6 files changed, 59 insertions, 8 deletions

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 2bc1e81045b0..ddc3f3d2afdb 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2025,6 +2025,17 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
         return rc;
 }
 
+static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
+{
+        int rc;
+
+        rc = em_ret_far(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        rsp_increment(ctxt, ctxt->src.val);
+        return X86EMUL_CONTINUE;
+}
+
 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
 {
         /* Save real source value, then compare EAX against destination. */
@@ -3763,7 +3774,8 @@ static const struct opcode opcode_table[256] = {
         G(ByteOp, group11), G(0, group11),
         /* 0xC8 - 0xCF */
         I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
-        N, I(ImplicitOps | Stack, em_ret_far),
+        I(ImplicitOps | Stack | SrcImmU16, em_ret_far_imm),
+        I(ImplicitOps | Stack, em_ret_far),
         D(ImplicitOps), DI(SrcImmByte, intn),
         D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
         /* 0xD0 - 0xD7 */
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 043330159179..ad75d77999d0 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -99,6 +99,7 @@ struct guest_walker {
         pt_element_t prefetch_ptes[PTE_PREFETCH_NUM];
         gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
         pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
+        bool pte_writable[PT_MAX_FULL_LEVELS];
         unsigned pt_access;
         unsigned pte_access;
         gfn_t gfn;
@@ -235,6 +236,22 @@ static int FNAME(update_accessed_dirty_bits)(struct kvm_vcpu *vcpu,
                 if (pte == orig_pte)
                         continue;
 
+                /*
+                 * If the slot is read-only, simply do not process the accessed
+                 * and dirty bits.  This is the correct thing to do if the slot
+                 * is ROM, and page tables in read-as-ROM/write-as-MMIO slots
+                 * are only supported if the accessed and dirty bits are already
+                 * set in the ROM (so that MMIO writes are never needed).
+                 *
+                 * Note that NPT does not allow this at all and faults, since
+                 * it always wants nested page table entries for the guest
+                 * page tables to be writable.  And EPT works but will simply
+                 * overwrite the read-only memory to set the accessed and dirty
+                 * bits.
+                 */
+                if (unlikely(!walker->pte_writable[level - 1]))
+                        continue;
+
                 ret = FNAME(cmpxchg_gpte)(vcpu, mmu, ptep_user, index, orig_pte, pte);
                 if (ret)
                         return ret;
@@ -309,7 +326,8 @@ retry_walk:
                         goto error;
                 real_gfn = gpa_to_gfn(real_gfn);
 
-                host_addr = gfn_to_hva(vcpu->kvm, real_gfn);
+                host_addr = gfn_to_hva_prot(vcpu->kvm, real_gfn,
+                                            &walker->pte_writable[walker->level - 1]);
                 if (unlikely(kvm_is_error_hva(host_addr)))
                         goto error;
 
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1f1da43ff2a2..a1216de9ffda 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5339,6 +5339,15 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
                 return 0;
         }
 
+        /*
+         * EPT violation happened while executing iret from NMI,
+         * "blocked by NMI" bit has to be set before next VM entry.
+         * There are errata that may cause this bit to not be set:
+         * AAK134, BY25.
+         */
+        if (exit_qualification & INTR_INFO_UNBLOCK_NMI)
+                vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI);
+
         gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
         trace_kvm_page_fault(gpa, exit_qualification);
 
@@ -7766,6 +7775,10 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                 vmcs_write64(GUEST_PDPTR1, vmcs12->guest_pdptr1);
                 vmcs_write64(GUEST_PDPTR2, vmcs12->guest_pdptr2);
                 vmcs_write64(GUEST_PDPTR3, vmcs12->guest_pdptr3);
+                __clear_bit(VCPU_EXREG_PDPTR,
+                                (unsigned long *)&vcpu->arch.regs_avail);
+                __clear_bit(VCPU_EXREG_PDPTR,
+                                (unsigned long *)&vcpu->arch.regs_dirty);
         }
 
         kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->guest_rsp);
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index ca645a01d37a..0fbbc7aa02cb 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -533,6 +533,7 @@ int gfn_to_page_many_atomic(struct kvm *kvm, gfn_t gfn, struct page **pages,
 
 struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn);
 unsigned long gfn_to_hva(struct kvm *kvm, gfn_t gfn);
+unsigned long gfn_to_hva_prot(struct kvm *kvm, gfn_t gfn, bool *writable);
 unsigned long gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn);
 void kvm_release_page_clean(struct page *page);
 void kvm_release_page_dirty(struct page *page);
diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c
index ea475cd03511..8a39dda7a325 100644
--- a/virt/kvm/async_pf.c
+++ b/virt/kvm/async_pf.c
@@ -101,8 +101,11 @@ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu)
                                    typeof(*work), queue);
                 cancel_work_sync(&work->work);
                 list_del(&work->queue);
-                if (!work->done) /* work was canceled */
+                if (!work->done) { /* work was canceled */
+                        mmdrop(work->mm);
+                        kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */
                         kmem_cache_free(async_pf_cache, work);
+                }
         }
 
         spin_lock(&vcpu->async_pf.lock);
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index bf040c4e02b3..979bff485fb0 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1058,11 +1058,15 @@ unsigned long gfn_to_hva(struct kvm *kvm, gfn_t gfn)
 EXPORT_SYMBOL_GPL(gfn_to_hva);
 
 /*
- * The hva returned by this function is only allowed to be read.
- * It should pair with kvm_read_hva() or kvm_read_hva_atomic().
+ * If writable is set to false, the hva returned by this function is only
+ * allowed to be read.
  */
-static unsigned long gfn_to_hva_read(struct kvm *kvm, gfn_t gfn)
+unsigned long gfn_to_hva_prot(struct kvm *kvm, gfn_t gfn, bool *writable)
 {
+        struct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);
+        if (writable)
+                *writable = !memslot_is_readonly(slot);
+
         return __gfn_to_hva_many(gfn_to_memslot(kvm, gfn), gfn, NULL, false);
 }
 
@@ -1430,7 +1434,7 @@ int kvm_read_guest_page(struct kvm *kvm, gfn_t gfn, void *data, int offset,
         int r;
         unsigned long addr;
 
-        addr = gfn_to_hva_read(kvm, gfn);
+        addr = gfn_to_hva_prot(kvm, gfn, NULL);
         if (kvm_is_error_hva(addr))
                 return -EFAULT;
         r = kvm_read_hva(data, (void __user *)addr + offset, len);
@@ -1468,7 +1472,7 @@ int kvm_read_guest_atomic(struct kvm *kvm, gpa_t gpa, void *data,
         gfn_t gfn = gpa >> PAGE_SHIFT;
         int offset = offset_in_page(gpa);
 
-        addr = gfn_to_hva_read(kvm, gfn);
+        addr = gfn_to_hva_prot(kvm, gfn, NULL);
         if (kvm_is_error_hva(addr))
                 return -EFAULT;
         pagefault_disable();