This bug
On 05/01/2016 18:46, Jiri Slaby wrote:
> From: Paolo Bonzini
>
> 3.12-stable review patch. If anyone has any objections, please let me know.
>
> ===
>
> commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream.
>
> On 32-bit systems, the init
Invoking tracepoints within kvm_guest_enter/kvm_guest_exit causes a
lockdep splat.
Cc: stable@vger.kernel.org
Reported-by: Borislav Petkov
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm.c | 4 ++--
arch/x86/kvm/vmx.c | 3 ++-
arch/x86/kvm/x86.c | 4 ++--
3 files changed, 6 insertions(+), 5
On 10/12/2015 19:09, Borislav Petkov wrote:
> On Thu, Dec 10, 2015 at 06:38:57PM +0100, Paolo Bonzini wrote:
>> Invoking tracepoints within kvm_guest_enter/kvm_guest_exit causes a
>> lockdep splat.
>>
>> Cc: stable@vger.kernel.org
>> Reported-by: Borislav Petkov
Invoking tracepoints within kvm_guest_enter/kvm_guest_exit causes a
lockdep splat.
Cc: stable@vger.kernel.org
Reported-by: Borislav Petkov
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm.c | 4 ++--
arch/x86/kvm/vmx.c | 3 ++-
arch/x86/kvm/x86.c | 2 +-
3 files changed, 5 insertions(+), 4
On 08/12/2015 00:32, Greg KH wrote:
> On Mon, Dec 07, 2015 at 03:27:20PM -0800, Matt Gingell wrote:
>> These can wait for 4.4.
>
> Then why were they marked for stable?
Even though the bugs were found while testing a new feature in 4.4, the
bug exists in 4.3 as well. The patches don't apply be
On 25/11/2015 18:56, Ben Hutchings wrote:
> On Wed, 2015-11-25 at 12:31 +0100, Paolo Bonzini wrote:
>>
>> On 24/11/2015 23:33, Ben Hutchings wrote:
>>> 3.2.74-rc1 review patch. If anyone has any objections, please let me know.
>>>
>>>
On 24/11/2015 23:33, Ben Hutchings wrote:
> 3.2.74-rc1 review patch. If anyone has any objections, please let me know.
>
> --
>
> From: Paolo Bonzini
>
> commit cbdb967af3d54993f5814f1cee0ed311a055377d upstream.
>
> This is needed to avoid the
> Paolo, under what circumstances (which versions of Windows? Anything
> special running in the guest?) has this failure happened? I'd like to repro
> this, I'm not sure if we've observed it before.
We saw it with migration under Windows 10, nothing special running in the
guest. It's very hard t
Poor #AC was so unimportant until a few days ago that we were
not even tracing its name correctly. But now it's all over
the place.
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/trace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x8
If we do not do this, it is not properly saved and restored across
migration. Windows notices due to its self-protection mechanisms,
and is very upset about it (blue screen of death).
Cc: Radim Krcmar
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/x86.c | 11
On 11/11/2015 15:57, James Hogan wrote:
> Okay, no problem. As long as they can make v4.4.
>
> For the record do you prefer not to receive patches during merge
> window?
It's okay, at worst I won't process them for a few days or weeks.
Paolo
--
: KVM: Uninit VCPU in vcpu_create error path
>
> arch/mips/kvm/emulate.c | 2 +-
> arch/mips/kvm/locore.S | 16 ++--
> arch/mips/kvm/mips.c| 5 -
> 3 files changed, 15 insertions(+), 8 deletions(-)
>
> Cc: Ralf Baechle
> Cc: Paolo Bonzini
> Cc: Gleb
: Paolo Bonzini
---
arch/x86/kvm/svm.c | 14 +++---
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 183926483c3a..1cc1ffca0d8c 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1020,6 +1020,7 @@ static void init_vmcb(struct
fects (CVE-2015-5307).
Signed-off-by: Eric Northup
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/include/uapi/asm/svm.h | 1 +
arch/x86/kvm/svm.c | 8
arch/x86/kvm/vmx.c | 5 -
3 files changed, 13 insertions(+), 1 deletion(-)
diff --
On 03/11/2015 15:02, Laszlo Ersek wrote:
> On 11/03/15 14:46, Paolo Bonzini wrote:
>>
>>
>> On 03/11/2015 14:40, Laszlo Ersek wrote:
>>> On 11/03/15 14:29, Paolo Bonzini wrote:
>>>> The SDM says that exiting system management mode from 64-bit mode
>
On 03/11/2015 14:40, Laszlo Ersek wrote:
> On 11/03/15 14:29, Paolo Bonzini wrote:
>> The SDM says that exiting system management mode from 64-bit mode
>> is invalid, but that would be too good to be true. But actually,
>> most of the code is already there to support exitin
clearing CS.L and CR4.PCIDE.
Cc: stable@vger.kernel.org
Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c
Cc: Laszlo Ersek
Cc: Radim Krčmář
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 30 +-
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/arch
On 02/11/2015 22:20, Radim Krčmář wrote:
> The comment in code had it mostly right, but we enable paging for
> emulated real mode regardless of EPT.
>
> Without EPT (which implies emulated real mode), secondary VCPUs won't
> start unless we disable SM[AE]P when the guest doesn't use paging.
>
>
On 26/10/2015 16:43, Laszlo Ersek wrote:
> > The code would be cleaner if we had a different approach, but this works
> > too and is safer for stable. In case you prefer to leave the rewrite for
> > a future victim,
>
> It's hard to express how much I prefer that.
Radim, if you want to have a t
@vger.kernel.org
Cc: Yang Z Zhang
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm.c | 11 +--
arch/x86/kvm/vmx.c | 3 +--
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index cd8659cfc632..f2c8e4917688 100644
--- a/arch/x86/kvm/svm.c
@vger.kernel.org
Cc: Yang Z Zhang
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm.c | 7 +++
arch/x86/kvm/vmx.c | 3 +--
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index cd8659cfc632..1336d68fa965 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch
Commit-ID: f5f3497cad8c8416a74b9aaceb127908755d020a
Gitweb: http://git.kernel.org/tip/f5f3497cad8c8416a74b9aaceb127908755d020a
Author: Paolo Bonzini
AuthorDate: Wed, 14 Oct 2015 13:30:45 +0200
Committer: Matt Fleming
CommitDate: Fri, 16 Oct 2015 10:52:29 +0100
x86/setup: Extend low
On 14/10/2015 15:52, Matt Fleming wrote:
>> > However, for non-PAE kernels there is no guarantee that the identity
>> > mapping in the initial_page_table extends as far as the GDT; in this
>> > case, accesses to the GDT will cause a page fault (which quickly becomes
>> > a triple fault). Fix thi
In order to get into 64-bit protected mode, CS.L must be 0. This
is always the case when executing RSM, so it is enough to load the
segments after CR0 and CR4.
Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c
s empty:
(gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4
0x32b7070: 0x
Reported-by: Laszlo Ersek
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kernel/setup.c | 8
1 file changed, 8 insertions(+)
diff --git a/arch/x86/kernel/setup.c
On 13/10/2015 17:39, Radim Krčmář wrote:
> 2015-10-12 14:09+0200, Paolo Bonzini:
>> Otherwise, two copies (one of them never used and thus bogus) are
>> allocated for the regular and SMM address spaces. This breaks
>> SMM with EPT but without unrestricted guest support, be
An SMI to a halted VCPU must wake it up, hence a VCPU with a pending
SMI must be considered runnable.
Fixes: 64d6067057d9658acb8675afcfba549abdb7fc16
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/x86.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86
Split the huge conditional in two functions.
Fixes: 64d6067057d9658acb8675afcfba549abdb7fc16
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/x86.c | 39 +--
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/arch/x86/kvm
.org
Fixes: 9da0e4d5ac969909f6b435ce28ea28135a9cbd69
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/x86.c | 62 ++
1 file changed, 30 insertions(+), 32 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a3a4cf900e0c..ab59eccb9e78 100644
--- a/arch/x86/kvm/x
: 9da0e4d5ac969909f6b435ce28ea28135a9cbd69
Signed-off-by: Paolo Bonzini
---
arch/x86/include/asm/kvm_host.h | 6 ++
arch/x86/kvm/vmx.c | 26 ++
arch/x86/kvm/x86.c | 31 +--
3 files changed, 21 insertions(+), 42 deletions(-)
diff
On 08/10/2015 20:23, Radim Krčmář wrote:
> v2:
> * rewritten [1/2] and
> * refactored [2/2], all thanks to Paolo's comments
>
> This problem is not fixed for split userspace part as I think that it
> would be better to solve that by excluding edge interrupts from
> eoi_exit_bitmap (see the nex
On 06/10/2015 22:33, Radim Krčmář wrote:
> 2015-08-15 02:00+0200, Paolo Bonzini:
>> On 14/08/2015 10:38, Radim Krčmář wrote:
>>>> How do you reproduce the bug?
>>> I run rhel4 (2.6.9) kernel on 2 VCPUs and frequently alternate
>>> smp_affinity of
On 13/08/2015 15:46, Radim Krčmář wrote:
> + if (kvm_x86_ops->sync_pir_to_irr(vcpu))
> + kvm_make_request(KVM_REQ_EVENT, vcpu);
> +
The call to sync_pir_to_irr belongs more in vcpu_scan_ioapic, I think.
More importantly, I think that KVM_REQ_EVENT is a latent bug for
kvm_vcpu_io
On 22/09/2015 21:02, Marcelo Tosatti wrote:
> NACK, please use original patchset.
What do you mean?
Paolo
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On 18/09/2015 15:39, Igor Mammedov wrote:
> When INIT/SIPI sequence is sent to VCPU which before that
> was in use by OS, VMRUN might fail with:
>
> KVM: entry failed, hardware error 0x
> EAX= EBX= ECX= EDX=06d3
> ESI= EDI= EBP= ESP=
On 18/09/2015 11:27, Dominik Dingel wrote:
> Commit 2ee507c47293 ("sched: Add function single_task_running to let a task
> check if it is the only task running on a cpu") referenced the current
> runqueue with the smp_processor_id. When CONFIG_DEBUG_PREEMPT is enabled,
> that is only allowed if
On 14/08/2015 10:38, Radim Krčmář wrote:
>> How do you reproduce the bug?
> I run rhel4 (2.6.9) kernel on 2 VCPUs and frequently alternate
> smp_affinity of "timer". The bug is hit within seconds.
Nice, I'll try to make a unit test for it on the plane. :)
Paolo
On 13/08/2015 15:46, Radim Krčmář wrote:
> 1) IOAPIC inject a vector from i8254
> 2) guest reconfigures that vector's VCPU and therefore eoi_exit_bitmap
> on original VCPU gets cleared
> 3) guest's handler for the vector does EOI
> 4) KVM's EOI handler doesn't pass that vector to IOAPIC b
On 29/07/2015 06:56, Wang Kai wrote:
> From: Paolo Bonzini
>
> commit ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009 upstream.
>
> Malicious (or egregiously buggy) userspace can trigger it, but it
> should never happen in normal operation.
>
> Signed-off-by: Paolo Bonzini
On 07/07/2015 15:50, Radim Krčmář wrote:
>> Andrey reported offlist that the bug went away by reverting 1cde293. So
>> the patch would at least need a new commit message. :)
>
> I think it's a different bug than the one Andrey reproduced
> (https://bugzilla.kernel.org/show_bug.cgi?id=100671).
On 03/07/2015 15:49, Radim Krčmář wrote:
> fpu_activate is called outside of vcpu_load(), which means it should not
> touch VMCS, but fpu_activate needs to. Avoid the call by moving it to a
> point where we know that the guest needs eager FPU and VMCS is loaded.
>
> This will get rid of the fol
On 29/06/2015 16:44, Christian Borntraeger wrote:
> From: Cornelia Huck
>
> Eric noticed problems with vhost-scsi and virtio-ccw: vhost-scsi
> complained about overwriting values in the config space, which
> was triggered by a broken implementation of virtio-ccw's config
> get/set routines. It
On 22/06/2015 13:20, Christian Borntraeger wrote:
> From: Jens Freimann
>
> commit 6d3da24141 ("KVM: s390: deliver floating interrupts in order
> of priority") introduced a regression for the reset handling.
>
> We don't clear the bitmap of pending floating interrupts
> and interrupt parameters.
On 05/06/2015 20:57, Radim Krčmář wrote:
> lapic.timer_mode was not properly initialized after migration, which
> broke a few useful things, like login, by making every sleep eternal.
>
> Fix this by calling apic_update_lvtt in kvm_apic_post_state_restore.
>
> There are other slowpaths that updat
On 22/04/2015 15:34, Luis Henriques wrote:
> Thanks Paolo. I was going to apply this backport to the 3.16 kernel
> but it looks like the original commit is a clean cherry-pick. Shall I
> still apply your backport, or do you think the original commit should
> be applied instead?
Indeed you're r
On 21/04/2015 09:52, Paolo Bonzini wrote:
> From: Nadav Amit
>
> [ upstream commit f210f7572bedf3320599e8b2d8e8ec2d96270d0b ]
>
> apic_find_highest_irr assumes irr_pending is set if any vector in APIC_IRR is
> set. If this assumption is broken and apicv is disabled
On 17/04/2015 07:10, Wanpeng Li wrote:
>> >
>> >Before the change, if guest CR4.MCE==0, then the machine check is
>> >escalated to Catastrophic Error (CATERR) and the machine dies.
> Could you point out which section of SDM describes that the machine check
> is escalated to a CATERR if CR4.MCE==
On 17/04/2015 10:55, Greg KH wrote:
> On Thu, Apr 16, 2015 at 11:58:05AM -0700, Ben Serebrin wrote:
>> > The host's decision to enable machine check exceptions should remain
>> > in force during non-root mode. KVM was writing 0 to cr4 on VCPU reset
>> > and passed a slightly-modified 0 to the vm
On 16/04/2015 17:39, Luis Henriques wrote:
> On Fri, Apr 10, 2015 at 03:53:29PM +0200, Paolo Bonzini wrote:
>> From: Igor Mammedov
>>
>> [ upstream commit 744961341d472db6272ed9b42319a90f5a2aa7c4 ]
>>
>
> If I first apply the following commits:
>
On 07/04/2015 14:47, Radim Krčmář wrote:
> I think it was correct. Both are guest only, the revert just missed
> some races. (0a4e6be9ca17 has misleading commit message ...)
Oops. You're right.
Paolo
On 02/04/2015 20:44, Radim Krčmář wrote:
> If we were migrated right after __getcpu, but before reading the
> migration_count, we wouldn't notice that we read TSC of a different
> VCPU, nor that KVM's bug made pvti invalid, as only migration_count
> on source VCPU is increased.
>
> Change vdso i
On 06/04/2015 22:07, Andy Lutomirski wrote:
> On 04/02/2015 11:59 AM, Andy Lutomirski wrote:
>> On Thu, Apr 2, 2015 at 11:44 AM, Radim Krčmář wrote:
>>> If we were migrated right after __getcpu, but before reading the
>>> migration_count, we wouldn't notice that we read TSC of a different
>>> VC
On 26/03/2015 21:10, Radim Krčmář wrote:
> 2015-03-26 11:47-0700, Andy Lutomirski:
>> On Wed, Mar 25, 2015 at 4:08 AM, Radim Krčmář wrote:
>>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>>> + /* A guest can read other VCPU's kvmclock; specification says that
>>> +* versio
KVM_CAP_IRQFD_RESAMPLE.
Reported-by: Greg Kurz
Cc: stable@vger.kernel.org
Fixes: 297e21053a52f060944e9f0de4c64fad9bcd72fc
Signed-off-by: Paolo Bonzini
---
Marcelo, please apply this for 4.0.
---
arch/s390/kvm/kvm-s390.c | 1 -
arch/x86/kvm/x86.c | 1 -
virt/kvm/kvm_main.c | 1
ot;if (!vcpus_matched && ka->use_master_clock)" is simplified to
"if (ka->use_master_clock)", the corresponding "if (!ka->use_master_clock)"
becomes redundant, so remove the do_request boolean and collapse
everything into a single condition.
Signed-off-by
On 09/02/2015 23:58, James Hogan wrote:
>> First lets save and disable the FPU (and MSA) state with
>> lose_fpu(1)
>
> Please don't apply this patch yet. lose_fpu() uses function
> symbols which aren't exported for modules to use yet, so that'll
> n
blk_queue_max_hw_sectors(sdkp->disk->queue, max_xfer);
> set_capacity(disk, sdkp->capacity);
> sd_config_write_same(sdkp);
> _
>
On 28/01/2015 00:10, Paul Gortmaker wrote:
> Hi Greg,
>
> Someone working on a 3.10.x based -rt kernel traced a latency increase
> back to the backport of 56cc2406d68c0f0950 ("KVM: nVMX: fix "acknowledge
> interrupt on exit" when APICv is in use").
FWIW, that's fairly impossible. That commit d
Since most virtual machines raise this message once, it is a bit annoying.
Make it KERN_DEBUG severity.
Cc: stable@vger.kernel.org
Fixes: 7a2e8aaf0f6873b47bc2347f216ea5b0e4c258ab
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/mmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
gned-off-by: Nadav Har'El
> Signed-off-by: Jun Nakajima
> Signed-off-by: Xinhao Xu
> Signed-off-by: Yang Zhang
> Signed-off-by: Gleb Natapov
> Signed-off-by: Paolo Bonzini
> [bwh: Backported to 3.2:
> - Adjust context, filename
> - Simplify handle_invept(
viewed-by: Xiao Guangrong
> Signed-off-by: Nadav Har'El
> Signed-off-by: Jun Nakajima
> Signed-off-by: Xinhao Xu
> Signed-off-by: Yang Zhang
> Signed-off-by: Gleb Natapov
> Signed-off-by: Paolo Bonzini
>
>
> Cheers,
> Vinson
>
--
> In the interest of reduced future confusion, would it make sense to
> drop the duplicate initialization for 3.20?
Yup. It would be great if possible to even unify the two init
functions, but I haven't checked what happens in the middle.
Paolo
On 06/12/2014 04:03, Andy Lutomirski wrote:
> paravirt_enabled has the following effects:
>
> - Disables the F00F bug workaround warning. There is no F00F bug
>workaround any more because Linux's standard IDT handling already
>works around the F00F bug, but the warning still exists. T
On 04/12/2014 17:34, Greg KH wrote:
> On Thu, Dec 04, 2014 at 04:57:06PM +0100, Paolo Bonzini wrote:
>> > get_xsave_addr is the API to access XSAVE states, and KVM would
>> > like to use it. Export it.
> Use it in what way?
As in patch 2/9, to avoid that upgrading to
get_xsave_addr is the API to access XSAVE states, and KVM would
like to use it. Export it.
Cc: stable@vger.kernel.org
Cc: x...@kernel.org
Cc: H. Peter Anvin
Acked-by: Thomas Gleixner
Signed-off-by: Paolo Bonzini
---
arch/x86/kernel/xsave.c | 1 +
1 file changed, 1 insertion(+)
diff --git a
convert back.
Fixes: f31a9f7c71691569359fa7fb8b0acaa44bce0324
Cc: Fenghua Yu
Cc: stable@vger.kernel.org
Cc: H. Peter Anvin
Reported-by: Nadav Amit
Tested-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/x86.c | 90 +-
1 file changed
> CC-ing the KVM folks since they use the paravirt interface too.
We also do not want to load microcode. :) Thanks for the heads-up.
Acked-by: Paolo Bonzini
Paolo
>> In fact, under certain circumstances initializing this logic may cause
>> the guest to crash. Specifically, 32-
On 24/11/2014 03:10, Wanpeng Li wrote:
> Hi Paolo,
> On Fri, Nov 21, 2014 at 07:31:18PM +0100, Paolo Bonzini wrote:
> [...]
>> +u64 feature = valid & -valid;
>> +int index = fls64(feature) - 1;
>> +void *src
On 21/11/2014 21:06, Andy Lutomirski wrote:
>> > + cpuid_count(XSTATE_CPUID, index,
>> > + &size, &offset, &ecx, &edx);
>> > + memcpy(dest + offset, src, size);
> Is this really the best way to do this? cpuid is serializing, so this
This feature is not supported inside KVM guests yet, because we do not emulate
MSR_IA32_XSS. Mask it out.
Cc: stable@vger.kernel.org
Cc: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/cpuid.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86
Userspace is expecting non-compacted format for KVM_GET_XSAVE, but
struct xsave_struct might be using the compacted format. Convert
in order to preserve userspace ABI.
Fixes: f31a9f7c71691569359fa7fb8b0acaa44bce0324
Cc: Fenghua Yu
Cc: stable@vger.kernel.org
Cc: Nadav Amit
Signed-off-by: Paolo
On 03/11/2014 14:44, Ben Hutchings wrote:
>> You can just use the same scheme as your patch 88/102:
> Why is that? Why should I not use the upstream version?
Because it makes no sense to invalidate nested EPT page tables, if the
kernel cannot make nested EPT page tables in the first place.
I th
-off-by: Jun Nakajima
> Signed-off-by: Xinhao Xu
> Signed-off-by: Yang Zhang
> Signed-off-by: Gleb Natapov
> Signed-off-by: Paolo Bonzini
> [bwh: Backported to 3.2:
> - Adjust context, filename
> - Add definition of nested_ept_get_cr3(), added upstream by commit
>155
a8b200
Reported-by: Borislav Petkov
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 43 +--
1 file changed, 33 insertions(+), 10 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 8aa66068712f..69af43a896c6 100644
--- a/ar
On 10/24/2014 07:57 PM, Andy Lutomirski wrote:
> > KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
> > triggered by a privileged application. Let's not kill the guest: WARN
> > and inject #UD instead.
>
> This scares me a bit. For guest CPL3, it's probably okay. For guest
> C
GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
be in canonical form."
This patch fixes CVE-2014-3610.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/include/asm/kvm_host.h | 14 ++
arch/x86/
's patch. - Paolo]
Signed-off-by: Paolo Bonzini
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/vmx.c | 7 +--
arch/x86/kvm/x86.c | 11 ---
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arc
From: Nadav Amit
Relative jumps and calls do the masking according to the operand size, and not
according to the address size as the KVM emulator does today.
This patch fixes KVM behavior.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm
-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 78 ++
1 file changed, 54 insertions(+), 24 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 047698974799..a1b9139169f6 100644
--- a/arch/x86
RIP, we are left in
inconsistent state. Therefore, this patch saves on 64-bit the old CS
descriptor and restores it if loading RIP failed.
This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 118
l.org
Signed-off-by: Andrew Honig
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/i8254.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 518d86471b76..298781d4cfb4 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -262,8 +2
handler.
This is CVE-2014-3646.
Cc: stable@vger.kernel.org
Signed-off-by: Petr Matousek
Signed-off-by: Paolo Bonzini
---
arch/x86/include/uapi/asm/vmx.h | 2 ++
arch/x86/kvm/vmx.c | 9 -
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/uapi/asm
From: "Michael S. Tsirkin"
KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
triggered by a privileged application. Let's not kill the guest: WARN
and inject #UD instead.
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Paolo Bo
to help me in
understanding this code.
Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
Cc: stable@vger.kernel.org
Signed-off-by: Quentin Casasnovas
Signed-off-by: Vegard Nossum
Signed-off-by: Jamie Iles
Reviewed-by: Sasha Levin
Signed-off-by: Paolo Bo
different group for each prefix.
This has been the case forever, but the next patch needs the cflush group
in order to fix a bug introduced in 3.17.
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 02c8ea804aaf..eb3b1c46f995 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4580,10 +4580,10 @@ don
prefetch and hint-nop and SrcMem for clflush.
This fixes CVE-2014-8480.
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff
@vger.kernel.org
Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/emulate.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index c0deaff8d9f0..02c8ea804aaf 100644
On 02/09/2014 18:44, David Matlack wrote:
> >
> > -#define MMIO_GEN_SHIFT 19
> > -#define MMIO_GEN_LOW_SHIFT 9
> > -#define MMIO_GEN_LOW_MASK ((1 << MMIO_GEN_LOW_SHIFT) - 1)
> > +#define MMIO_GEN_SHIFT 20
> > +#define MMIO_GEN_LOW_SHIFT
imply punt if we observe the low bit to be 1.
Cc: stable@vger.kernel.org
Cc: Xiao Guangrong
Signed-off-by: David Matlack
Signed-off-by: Paolo Bonzini
---
Documentation/virtual/kvm/mmu.txt | 14 ++
arch/x86/kvm/mmu.c| 20
virt/kvm/kvm_m
.
[ xiaoguangrong: adjust the code to make it simpler for stable-tree fix. ]
Cc: stable@vger.kernel.org
Signed-off-by: David Matlack
Signed-off-by: Xiao Guangrong
Signed-off-by: Paolo Bonzini
---
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/mmu.c | 2 +-
arch/x86/kvm/x86.h
The next patch will give a meaning (a la seqcount) to the low bit of the
generation number. Ensure that it matches between kvm->memslots->generation
and kvm_current_mmio_generation().
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/mmu.c | 7 +--
vi
On 28/08/2014 23:10, David Matlack wrote:
> Paolo,
> It seems like this patch ("[PATCH 2/2] kvm: x86: fix stale mmio cache")
> is ready to go. Is there anything blocking it from being merged?
>
> (It should be fine to merge this on its own, independent of the fix
> discussed in "[PATCH 1/2] K
On 27/08/2014 09:13, Christian Borntraeger wrote:
> On 27/08/14 05:06, Ben Hutchings wrote:
>> On Mon, 2014-08-25 at 15:10 +0200, Christian Borntraeger wrote:
>>> The PFMF instruction handler blindly wrote the storage key even if
>>> the page was mapped R/O in the host. Let's try a COW before
On 26/08/2014 11:08, Pekka Enberg wrote:
> On Sun, Aug 17, 2014 at 11:54 AM, Paolo Bonzini wrote:
>> On 15/08/2014 18:54, Marcelo Tosatti wrote:
>>>
>>> Ping on integration.
>>
>> It's been in kvm/next for a while, and is now in Linus'
On 20/08/2014 03:03, David Matlack wrote:
> On Tue, Aug 19, 2014 at 5:29 PM, Xiao Guangrong
> wrote:
>> On 08/19/2014 05:03 PM, Paolo Bonzini wrote:
>>> On 19/08/2014 10:50, Xiao Guangrong wrote:
>>>> Okay, what confused me it that it seems that the si
On 19/08/2014 10:50, Xiao Guangrong wrote:
> Okay, what confused me is that it seems that the single line patch
> is ok to you. :)
No, it was late and I was confused. :)
> Now, do we really need to care about case 2? like David said:
> "Sorry I didn't explain myself very well: Since we can get
On 19/08/2014 05:50, Xiao Guangrong wrote:
>
> Note in the step *, my approach detects the invalid generation-number which
> will invalidate the mmio spte properly.
You are right, in fact my mail included another part: "Another
alternative could be to use the low bit to mark an in-progress
On 14/08/2014 09:01, Xiao Guangrong wrote:
> * Clear the mmio cache info for the given gva,
> - * specially, if gva is ~0ul, we clear all mmio cache info.
> + * specially, if gva is ~MMIO_GVA_ANY, we clear all mmio cache info.
Extra ~.
> */
> +#define MMIO_GVA_ANY ~((gva_t)0)
> +
Better
On 18/08/2014 23:15, David Matlack wrote:
> I just realized how simple Paolo's idea is. I think it can be a one line
> patch (without comments):
>
> [...]
> update_memslots(slots, new, kvm->memslots->generation);
> rcu_assign_pointer(kvm->memslots, slots);
> synchroniz