diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-02-28 14:45:03 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-02-28 14:45:03 -0500 |
| commit | d8efcf38b13df3e9e889cf7cc214cb85dc53600c (patch) | |
| tree | b47d0f6217a2fb70d77338f2f5f2f231ee47ce62 | |
| parent | 78d9e93440dd6a31d6175fbecb2f2b446d821f7c (diff) | |
| parent | 1b385cbdd74aa803e966e01e5fe49490d6044e30 (diff) | |
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull KVM fixes from Paolo Bonzini:
"Three x86 fixes and one for ARM/ARM64.
In particular, nested virtualization on Intel is broken in 3.13 and
fixed by this pull request"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
kvm, vmx: Really fix lazy FPU on nested guest
kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
arm/arm64: KVM: detect CPU reset on CPU_PM_EXIT
KVM: MMU: drop read-only large sptes when creating lower level sptes
| -rw-r--r-- | arch/arm/kvm/arm.c | 3 | ||||
| -rw-r--r-- | arch/arm/kvm/interrupts.S | 11 | ||||
| -rw-r--r-- | arch/arm64/kvm/hyp.S | 27 | ||||
| -rw-r--r-- | arch/x86/kvm/mmu.c | 1 | ||||
| -rw-r--r-- | arch/x86/kvm/vmx.c | 2 | ||||
| -rw-r--r-- | arch/x86/kvm/x86.c | 2 |
6 files changed, 40 insertions, 6 deletions
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c index 1d8248ea5669..bd18bb8b2770 100644 --- a/arch/arm/kvm/arm.c +++ b/arch/arm/kvm/arm.c | |||
| @@ -878,7 +878,8 @@ static int hyp_init_cpu_pm_notifier(struct notifier_block *self, | |||
| 878 | unsigned long cmd, | 878 | unsigned long cmd, |
| 879 | void *v) | 879 | void *v) |
| 880 | { | 880 | { |
| 881 | if (cmd == CPU_PM_EXIT) { | 881 | if (cmd == CPU_PM_EXIT && |
| 882 | __hyp_get_vectors() == hyp_default_vectors) { | ||
| 882 | cpu_init_hyp_mode(NULL); | 883 | cpu_init_hyp_mode(NULL); |
| 883 | return NOTIFY_OK; | 884 | return NOTIFY_OK; |
| 884 | } | 885 | } |
diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S index ddc15539bad2..0d68d4073068 100644 --- a/arch/arm/kvm/interrupts.S +++ b/arch/arm/kvm/interrupts.S | |||
| @@ -220,6 +220,10 @@ after_vfp_restore: | |||
| 220 | * in Hyp mode (see init_hyp_mode in arch/arm/kvm/arm.c). Return values are | 220 | * in Hyp mode (see init_hyp_mode in arch/arm/kvm/arm.c). Return values are |
| 221 | * passed in r0 and r1. | 221 | * passed in r0 and r1. |
| 222 | * | 222 | * |
| 223 | * A function pointer with a value of 0xffffffff has a special meaning, | ||
| 224 | * and is used to implement __hyp_get_vectors in the same way as in | ||
| 225 | * arch/arm/kernel/hyp_stub.S. | ||
| 226 | * | ||
| 223 | * The calling convention follows the standard AAPCS: | 227 | * The calling convention follows the standard AAPCS: |
| 224 | * r0 - r3: caller save | 228 | * r0 - r3: caller save |
| 225 | * r12: caller save | 229 | * r12: caller save |
| @@ -363,6 +367,11 @@ hyp_hvc: | |||
| 363 | host_switch_to_hyp: | 367 | host_switch_to_hyp: |
| 364 | pop {r0, r1, r2} | 368 | pop {r0, r1, r2} |
| 365 | 369 | ||
| 370 | /* Check for __hyp_get_vectors */ | ||
| 371 | cmp r0, #-1 | ||
| 372 | mrceq p15, 4, r0, c12, c0, 0 @ get HVBAR | ||
| 373 | beq 1f | ||
| 374 | |||
| 366 | push {lr} | 375 | push {lr} |
| 367 | mrs lr, SPSR | 376 | mrs lr, SPSR |
| 368 | push {lr} | 377 | push {lr} |
| @@ -378,7 +387,7 @@ THUMB( orr lr, #1) | |||
| 378 | pop {lr} | 387 | pop {lr} |
| 379 | msr SPSR_csxf, lr | 388 | msr SPSR_csxf, lr |
| 380 | pop {lr} | 389 | pop {lr} |
| 381 | eret | 390 | 1: eret |
| 382 | 391 | ||
| 383 | guest_trap: | 392 | guest_trap: |
| 384 | load_vcpu @ Load VCPU pointer to r0 | 393 | load_vcpu @ Load VCPU pointer to r0 |
diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S index 3b47c36e10ff..2c56012cb2d2 100644 --- a/arch/arm64/kvm/hyp.S +++ b/arch/arm64/kvm/hyp.S | |||
| @@ -694,6 +694,24 @@ __hyp_panic_str: | |||
| 694 | 694 | ||
| 695 | .align 2 | 695 | .align 2 |
| 696 | 696 | ||
| 697 | /* | ||
| 698 | * u64 kvm_call_hyp(void *hypfn, ...); | ||
| 699 | * | ||
| 700 | * This is not really a variadic function in the classic C-way and care must | ||
| 701 | * be taken when calling this to ensure parameters are passed in registers | ||
| 702 | * only, since the stack will change between the caller and the callee. | ||
| 703 | * | ||
| 704 | * Call the function with the first argument containing a pointer to the | ||
| 705 | * function you wish to call in Hyp mode, and subsequent arguments will be | ||
| 706 | * passed as x0, x1, and x2 (a maximum of 3 arguments in addition to the | ||
| 707 | * function pointer can be passed). The function being called must be mapped | ||
| 708 | * in Hyp mode (see init_hyp_mode in arch/arm/kvm/arm.c). Return values are | ||
| 709 | * passed in r0 and r1. | ||
| 710 | * | ||
| 711 | * A function pointer with a value of 0 has a special meaning, and is | ||
| 712 | * used to implement __hyp_get_vectors in the same way as in | ||
| 713 | * arch/arm64/kernel/hyp_stub.S. | ||
| 714 | */ | ||
| 697 | ENTRY(kvm_call_hyp) | 715 | ENTRY(kvm_call_hyp) |
| 698 | hvc #0 | 716 | hvc #0 |
| 699 | ret | 717 | ret |
| @@ -737,7 +755,12 @@ el1_sync: // Guest trapped into EL2 | |||
| 737 | pop x2, x3 | 755 | pop x2, x3 |
| 738 | pop x0, x1 | 756 | pop x0, x1 |
| 739 | 757 | ||
| 740 | push lr, xzr | 758 | /* Check for __hyp_get_vectors */ |
| 759 | cbnz x0, 1f | ||
| 760 | mrs x0, vbar_el2 | ||
| 761 | b 2f | ||
| 762 | |||
| 763 | 1: push lr, xzr | ||
| 741 | 764 | ||
| 742 | /* | 765 | /* |
| 743 | * Compute the function address in EL2, and shuffle the parameters. | 766 | * Compute the function address in EL2, and shuffle the parameters. |
| @@ -750,7 +773,7 @@ el1_sync: // Guest trapped into EL2 | |||
| 750 | blr lr | 773 | blr lr |
| 751 | 774 | ||
| 752 | pop lr, xzr | 775 | pop lr, xzr |
| 753 | eret | 776 | 2: eret |
| 754 | 777 | ||
| 755 | el1_trap: | 778 | el1_trap: |
| 756 | /* | 779 | /* |
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index e50425d0f5f7..9b531351a587 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c | |||
| @@ -2672,6 +2672,7 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write, | |||
| 2672 | break; | 2672 | break; |
| 2673 | } | 2673 | } |
| 2674 | 2674 | ||
| 2675 | drop_large_spte(vcpu, iterator.sptep); | ||
| 2675 | if (!is_shadow_present_pte(*iterator.sptep)) { | 2676 | if (!is_shadow_present_pte(*iterator.sptep)) { |
| 2676 | u64 base_addr = iterator.addr; | 2677 | u64 base_addr = iterator.addr; |
| 2677 | 2678 | ||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index a06f101ef64b..392752834751 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c | |||
| @@ -6688,7 +6688,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) | |||
| 6688 | else if (is_page_fault(intr_info)) | 6688 | else if (is_page_fault(intr_info)) |
| 6689 | return enable_ept; | 6689 | return enable_ept; |
| 6690 | else if (is_no_device(intr_info) && | 6690 | else if (is_no_device(intr_info) && |
| 6691 | !(nested_read_cr0(vmcs12) & X86_CR0_TS)) | 6691 | !(vmcs12->guest_cr0 & X86_CR0_TS)) |
| 6692 | return 0; | 6692 | return 0; |
| 6693 | return vmcs12->exception_bitmap & | 6693 | return vmcs12->exception_bitmap & |
| 6694 | (1u << (intr_info & INTR_INFO_VECTOR_MASK)); | 6694 | (1u << (intr_info & INTR_INFO_VECTOR_MASK)); |
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 39c28f09dfd5..2b8578432d5b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c | |||
| @@ -6186,7 +6186,7 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu) | |||
| 6186 | frag->len -= len; | 6186 | frag->len -= len; |
| 6187 | } | 6187 | } |
| 6188 | 6188 | ||
| 6189 | if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) { | 6189 | if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) { |
| 6190 | vcpu->mmio_needed = 0; | 6190 | vcpu->mmio_needed = 0; |
| 6191 | 6191 | ||
| 6192 | /* FIXME: return into emulator if single-stepping. */ | 6192 | /* FIXME: return into emulator if single-stepping. */ |