Merge tag 'kvm-arm-for-v4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm

KVM/ARM Fixes for v4.12-rc2.

Includes:
 - A fix for a build failure introduced in -rc1 when tracepoints are
   enabled on 32-bit ARM.
 - Disabling use of stack pointer protection in the hyp code which can
   cause panics.
 - A handful of VGIC fixes.
 - A fix to the init of the redistributors on GICv3 systems that
   prevented boot with kvmtool on GICv3 systems introduced in -rc1.
 - A number of race conditions fixed in our MMU handling code.
 - A fix for the guest being able to program the debug extensions for
   the host on the 32-bit side.

14 files changed, 150 insertions, 66 deletions

diff --git a/arch/arm/include/asm/kvm_coproc.h b/arch/arm/include/asm/kvm_coproc.h
index 4917c2f7e459..e74ab0fbab79 100644
--- a/arch/arm/include/asm/kvm_coproc.h
+++ b/arch/arm/include/asm/kvm_coproc.h
@@ -31,7 +31,8 @@ void kvm_register_target_coproc_table(struct kvm_coproc_target_table *table);
 int kvm_handle_cp10_id(struct kvm_vcpu *vcpu, struct kvm_run *run);
 int kvm_handle_cp_0_13_access(struct kvm_vcpu *vcpu, struct kvm_run *run);
 int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run);
-int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run);
+int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run);
+int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run);
 int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run);
 int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run);
 
diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
index 2c14b69511e9..6d1d2e26dfe5 100644
--- a/arch/arm/kvm/coproc.c
+++ b/arch/arm/kvm/coproc.c
@@ -32,6 +32,7 @@
 #include <asm/vfp.h>
 #include "../vfp/vfpinstr.h"
 
+#define CREATE_TRACE_POINTS
 #include "trace.h"
 #include "coproc.h"
 
@@ -111,12 +112,6 @@ int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run)
         return 1;
 }
 
-int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run)
-{
-        kvm_inject_undefined(vcpu);
-        return 1;
-}
-
 static void reset_mpidr(struct kvm_vcpu *vcpu, const struct coproc_reg *r)
 {
         /*
@@ -284,7 +279,7 @@ static bool access_gic_sre(struct kvm_vcpu *vcpu,
  * must always support PMCCNTR (the cycle counter): we just RAZ/WI for
  * all PM registers, which doesn't crash the guest kernel at least.
  */
-static bool pm_fake(struct kvm_vcpu *vcpu,
+static bool trap_raz_wi(struct kvm_vcpu *vcpu,
                     const struct coproc_params *p,
                     const struct coproc_reg *r)
 {
@@ -294,19 +289,19 @@ static bool pm_fake(struct kvm_vcpu *vcpu,
                 return read_zero(vcpu, p);
 }
 
-#define access_pmcr pm_fake
-#define access_pmcntenset pm_fake
-#define access_pmcntenclr pm_fake
-#define access_pmovsr pm_fake
-#define access_pmselr pm_fake
-#define access_pmceid0 pm_fake
-#define access_pmceid1 pm_fake
-#define access_pmccntr pm_fake
-#define access_pmxevtyper pm_fake
-#define access_pmxevcntr pm_fake
-#define access_pmuserenr pm_fake
-#define access_pmintenset pm_fake
-#define access_pmintenclr pm_fake
+#define access_pmcr trap_raz_wi
+#define access_pmcntenset trap_raz_wi
+#define access_pmcntenclr trap_raz_wi
+#define access_pmovsr trap_raz_wi
+#define access_pmselr trap_raz_wi
+#define access_pmceid0 trap_raz_wi
+#define access_pmceid1 trap_raz_wi
+#define access_pmccntr trap_raz_wi
+#define access_pmxevtyper trap_raz_wi
+#define access_pmxevcntr trap_raz_wi
+#define access_pmuserenr trap_raz_wi
+#define access_pmintenset trap_raz_wi
+#define access_pmintenclr trap_raz_wi
 
 /* Architected CP15 registers.
  * CRn denotes the primary register number, but is copied to the CRm in the
@@ -532,12 +527,7 @@ static int emulate_cp15(struct kvm_vcpu *vcpu,
         return 1;
 }
 
-/**
- * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access
- * @vcpu: The VCPU pointer
- * @run:  The kvm_run struct
- */
-int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
+static struct coproc_params decode_64bit_hsr(struct kvm_vcpu *vcpu)
 {
         struct coproc_params params;
 
@@ -551,9 +541,38 @@ int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
         params.Rt2 = (kvm_vcpu_get_hsr(vcpu) >> 10) & 0xf;
         params.CRm = 0;
 
+        return params;
+}
+
+/**
+ * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access
+ * @vcpu: The VCPU pointer
+ * @run:  The kvm_run struct
+ */
+int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+        struct coproc_params params = decode_64bit_hsr(vcpu);
+
         return emulate_cp15(vcpu, &params);
 }
 
+/**
+ * kvm_handle_cp14_64 -- handles a mrrc/mcrr trap on a guest CP14 access
+ * @vcpu: The VCPU pointer
+ * @run:  The kvm_run struct
+ */
+int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+        struct coproc_params params = decode_64bit_hsr(vcpu);
+
+        /* raz_wi cp14 */
+        trap_raz_wi(vcpu, &params, NULL);
+
+        /* handled */
+        kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+        return 1;
+}
+
 static void reset_coproc_regs(struct kvm_vcpu *vcpu,
                               const struct coproc_reg *table, size_t num)
 {
@@ -564,12 +583,7 @@ static void reset_coproc_regs(struct kvm_vcpu *vcpu,
                         table[i].reset(vcpu, &table[i]);
 }
 
-/**
- * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access
- * @vcpu: The VCPU pointer
- * @run:  The kvm_run struct
- */
-int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run)
+static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu)
 {
         struct coproc_params params;
 
@@ -583,9 +597,37 @@ int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run)
         params.Op2 = (kvm_vcpu_get_hsr(vcpu) >> 17) & 0x7;
         params.Rt2 = 0;
 
+        return params;
+}
+
+/**
+ * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access
+ * @vcpu: The VCPU pointer
+ * @run:  The kvm_run struct
+ */
+int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+        struct coproc_params params = decode_32bit_hsr(vcpu);
         return emulate_cp15(vcpu, &params);
 }
 
+/**
+ * kvm_handle_cp14_32 -- handles a mrc/mcr trap on a guest CP14 access
+ * @vcpu: The VCPU pointer
+ * @run:  The kvm_run struct
+ */
+int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+        struct coproc_params params = decode_32bit_hsr(vcpu);
+
+        /* raz_wi cp14 */
+        trap_raz_wi(vcpu, &params, NULL);
+
+        /* handled */
+        kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+        return 1;
+}
+
 /******************************************************************************
  * Userspace API
  *****************************************************************************/
diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c
index 5fd7968cdae9..f86a9aaef462 100644
--- a/arch/arm/kvm/handle_exit.c
+++ b/arch/arm/kvm/handle_exit.c
@@ -95,9 +95,9 @@ static exit_handle_fn arm_exit_handlers[] = {
         [HSR_EC_WFI]            = kvm_handle_wfx,
         [HSR_EC_CP15_32]        = kvm_handle_cp15_32,
         [HSR_EC_CP15_64]        = kvm_handle_cp15_64,
-        [HSR_EC_CP14_MR]        = kvm_handle_cp14_access,
+        [HSR_EC_CP14_MR]        = kvm_handle_cp14_32,
         [HSR_EC_CP14_LS]        = kvm_handle_cp14_load_store,
-        [HSR_EC_CP14_64]        = kvm_handle_cp14_access,
+        [HSR_EC_CP14_64]        = kvm_handle_cp14_64,
         [HSR_EC_CP_0_13]        = kvm_handle_cp_0_13_access,
         [HSR_EC_CP10_ID]        = kvm_handle_cp10_id,
         [HSR_EC_HVC]            = handle_hvc,
diff --git a/arch/arm/kvm/hyp/Makefile b/arch/arm/kvm/hyp/Makefile
index 3023bb530edf..8679405b0b2b 100644
--- a/arch/arm/kvm/hyp/Makefile
+++ b/arch/arm/kvm/hyp/Makefile
@@ -2,6 +2,8 @@
 # Makefile for Kernel-based Virtual Machine module, HYP part
 #
 
+ccflags-y += -fno-stack-protector
+
 KVM=../../../../virt/kvm
 
 obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o
diff --git a/arch/arm/kvm/hyp/switch.c b/arch/arm/kvm/hyp/switch.c
index 92678b7bd046..624a510d31df 100644
--- a/arch/arm/kvm/hyp/switch.c
+++ b/arch/arm/kvm/hyp/switch.c
@@ -48,7 +48,9 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu, u32 *fpexc_host)
         write_sysreg(HSTR_T(15), HSTR);
         write_sysreg(HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11), HCPTR);
         val = read_sysreg(HDCR);
-        write_sysreg(val | HDCR_TPM | HDCR_TPMCR, HDCR);
+        val |= HDCR_TPM | HDCR_TPMCR; /* trap performance monitors */
+        val |= HDCR_TDRA | HDCR_TDOSA | HDCR_TDA; /* trap debug regs */
+        write_sysreg(val, HDCR);
 }
 
 static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu)
diff --git a/arch/arm/kvm/trace.h b/arch/arm/kvm/trace.h
index fc0943776db2..b0d10648c486 100644
--- a/arch/arm/kvm/trace.h
+++ b/arch/arm/kvm/trace.h
@@ -1,5 +1,5 @@
-#if !defined(_TRACE_KVM_H) || defined(TRACE_HEADER_MULTI_READ)
-#define _TRACE_KVM_H
+#if !defined(_TRACE_ARM_KVM_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_ARM_KVM_H
 
 #include <linux/tracepoint.h>
 
@@ -74,10 +74,10 @@ TRACE_EVENT(kvm_hvc,
                   __entry->vcpu_pc, __entry->r0, __entry->imm)
 );
 
-#endif /* _TRACE_KVM_H */
+#endif /* _TRACE_ARM_KVM_H */
 
 #undef TRACE_INCLUDE_PATH
-#define TRACE_INCLUDE_PATH arch/arm/kvm
+#define TRACE_INCLUDE_PATH .
 #undef TRACE_INCLUDE_FILE
 #define TRACE_INCLUDE_FILE trace
 
diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile
index aaf42ae8d8c3..14c4e3b14bcb 100644
--- a/arch/arm64/kvm/hyp/Makefile
+++ b/arch/arm64/kvm/hyp/Makefile
@@ -2,6 +2,8 @@
 # Makefile for Kernel-based Virtual Machine module, HYP part
 #
 
+ccflags-y += -fno-stack-protector
+
 KVM=../../../../virt/kvm
 
 obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o
diff --git a/include/kvm/arm_vgic.h b/include/kvm/arm_vgic.h
index 97b8d3728b31..ef718586321c 100644
--- a/include/kvm/arm_vgic.h
+++ b/include/kvm/arm_vgic.h
@@ -195,7 +195,10 @@ struct vgic_dist {
                 /* either a GICv2 CPU interface */
                 gpa_t                   vgic_cpu_base;
                 /* or a number of GICv3 redistributor regions */
-                gpa_t                   vgic_redist_base;
+                struct {
+                        gpa_t           vgic_redist_base;
+                        gpa_t           vgic_redist_free_offset;
+                };
         };
 
         /* distributor enabled */
diff --git a/virt/kvm/arm/hyp/vgic-v3-sr.c b/virt/kvm/arm/hyp/vgic-v3-sr.c
index bce6037cf01d..32c3295929b0 100644
--- a/virt/kvm/arm/hyp/vgic-v3-sr.c
+++ b/virt/kvm/arm/hyp/vgic-v3-sr.c
@@ -22,7 +22,7 @@
 #include <asm/kvm_hyp.h>
 
 #define vtr_to_max_lr_idx(v)            ((v) & 0xf)
-#define vtr_to_nr_pri_bits(v)           (((u32)(v) >> 29) + 1)
+#define vtr_to_nr_pre_bits(v)           (((u32)(v) >> 26) + 1)
 
 static u64 __hyp_text __gic_v3_get_lr(unsigned int lr)
 {
@@ -135,13 +135,13 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
 
         if (used_lrs) {
                 int i;
-                u32 nr_pri_bits;
+                u32 nr_pre_bits;
 
                 cpu_if->vgic_elrsr = read_gicreg(ICH_ELSR_EL2);
 
                 write_gicreg(0, ICH_HCR_EL2);
                 val = read_gicreg(ICH_VTR_EL2);
-                nr_pri_bits = vtr_to_nr_pri_bits(val);
+                nr_pre_bits = vtr_to_nr_pre_bits(val);
 
                 for (i = 0; i < used_lrs; i++) {
                         if (cpu_if->vgic_elrsr & (1 << i))
@@ -152,7 +152,7 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
                         __gic_v3_set_lr(0, i);
                 }
 
-                switch (nr_pri_bits) {
+                switch (nr_pre_bits) {
                 case 7:
                         cpu_if->vgic_ap0r[3] = read_gicreg(ICH_AP0R3_EL2);
                         cpu_if->vgic_ap0r[2] = read_gicreg(ICH_AP0R2_EL2);
@@ -162,7 +162,7 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
                         cpu_if->vgic_ap0r[0] = read_gicreg(ICH_AP0R0_EL2);
                 }
 
-                switch (nr_pri_bits) {
+                switch (nr_pre_bits) {
                 case 7:
                         cpu_if->vgic_ap1r[3] = read_gicreg(ICH_AP1R3_EL2);
                         cpu_if->vgic_ap1r[2] = read_gicreg(ICH_AP1R2_EL2);
@@ -198,7 +198,7 @@ void __hyp_text __vgic_v3_restore_state(struct kvm_vcpu *vcpu)
         struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3;
         u64 used_lrs = vcpu->arch.vgic_cpu.used_lrs;
         u64 val;
-        u32 nr_pri_bits;
+        u32 nr_pre_bits;
         int i;
 
         /*
@@ -217,12 +217,12 @@ void __hyp_text __vgic_v3_restore_state(struct kvm_vcpu *vcpu)
         }
 
         val = read_gicreg(ICH_VTR_EL2);
-        nr_pri_bits = vtr_to_nr_pri_bits(val);
+        nr_pre_bits = vtr_to_nr_pre_bits(val);
 
         if (used_lrs) {
                 write_gicreg(cpu_if->vgic_hcr, ICH_HCR_EL2);
 
-                switch (nr_pri_bits) {
+                switch (nr_pre_bits) {
                 case 7:
                         write_gicreg(cpu_if->vgic_ap0r[3], ICH_AP0R3_EL2);
                         write_gicreg(cpu_if->vgic_ap0r[2], ICH_AP0R2_EL2);
@@ -232,7 +232,7 @@ void __hyp_text __vgic_v3_restore_state(struct kvm_vcpu *vcpu)
                         write_gicreg(cpu_if->vgic_ap0r[0], ICH_AP0R0_EL2);
                 }
 
-                switch (nr_pri_bits) {
+                switch (nr_pre_bits) {
                 case 7:
                         write_gicreg(cpu_if->vgic_ap1r[3], ICH_AP1R3_EL2);
                         write_gicreg(cpu_if->vgic_ap1r[2], ICH_AP1R2_EL2);
diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index 313ee646480f..a2d63247d1bb 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -295,6 +295,13 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size)
         assert_spin_locked(&kvm->mmu_lock);
         pgd = kvm->arch.pgd + stage2_pgd_index(addr);
         do {
+                /*
+                 * Make sure the page table is still active, as another thread
+                 * could have possibly freed the page table, while we released
+                 * the lock.
+                 */
+                if (!READ_ONCE(kvm->arch.pgd))
+                        break;
                 next = stage2_pgd_addr_end(addr, end);
                 if (!stage2_pgd_none(*pgd))
                         unmap_stage2_puds(kvm, pgd, addr, next);
@@ -829,22 +836,22 @@ void stage2_unmap_vm(struct kvm *kvm)
  * Walks the level-1 page table pointed to by kvm->arch.pgd and frees all
  * underlying level-2 and level-3 tables before freeing the actual level-1 table
  * and setting the struct pointer to NULL.
- *
- * Note we don't need locking here as this is only called when the VM is
- * destroyed, which can only be done once.
  */
 void kvm_free_stage2_pgd(struct kvm *kvm)
 {
-        if (kvm->arch.pgd == NULL)
-                return;
+        void *pgd = NULL;
 
         spin_lock(&kvm->mmu_lock);
-        unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
+        if (kvm->arch.pgd) {
+                unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
+                pgd = READ_ONCE(kvm->arch.pgd);
+                kvm->arch.pgd = NULL;
+        }
         spin_unlock(&kvm->mmu_lock);
 
         /* Free the HW pgd, one page at a time */
-        free_pages_exact(kvm->arch.pgd, S2_PGD_SIZE);
-        kvm->arch.pgd = NULL;
+        if (pgd)
+                free_pages_exact(pgd, S2_PGD_SIZE);
 }
 
 static pud_t *stage2_get_pud(struct kvm *kvm, struct kvm_mmu_memory_cache *cache,
@@ -1170,11 +1177,13 @@ static void stage2_wp_range(struct kvm *kvm, phys_addr_t addr, phys_addr_t end)
                  * large. Otherwise, we may see kernel panics with
                  * CONFIG_DETECT_HUNG_TASK, CONFIG_LOCKUP_DETECTOR,
                  * CONFIG_LOCKDEP. Additionally, holding the lock too long
-                 * will also starve other vCPUs.
+                 * will also starve other vCPUs. We have to also make sure
+                 * that the page tables are not freed while we released
+                 * the lock.
                  */
-                if (need_resched() || spin_needbreak(&kvm->mmu_lock))
-                        cond_resched_lock(&kvm->mmu_lock);
-
+                cond_resched_lock(&kvm->mmu_lock);
+                if (!READ_ONCE(kvm->arch.pgd))
+                        break;
                 next = stage2_pgd_addr_end(addr, end);
                 if (stage2_pgd_present(*pgd))
                         stage2_wp_puds(pgd, addr, next);
diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c
index dc68e2e424ab..3a0b8999f011 100644
--- a/virt/kvm/arm/vgic/vgic-init.c
+++ b/virt/kvm/arm/vgic/vgic-init.c
@@ -242,8 +242,11 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu)
          * If we are creating a VCPU with a GICv3 we must also register the
          * KVM io device for the redistributor that belongs to this VCPU.
          */
-        if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3)
+        if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) {
+                mutex_lock(&vcpu->kvm->lock);
                 ret = vgic_register_redist_iodev(vcpu);
+                mutex_unlock(&vcpu->kvm->lock);
+        }
         return ret;
 }
 
diff --git a/virt/kvm/arm/vgic/vgic-mmio-v3.c b/virt/kvm/arm/vgic/vgic-mmio-v3.c
index 99da1a207c19..201d5e2e973d 100644
--- a/virt/kvm/arm/vgic/vgic-mmio-v3.c
+++ b/virt/kvm/arm/vgic/vgic-mmio-v3.c
@@ -586,7 +586,7 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu)
         if (!vgic_v3_check_base(kvm))
                 return -EINVAL;
 
-        rd_base = vgic->vgic_redist_base + kvm_vcpu_get_idx(vcpu) * SZ_64K * 2;
+        rd_base = vgic->vgic_redist_base + vgic->vgic_redist_free_offset;
         sgi_base = rd_base + SZ_64K;
 
         kvm_iodevice_init(&rd_dev->dev, &kvm_io_gic_ops);
@@ -614,11 +614,15 @@ int vgic_register_redist_iodev(struct kvm_vcpu *vcpu)
         mutex_lock(&kvm->slots_lock);
         ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, sgi_base,
                                       SZ_64K, &sgi_dev->dev);
-        mutex_unlock(&kvm->slots_lock);
-        if (ret)
+        if (ret) {
                 kvm_io_bus_unregister_dev(kvm, KVM_MMIO_BUS,
                                           &rd_dev->dev);
+                goto out;
+        }
 
+        vgic->vgic_redist_free_offset += 2 * SZ_64K;
+out:
+        mutex_unlock(&kvm->slots_lock);
         return ret;
 }
 
@@ -644,10 +648,12 @@ static int vgic_register_all_redist_iodevs(struct kvm *kvm)
 
         if (ret) {
                 /* The current c failed, so we start with the previous one. */
+                mutex_lock(&kvm->slots_lock);
                 for (c--; c >= 0; c--) {
                         vcpu = kvm_get_vcpu(kvm, c);
                         vgic_unregister_redist_iodev(vcpu);
                 }
+                mutex_unlock(&kvm->slots_lock);
         }
 
         return ret;
diff --git a/virt/kvm/arm/vgic/vgic-v2.c b/virt/kvm/arm/vgic/vgic-v2.c
index a65757aab6d3..504b4bd0d651 100644
--- a/virt/kvm/arm/vgic/vgic-v2.c
+++ b/virt/kvm/arm/vgic/vgic-v2.c
@@ -149,6 +149,13 @@ void vgic_v2_populate_lr(struct kvm_vcpu *vcpu, struct vgic_irq *irq, int lr)
         if (irq->hw) {
                 val |= GICH_LR_HW;
                 val |= irq->hwintid << GICH_LR_PHYSID_CPUID_SHIFT;
+                /*
+                 * Never set pending+active on a HW interrupt, as the
+                 * pending state is kept at the physical distributor
+                 * level.
+                 */
+                if (irq->active && irq_is_pending(irq))
+                        val &= ~GICH_LR_PENDING_BIT;
         } else {
                 if (irq->config == VGIC_CONFIG_LEVEL)
                         val |= GICH_LR_EOI;
diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
index 8fa737edde6f..6fe3f003636a 100644
--- a/virt/kvm/arm/vgic/vgic-v3.c
+++ b/virt/kvm/arm/vgic/vgic-v3.c
@@ -127,6 +127,13 @@ void vgic_v3_populate_lr(struct kvm_vcpu *vcpu, struct vgic_irq *irq, int lr)
         if (irq->hw) {
                 val |= ICH_LR_HW;
                 val |= ((u64)irq->hwintid) << ICH_LR_PHYS_ID_SHIFT;
+                /*
+                 * Never set pending+active on a HW interrupt, as the
+                 * pending state is kept at the physical distributor
+                 * level.
+                 */
+                if (irq->active && irq_is_pending(irq))
+                        val &= ~ICH_LR_PENDING_BIT;
         } else {
                 if (irq->config == VGIC_CONFIG_LEVEL)
                         val |= ICH_LR_EOI;