1. 06 Apr, 2022 1 commit
    • 
      KVM: avoid NULL pointer dereference in kvm_dirty_ring_push · 5593473a
      Paolo Bonzini authored
      kvm_vcpu_release() will call kvm_dirty_ring_free(), freeing
      ring->dirty_gfns and setting it to NULL.  Afterwards, it calls
      kvm_arch_vcpu_destroy().
      
      However, if closing the file descriptor races with KVM_RUN in such a way
      that vcpu->arch.st.preempted == 0, the following call stack leads to a
      NULL pointer dereference in kvm_dirty_run_push():
      
       mark_page_dirty_in_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3171
       kvm_steal_time_set_preempted arch/x86/kvm/x86.c:4600 [inline]
       kvm_arch_vcpu_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
       vcpu_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:211
       vmx_free_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
       kvm_arch_vcpu_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
       kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
      
      The fix is to release the dirty page ring after kvm_arch_vcpu_destroy
      has run.
      Reported-by: Qiuhao Li <qiuhao@sysec.org>
      Reported-by: Gaoning Pan <pgn@zju.edu.cn>
      Reported-by: Yongkang Jia <kangel@zju.edu.cn>
      Cc: stable@vger.kernel.org
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
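The teardown ordering the commit describes, as an added model that is not KVM's code: a freed dirty ring is set to NULL, and an arch-level destroy that still marks the steal-time page dirty will push into that NULL ring when the vCPU was not already recorded as preempted. The struct and function names (dirty_ring, vcpu, vcpu_release_buggy, vcpu_release_fixed, simulate_*) are simplified stand-ins for the kernel structures, and the guest frame number pushed is arbitrary. The model counts pushes that hit a freed ring instead of crashing, so both orderings can be compared in one run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added illustration, not KVM's code: a minimal model of the vCPU teardown
 * ordering discussed in the commit. Names are simplified stand-ins.
 */
struct dirty_ring {
    unsigned long *dirty_gfns;  /* NULL once the ring has been freed */
    size_t size;
    size_t dirty_index;         /* number of entries pushed so far */
};

struct vcpu {
    struct dirty_ring ring;
    int preempted;              /* stands in for vcpu->arch.st.preempted */
    int freed_ring_pushes;      /* instrumentation: pushes that hit a freed ring */
};

static int ring_alloc(struct dirty_ring *r, size_t size)
{
    r->dirty_gfns = calloc(size, sizeof(*r->dirty_gfns));
    if (!r->dirty_gfns)
        return -1;
    r->size = size;
    r->dirty_index = 0;
    return 0;
}

/* Models kvm_dirty_ring_free(): frees the entries and NULLs the pointer. */
static void ring_free(struct dirty_ring *r)
{
    free(r->dirty_gfns);
    r->dirty_gfns = NULL;
}

/* Models kvm_dirty_ring_push(). In the kernel a NULL ring is an oops;
 * here it is counted so the buggy ordering can be observed safely. */
static bool ring_push(struct vcpu *v, unsigned long gfn)
{
    if (!v->ring.dirty_gfns) {
        v->freed_ring_pushes++;
        return false;
    }
    v->ring.dirty_gfns[v->ring.dirty_index % v->ring.size] = gfn;
    v->ring.dirty_index++;
    return true;
}

/* Models kvm_arch_vcpu_put() -> kvm_steal_time_set_preempted(): the steal-time
 * page is marked dirty only if the vCPU was not already recorded as preempted. */
static void arch_vcpu_put(struct vcpu *v)
{
    if (!v->preempted) {
        v->preempted = 1;
        ring_push(v, 0x1234UL);  /* arbitrary GFN standing in for the steal-time page */
    }
}

/* Models kvm_arch_vcpu_destroy() -> vmx_free_vcpu() -> vcpu_put(). */
static void arch_vcpu_destroy(struct vcpu *v)
{
    arch_vcpu_put(v);
}

/* Ordering before the fix: ring freed first, then the arch destroy pushes into it. */
static void vcpu_release_buggy(struct vcpu *v)
{
    ring_free(&v->ring);
    arch_vcpu_destroy(v);
}

/* Ordering after the fix: arch destroy first, ring freed last. */
static void vcpu_release_fixed(struct vcpu *v)
{
    arch_vcpu_destroy(v);
    ring_free(&v->ring);
}

/* Run one teardown with preempted == 0 (the racy KVM_RUN case) and return
 * how many pushes would have dereferenced a freed ring; -1 on allocation failure. */
static int simulate_freed_pushes(void (*release)(struct vcpu *))
{
    struct vcpu v = { .preempted = 0, .freed_ring_pushes = 0 };
    if (ring_alloc(&v.ring, 16) != 0)
        return -1;
    release(&v);
    return v.freed_ring_pushes;
}

/* Same scenario, returning how many entries actually landed in the ring. */
static int simulate_recorded_entries(void (*release)(struct vcpu *))
{
    struct vcpu v = { .preempted = 0, .freed_ring_pushes = 0 };
    if (ring_alloc(&v.ring, 16) != 0)
        return -1;
    release(&v);
    return (int)v.ring.dirty_index;
}

int main(void)
{
    printf("buggy order: %d push(es) into a freed ring, %d recorded\n",
           simulate_freed_pushes(vcpu_release_buggy),
           simulate_recorded_entries(vcpu_release_buggy));
    printf("fixed order: %d push(es) into a freed ring, %d recorded\n",
           simulate_freed_pushes(vcpu_release_fixed),
           simulate_recorded_entries(vcpu_release_fixed));
    return 0;
}
```

With preempted == 0 the buggy ordering makes exactly one push against the freed ring and records nothing; the fixed ordering records the entry and never touches a freed ring. The same model with preempted == 1 makes no push in either ordering, which is why the bug only appears when closing the fd races with KVM_RUN.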
  2. 05 Apr, 2022 4 commits
    • 
      Documentation: kvm: Add missing line break in api.rst · c1be1ef1
      Bagas Sanjaya authored
      Add missing line break separator between literal block and description
      of KVM_EXIT_RISCV_SBI.
      
      This fixes:
      </path/to/linux>/Documentation/virt/kvm/api.rst:6118: WARNING: Literal block ends without a blank line; unexpected unindent.
      
      Fixes: da40d858 (RISC-V: KVM: Document RISC-V specific parts of KVM API, 2021-09-27)
      Cc: Anup Patel <anup.patel@wdc.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Paul Walmsley <paul.walmsley@sifive.com>
      Cc: Palmer Dabbelt <palmer@dabbelt.com>
      Cc: Albert Ou <aou@eecs.berkeley.edu>
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: linux-riscv@lists.infradead.org
      Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
      Message-Id: <20220403065735.23859-1-bagasdotme@gmail.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • 
      KVM: x86/mmu: remove unnecessary flush_workqueue() · 3203a56a
      Lv Ruyi authored
      All work currently pending will be done first by calling destroy_workqueue,
      so it is unnecessary to flush it explicitly.
      Reported-by: Zeal Robot <zealci@zte.com.cn>
      Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
      Reviewed-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <20220401083530.2407703-1-lv.ruyi@zte.com.cn>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • 
      KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded · 1d0e8480
      Sean Christopherson authored
      Resolve nx_huge_pages to true/false when kvm.ko is loaded; leaving it as
      -1 is technically undefined behavior when its value is read out by
      param_get_bool(), as boolean values are supposed to be '0' or '1'.
      
      Alternatively, KVM could define a custom getter for the param, but the
      auto value doesn't depend on the vendor module in any way, and printing
      "auto" would be unnecessarily unfriendly to the user.
      
      In addition to fixing the undefined behavior, resolving the auto value
      also fixes the scenario where the auto value resolves to N and no vendor
      module is loaded.  Previously, -1 would result in Y being printed even
      though KVM would ultimately disable the mitigation.
      
      Rename the existing MMU module init/exit helpers to clarify that they're
      invoked with respect to the vendor module, and add comments to document
      why KVM has two separate "module init" flows.
      
        =========================================================================
        UBSAN: invalid-load in kernel/params.c:320:33
        load of value 255 is not a valid value for type '_Bool'
        CPU: 6 PID: 892 Comm: tail Not tainted 5.17.0-rc3+ #799
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
        Call Trace:
         <TASK>
         dump_stack_lvl+0x34/0x44
         ubsan_epilogue+0x5/0x40
         __ubsan_handle_load_invalid_value.cold+0x43/0x48
         param_get_bool.cold+0xf/0x14
         param_attr_show+0x55/0x80
         module_attr_show+0x1c/0x30
         sysfs_kf_seq_show+0x93/0xc0
         seq_read_iter+0x11c/0x450
         new_sync_read+0x11b/0x1a0
         vfs_read+0xf0/0x190
         ksys_read+0x5f/0xe0
         do_syscall_64+0x3b/0xc0
         entry_SYSCALL_64_after_hwframe+0x44/0xae
         </TASK>
        =========================================================================
      
      Fixes: b8e8c830 ("kvm: mmu: ITLB_MULTIHIT mitigation")
      Cc: stable@vger.kernel.org
      Reported-by: Bruno Goncalves <bgoncalv@redhat.com>
      Reported-by: Jan Stancek <jstancek@redhat.com>
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <20220331221359.3912754-1-seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • 
      KVM: SEV: Add cond_resched() to loop in sev_clflush_pages() · 00c22013
      Peter Gonda authored
      Add resched to avoid warning from sev_clflush_pages() with a large number
      of pages.
      Signed-off-by: Peter Gonda <pgonda@google.com>
      Cc: Sean Christopherson <seanjc@google.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      
      Message-Id: <20220330164306.2376085-1-pgonda@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3. 03 Apr, 2022 8 commits
  4. 02 Apr, 2022 27 commits