1. 18 May, 2017 2 commits
    • Christoffer Dall's avatar
      KVM: arm/arm64: Hold slots_lock when unregistering kvm io bus devices · fa472fa9
      Christoffer Dall authored
      We were not holding the kvm->slots_lock as required when calling
      kvm_io_bus_unregister_dev() as required.
      
      This only affects the error path, but still, let's do our due
      diligence.
      
      Reported by: Eric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      fa472fa9
    • Christoffer Dall's avatar
      KVM: arm/arm64: Fix bug when registering redist iodevs · 552c9f47
      Christoffer Dall authored
      If userspace creates the VCPUs after initializing the VGIC, then we end
      up in a situation where we trigger a bug in kvm_vcpu_get_idx(), because
      it is called prior to adding the VCPU into the vcpus array on the VM.
      
      There is no tight coupling between the VCPU index and the area of the
      redistributor region used for the VCPU, so we can simply ensure that all
      creations of redistributors are serialized per VM, and increment an
      offset when we successfully add a redistributor.
      
      The vgic_register_redist_iodev() function can be called from two paths:
      vgic_redister_all_redist_iodev() which is called via the kvm_vgic_addr()
      device attribute handler.  This patch already holds the kvm->lock mutex.
      
      The other path is via kvm_vgic_vcpu_init, which is called through a
      longer chain from kvm_vm_ioctl_create_vcpu(), which releases the
      kvm->lock mutex just before calling kvm_arch_vcpu_create(), so we can
      simply take this mutex again later for our purposes.
      
      Fixes: ab6f468c10 ("KVM: arm/arm64: Register iodevs when setting redist base and creating VCPUs")
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Tested-by: default avatarJean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      552c9f47
  2. 16 May, 2017 2 commits
  3. 15 May, 2017 4 commits
    • Suzuki K Poulose's avatar
      kvm: arm/arm64: Fix race in resetting stage2 PGD · 6c0d706b
      Suzuki K Poulose authored
      In kvm_free_stage2_pgd() we check the stage2 PGD before holding
      the lock and proceed to take the lock if it is valid. And we unmap
      the page tables, followed by releasing the lock. We reset the PGD
      only after dropping this lock, which could cause a race condition
      where another thread waiting on or even holding the lock, could
      potentially see that the PGD is still valid and proceed to perform
      a stage2 operation and later encounter a NULL PGD.
      
      [223090.242280] Unable to handle kernel NULL pointer dereference at
      virtual address 00000040
      [223090.262330] PC is at unmap_stage2_range+0x8c/0x428
      [223090.262332] LR is at kvm_unmap_hva_handler+0x2c/0x3c
      [223090.262531] Call trace:
      [223090.262533] [<ffff0000080adb78>] unmap_stage2_range+0x8c/0x428
      [223090.262535] [<ffff0000080adf40>] kvm_unmap_hva_handler+0x2c/0x3c
      [223090.262537] [<ffff0000080ace2c>] handle_hva_to_gpa+0xb0/0x104
      [223090.262539] [<ffff0000080af988>] kvm_unmap_hva+0x5c/0xbc
      [223090.262543] [<ffff0000080a2478>]
      kvm_mmu_notifier_invalidate_page+0x50/0x8c
      [223090.262547] [<ffff0000082274f8>]
      __mmu_notifier_invalidate_page+0x5c/0x84
      [223090.262551] [<ffff00000820b700>] try_to_unmap_one+0x1d0/0x4a0
      [223090.262553] [<ffff00000820c5c8>] rmap_walk+0x1cc/0x2e0
      [223090.262555] [<ffff00000820c90c>] try_to_unmap+0x74/0xa4
      [223090.262557] [<ffff000008230ce4>] migrate_pages+0x31c/0x5ac
      [223090.262561] [<ffff0000081f869c>] compact_zone+0x3fc/0x7ac
      [223090.262563] [<ffff0000081f8ae0>] compact_zone_order+0x94/0xb0
      [223090.262564] [<ffff0000081f91c0>] try_to_compact_pages+0x108/0x290
      [223090.262569] [<ffff0000081d5108>] __alloc_pages_direct_compact+0x70/0x1ac
      [223090.262571] [<ffff0000081d64a0>] __alloc_pages_nodemask+0x434/0x9f4
      [223090.262572] [<ffff0000082256f0>] alloc_pages_vma+0x230/0x254
      [223090.262574] [<ffff000008235e5c>] do_huge_pmd_anonymous_page+0x114/0x538
      [223090.262576] [<ffff000008201bec>] handle_mm_fault+0xd40/0x17a4
      [223090.262577] [<ffff0000081fb324>] __get_user_pages+0x12c/0x36c
      [223090.262578] [<ffff0000081fb804>] get_user_pages_unlocked+0xa4/0x1b8
      [223090.262579] [<ffff0000080a3ce8>] __gfn_to_pfn_memslot+0x280/0x31c
      [223090.262580] [<ffff0000080a3dd0>] gfn_to_pfn_prot+0x4c/0x5c
      [223090.262582] [<ffff0000080af3f8>] kvm_handle_guest_abort+0x240/0x774
      [223090.262584] [<ffff0000080b2bac>] handle_exit+0x11c/0x1ac
      [223090.262586] [<ffff0000080ab99c>] kvm_arch_vcpu_ioctl_run+0x31c/0x648
      [223090.262587] [<ffff0000080a1d78>] kvm_vcpu_ioctl+0x378/0x768
      [223090.262590] [<ffff00000825df5c>] do_vfs_ioctl+0x324/0x5a4
      [223090.262591] [<ffff00000825e26c>] SyS_ioctl+0x90/0xa4
      [223090.262595] [<ffff000008085d84>] el0_svc_naked+0x38/0x3c
      
      This patch moves the stage2 PGD manipulation under the lock.
      Reported-by: default avatarAlexander Graf <agraf@suse.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      6c0d706b
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v3: Use PREbits to infer the number of ICH_APxRn_EL2 registers · 15d2bffd
      Marc Zyngier authored
      The GICv3 documentation is extremely confusing, as it talks about
      the number of priorities represented by the ICH_APxRn_EL2 registers,
      while it should really talk about the number of preemption levels.
      
      This leads to a bug where we may access undefined ICH_APxRn_EL2
      registers, since PREbits is allowed to be smaller than PRIbits.
      Thankfully, nobody seem to have taken this path so far...
      
      The fix is to use ICH_VTR_EL2.PREbits instead.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      15d2bffd
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt · 3d6e77ad
      Marc Zyngier authored
      When an interrupt is injected with the HW bit set (indicating that
      deactivation should be propagated to the physical distributor),
      special care must be taken so that we never mark the corresponding
      LR with the Active+Pending state (as the pending state is kept in
      the physycal distributor).
      
      Cc: stable@vger.kernel.org
      Fixes: 59529f69 ("KVM: arm/arm64: vgic-new: Add GICv3 world switch backend")
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      3d6e77ad
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt · ddf42d06
      Marc Zyngier authored
      When an interrupt is injected with the HW bit set (indicating that
      deactivation should be propagated to the physical distributor),
      special care must be taken so that we never mark the corresponding
      LR with the Active+Pending state (as the pending state is kept in
      the physycal distributor).
      
      Cc: stable@vger.kernel.org
      Fixes: 140b086d ("KVM: arm/arm64: vgic-new: Add GICv2 world switch backend")
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      ddf42d06
  4. 09 May, 2017 11 commits
  5. 08 May, 2017 21 commits