wq)
+                return -ENOMEM;
+
+        return 0;
+}
+
 void kvm_irqfd_exit(void)
 {
+        destroy_workqueue(irqfd_cleanup_wq);
 }
 #endif
 
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 2907b7b78654..5c360347a1e9 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3844,7 +3844,12 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
          * kvm_arch_init makes sure there's at most one caller
          * for architectures that support multiple implementations,
          * like intel and amd on x86.
+         * kvm_arch_init must be called before kvm_irqfd_init to avoid creating
+         * conflicts in case kvm is already setup for another implementation.
          */
+        r = kvm_irqfd_init();
+        if (r)
+                goto out_irqfd;
 
         if (!zalloc_cpumask_var(&cpus_hardware_enabled, GFP_KERNEL)) {
                 r = -ENOMEM;
@@ -3926,6 +3931,7 @@ out_free_0a:
         free_cpumask_var(cpus_hardware_enabled);
 out_free_0:
         kvm_irqfd_exit();
+out_irqfd:
         kvm_arch_exit();
 out_fail:
         return r;