Commit bf82d38c authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm 

Pull kvm fixes from Paolo Bonzini:
 "x86:

   - Fixes for Xen emulation. While nobody should be enabling it in the
     kernel (the only public users of the feature are the selftests),
     the bug effectively allows userspace to read arbitrary memory.

   - Correctness fixes for nested hypervisors that do not intercept INIT
     or SHUTDOWN on AMD; the subsequent CPU reset can cause a
     use-after-free when it disables virtualization extensions. While
     downgrading the panic to a WARN is quite easy, the full fix is a
     bit more laborious; there are also tests. This is the bulk of the
     pull request.

   - Fix race condition due to incorrect mmu_lock use around
     make_mmu_pages_available().

  Generic:

   - Obey changes to the kvm.halt_poll_ns module parameter in VMs not
     using KVM_CAP_HALT_POLL, restoring behavior from before the
     introduction of the capability"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Update gfn_to_pfn_cache khva when it moves within the same page
  KVM: x86/xen: Only do in-kernel acceleration of hypercalls for guest CPL0
  KVM: x86/xen: Validate port number in SCHEDOP_poll
  KVM: x86/mmu: Fix race condition in direct_page_fault
  KVM: x86: remove exit_int_info warning in svm_handle_exit
  KVM: selftests: add svm part to triple_fault_test
  KVM: x86: allow L1 to not intercept triple fault
  kvm: selftests: add svm nested shutdown test
  KVM: selftests: move idt_entry to header
  KVM: x86: forcibly leave nested mode on vCPU reset
  KVM: x86: add kvm_leave_nested
  KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
  KVM: x86: nSVM: leave nested mode on vCPU free
  KVM: Obey kvm.halt_poll_ns in VMs not using KVM_CAP_HALT_POLL
  KVM: Avoid re-reading kvm->max_halt_poll_ns during halt-polling
  KVM: Cap vcpu->halt_poll_ns before halting rather than after
parents 30a853c1 fe08e36b

arch/x86/kvm/mmu/mmu.c

+7 −6
Original line number Diff line number Diff line
@@ -2443,6 +2443,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm, 
{

	bool list_unstable, zapped_root = false;



	lockdep_assert_held_write(&kvm->mmu_lock);

	trace_kvm_mmu_prepare_zap_page(sp);

	++kvm->stat.mmu_shadow_zapped;

	*nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
@@ -4262,14 +4263,14 @@ static int direct_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault 
	if (is_page_fault_stale(vcpu, fault, mmu_seq))

		goto out_unlock;



	if (is_tdp_mmu_fault) {

		r = kvm_tdp_mmu_map(vcpu, fault);

	} else {

		r = make_mmu_pages_available(vcpu);

		if (r)

			goto out_unlock;



	if (is_tdp_mmu_fault)

		r = kvm_tdp_mmu_map(vcpu, fault);

	else

		r = __direct_map(vcpu, fault);

	}



out_unlock:

	if (is_tdp_mmu_fault)

arch/x86/kvm/svm/nested.c

+9 −3
Original line number Diff line number Diff line
@@ -1091,6 +1091,12 @@ int nested_svm_vmexit(struct vcpu_svm *svm) 


static void nested_svm_triple_fault(struct kvm_vcpu *vcpu)

{

	struct vcpu_svm *svm = to_svm(vcpu);



	if (!vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SHUTDOWN))

		return;



	kvm_clear_request(KVM_REQ_TRIPLE_FAULT, vcpu);

	nested_svm_simple_vmexit(to_svm(vcpu), SVM_EXIT_SHUTDOWN);

}
@@ -1125,6 +1131,9 @@ void svm_free_nested(struct vcpu_svm *svm) 
	if (!svm->nested.initialized)

		return;



	if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))

		svm_switch_vmcb(svm, &svm->vmcb01);



	svm_vcpu_free_msrpm(svm->nested.msrpm);

	svm->nested.msrpm = NULL;
@@ -1143,9 +1152,6 @@ void svm_free_nested(struct vcpu_svm *svm) 
	svm->nested.initialized = false;

}



/*

 * Forcibly leave nested mode in order to be able to reset the VCPU later on.

 */

void svm_leave_nested(struct kvm_vcpu *vcpu)

{

	struct vcpu_svm *svm = to_svm(vcpu);

arch/x86/kvm/svm/svm.c

+1 −15
Original line number Diff line number Diff line
@@ -346,12 +346,6 @@ int svm_set_efer(struct kvm_vcpu *vcpu, u64 efer) 
	return 0;

}



static int is_external_interrupt(u32 info)

{

	info &= SVM_EVTINJ_TYPE_MASK | SVM_EVTINJ_VALID;

	return info == (SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_INTR);

}



static u32 svm_get_interrupt_shadow(struct kvm_vcpu *vcpu)

{

	struct vcpu_svm *svm = to_svm(vcpu);
@@ -1438,6 +1432,7 @@ static void svm_vcpu_free(struct kvm_vcpu *vcpu) 
	 */

	svm_clear_current_vmcb(svm->vmcb);



	svm_leave_nested(vcpu);

	svm_free_nested(svm);



	sev_free_vcpu(vcpu);
@@ -3425,15 +3420,6 @@ static int svm_handle_exit(struct kvm_vcpu *vcpu, fastpath_t exit_fastpath) 
		return 0;

	}



	if (is_external_interrupt(svm->vmcb->control.exit_int_info) &&

	    exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&

	    exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&

	    exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)

		printk(KERN_ERR "%s: unexpected exit_int_info 0x%x "

		       "exit_code 0x%x\n",

		       __func__, svm->vmcb->control.exit_int_info,

		       exit_code);



	if (exit_fastpath != EXIT_FASTPATH_NONE)

		return 1;

arch/x86/kvm/vmx/nested.c

+1 −3
Original line number Diff line number Diff line
@@ -4854,6 +4854,7 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason, 


static void nested_vmx_triple_fault(struct kvm_vcpu *vcpu)

{

	kvm_clear_request(KVM_REQ_TRIPLE_FAULT, vcpu);

	nested_vmx_vmexit(vcpu, EXIT_REASON_TRIPLE_FAULT, 0, 0);

}
@@ -6440,9 +6441,6 @@ static int vmx_get_nested_state(struct kvm_vcpu *vcpu, 
	return kvm_state.size;

}



/*

 * Forcibly leave nested mode in order to be able to reset the VCPU later on.

 */

void vmx_leave_nested(struct kvm_vcpu *vcpu)

{

	if (is_guest_mode(vcpu)) {

arch/x86/kvm/x86.c

+23 −6
Original line number Diff line number Diff line
@@ -628,6 +628,12 @@ static void kvm_queue_exception_vmexit(struct kvm_vcpu *vcpu, unsigned int vecto 
	ex->payload = payload;

}



/* Forcibly leave the nested mode in cases like a vCPU reset */

static void kvm_leave_nested(struct kvm_vcpu *vcpu)

{

	kvm_x86_ops.nested_ops->leave_nested(vcpu);

}



static void kvm_multiple_exception(struct kvm_vcpu *vcpu,

		unsigned nr, bool has_error, u32 error_code,

	        bool has_payload, unsigned long payload, bool reinject)
@@ -5195,7 +5201,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, 


	if (events->flags & KVM_VCPUEVENT_VALID_SMM) {

		if (!!(vcpu->arch.hflags & HF_SMM_MASK) != events->smi.smm) {

			kvm_x86_ops.nested_ops->leave_nested(vcpu);

			kvm_leave_nested(vcpu);

			kvm_smm_changed(vcpu, events->smi.smm);

		}
@@ -9805,7 +9811,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu) 


int kvm_check_nested_events(struct kvm_vcpu *vcpu)

{

	if (kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {

	if (kvm_test_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {

		kvm_x86_ops.nested_ops->triple_fault(vcpu);

		return 1;

	}
@@ -10560,15 +10566,16 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) 
			r = 0;

			goto out;

		}

		if (kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {

			if (is_guest_mode(vcpu)) {

		if (kvm_test_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {

			if (is_guest_mode(vcpu))

				kvm_x86_ops.nested_ops->triple_fault(vcpu);

			} else {



			if (kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {

				vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;

				vcpu->mmio_needed = 0;

				r = 0;

				goto out;

			}

			goto out;

		}

		if (kvm_check_request(KVM_REQ_APF_HALT, vcpu)) {

			/* Page is swapped out. Do synthetic halt */
@@ -11997,8 +12004,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) 
	WARN_ON_ONCE(!init_event &&

		     (old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));



	/*

	 * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's

	 * possible to INIT the vCPU while L2 is active.  Force the vCPU back

	 * into L1 as EFER.SVME is cleared on INIT (along with all other EFER

	 * bits), i.e. virtualization is disabled.

	 */

	if (is_guest_mode(vcpu))

		kvm_leave_nested(vcpu);



	kvm_lapic_reset(vcpu, init_event);



	WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));

	vcpu->arch.hflags = 0;



	vcpu->arch.smi_pending = 0;