Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "Reverting a 3.16 patch, fixing two bugs in device assignment (one has
  a CVE), and fixing some problems introduced during the merge window
  (the CMA bug came in via Andrew, the x86 ones via yours truly)"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it
  Revert "KVM: x86: Increase the number of fixed MTRR regs to 10"
  KVM: x86: do not check CS.DPL against RPL during task switch
  KVM: x86: Avoid emulating instructions on #UD mistakenly
  PC, KVM, CMA: Fix regression caused by wrong get_order() use
  kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)

3 files changed, 8 insertions, 11 deletions

diff --git a/arch/powerpc/kvm/book3s_hv_builtin.c b/arch/powerpc/kvm/book3s_hv_builtin.c
index 329d7fdd0a6a..b9615ba5b083 100644
--- a/arch/powerpc/kvm/book3s_hv_builtin.c
+++ b/arch/powerpc/kvm/book3s_hv_builtin.c
@@ -101,7 +101,7 @@ struct kvm_rma_info *kvm_alloc_rma()
         ri = kmalloc(sizeof(struct kvm_rma_info), GFP_KERNEL);
         if (!ri)
                 return NULL;
-        page = cma_alloc(kvm_cma, kvm_rma_pages, get_order(kvm_rma_pages));
+        page = cma_alloc(kvm_cma, kvm_rma_pages, order_base_2(kvm_rma_pages));
         if (!page)
                 goto err_out;
         atomic_set(&ri->use_count, 1);
@@ -135,12 +135,12 @@ struct page *kvm_alloc_hpt(unsigned long nr_pages)
 {
         unsigned long align_pages = HPT_ALIGN_PAGES;
 
-        VM_BUG_ON(get_order(nr_pages) < KVM_CMA_CHUNK_ORDER - PAGE_SHIFT);
+        VM_BUG_ON(order_base_2(nr_pages) < KVM_CMA_CHUNK_ORDER - PAGE_SHIFT);
 
         /* Old CPUs require HPT aligned on a multiple of its size */
         if (!cpu_has_feature(CPU_FTR_ARCH_206))
                 align_pages = nr_pages;
-        return cma_alloc(kvm_cma, nr_pages, get_order(align_pages));
+        return cma_alloc(kvm_cma, nr_pages, order_base_2(align_pages));
 }
 EXPORT_SYMBOL_GPL(kvm_alloc_hpt);
 
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 572460175ba5..7c492ed9087b 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -95,7 +95,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
 #define KVM_REFILL_PAGES 25
 #define KVM_MAX_CPUID_ENTRIES 80
 #define KVM_NR_FIXED_MTRR_REGION 88
-#define KVM_NR_VAR_MTRR 10
+#define KVM_NR_VAR_MTRR 8
 
 #define ASYNC_PF_PER_VCPU 64
 
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 56657b0bb3bb..03954f7900f5 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1491,9 +1491,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                         goto exception;
                 break;
         case VCPU_SREG_CS:
-                if (in_task_switch && rpl != dpl)
-                        goto exception;
-
                 if (!(seg_desc.type & 8))
                         goto exception;
 
@@ -4394,8 +4391,11 @@ done_prefixes:
 
         ctxt->execute = opcode.u.execute;
 
+        if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
+                return EMULATION_FAILED;
+
         if (unlikely(ctxt->d &
-                     (NotImpl|EmulateOnUD|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm))) {
+                     (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm))) {
                 /*
                  * These are copied unconditionally here, and checked unconditionally
                  * in x86_emulate_insn.
@@ -4406,9 +4406,6 @@ done_prefixes:
                 if (ctxt->d & NotImpl)
                         return EMULATION_FAILED;
 
-                if (!(ctxt->d & EmulateOnUD) && ctxt->ud)
-                        return EMULATION_FAILED;
-
                 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
                         ctxt->op_bytes = 8;