- 27 Feb, 2020 26 commits
-
-
Janosch Frank authored
A lot of the registers are controlled by the Ultravisor and never visible to KVM. Also some registers are overlayed, like gbea is with sidad, which might leak data to userspace. Hence we sync a minimal set of registers for both SIE formats and then check and sync format 2 registers if necessary. Signed-off-by:
Janosch Frank <frankja@linux.ibm.com> Reviewed-by:
Cornelia Huck <cohuck@redhat.com> Reviewed-by:
David Hildenbrand <david@redhat.com> [borntraeger@de.ibm.com: patch merging, splitting, fixing] Signed-off-by:
Christian Borntraeger <borntraeger@de.ibm.com>
-
Janosch Frank authored
For protected VMs the hypervisor can not access guest breaking event address, program parameter, bpbc and todpr. Do not reset those fields as the control block does not provide access to these fields. Signed-off-by:
-
Janosch Frank authored
A lot of the registers are controlled by the Ultravisor and never visible to KVM. Some fields in the sie control block are overlayed, like gbea. As no known userspace uses the ONE_REG interface on s390 if sync regs are available, no functionality is lost if it is disabled for protected guests. Signed-off-by:
Thomas Huth <thuth@redhat.com> Reviewed-by:
-
Janosch Frank authored
Save response to sidad and disable address checking for protected guests. Signed-off-by:
-
Janosch Frank authored
STHYI data has to go through the bounce buffer. Signed-off-by:
-
Claudio Imbrenda authored
The current code tries to first pin shared pages, if that fails (e.g. because the page is not shared) it will export them. For shared pages this means that we get a new intercept telling us that the guest is unsharing that page. We will unpin the page at that point in time, following the same rules as for making a page secure (i.e. waiting for writeback, no elevated page references, etc.) Signed-off-by:
Claudio Imbrenda <imbrenda@linux.ibm.com> Acked-by:
-
Janosch Frank authored
The SPX instruction is handled by the ultravisor. We do get a notification intercept, though. Let us update our internal view. In addition to that, when the guest prefix page is not secure, an intercept 112 (0x70) is indicated. Let us make the prefix pages secure again. Signed-off-by:
-
Janosch Frank authored
Now that we can't access guest memory anymore, we have a dedicated satellite block that's a bounce buffer for instruction data. We re-use the memop interface to copy the instruction data to / from userspace. This lets us re-use a lot of QEMU code which used that interface to make logical guest memory accesses which are not possible anymore in protected mode anyway. Signed-off-by:
-
Janosch Frank authored
Guest registers for protected guests are stored at offset 0x380. We will copy those to the usual places. Long term we could refactor this or use register access functions. Signed-off-by:
-
Janosch Frank authored
SIE intercept code 8 is used only on exception loops for protected guests. That means we need to stop the guest when we see it. This is done by userspace. Signed-off-by:
-
Christian Borntraeger authored
The sclp interrupt is kind of special. The ultravisor polices that we do not inject an sclp interrupt with payload if no sccb is outstanding. On the other hand we have "asynchronous" event interrupts, e.g. for console input. We separate both variants into sclp interrupt and sclp event interrupt. The sclp interrupt is masked until a previous servc instruction has finished (sie exit 108). [frankja@linux.ibm.com: factoring out write_sclp] Signed-off-by:
-
Michael Mueller authored
This defines the necessary data structures in the SIE control block to inject machine checks,external and I/O interrupts. We first define the the interrupt injection control, which defines the next interrupt to inject. Then we define the fields that contain the payload for machine checks,external and I/O interrupts. This is then used to implement interruption injection for the following list of interruption types: - I/O (uses inject io interruption) __deliver_io - External (uses inject external interruption) __deliver_cpu_timer __deliver_ckc __deliver_emergency_signal __deliver_external_call - cpu restart (uses inject restart interruption) __deliver_restart - machine checks (uses mcic, failing address and external damage) __write_machine_check Please note that posted interrupts (GISA) are not used for protected guests as of today. The service interrupt is handled in a followup patch. Signed-off-by:Michael Mueller <mimu@linux.ibm.com> Reviewed-by:
-
Janosch Frank authored
We have two new SIE exit codes dealing with instructions. 104 (0x68) for a secure instruction interception, on which the SIE needs hypervisor action to complete the instruction. We can piggy-back on the existing instruction handlers. 108 which is merely a notification and provides data for tracking and management. For example this is used to tell the host about a new value for the prefix register. As there will be several special case handlers in later patches, we handle this in a separate function. Signed-off-by:
-
Janosch Frank authored
Since there is no interception for load control and load psw instruction in the protected mode, we need a new way to get notified whenever we can inject an IRQ right after the guest has just enabled the possibility for receiving them. The new interception codes solve that problem by providing a notification for changes to IRQ enablement relevant bits in CRs 0, 6 and 14, as well a the machine check mask bit in the PSW. No special handling is needed for these interception codes, the KVM pre-run code will consult all necessary CRs and PSW bits and inject IRQs the guest is enabled for. Signed-off-by:
-
Christian Borntraeger authored
Before we destroy the secure configuration, we better make all pages accessible again. This also happens during reboot, where we reboot into a non-secure guest that then can go again into secure mode. As this "new" secure guest will have a new ID we cannot reuse the old page state. Signed-off-by:
-
Janosch Frank authored
KSM will not work on secure pages, because when the kernel reads a secure page, it will be encrypted and hence no two pages will look the same. Let's mark the guest pages as unmergeable when we transition to secure mode. Signed-off-by:
-
Janosch Frank authored
This contains 3 main changes: 1. changes in SIE control block handling for secure guests 2. helper functions for create/destroy/unpack secure guests 3. KVM_S390_PV_COMMAND ioctl to allow userspace dealing with secure machines Signed-off-by:
-
Janosch Frank authored
This adds two new helper functions for doing UV CALLs. The first variant handles UV CALLs that might have longer busy conditions or just need longer when doing partial completion. We should schedule when necessary. The second variant handles UV CALLs that only need the handle but have no payload (e.g. destroying a VM). We can provide a simple wrapper for those. Signed-off-by:
-
Janosch Frank authored
Let's have some debug traces which stay around for longer than the guest. Signed-off-by:
-
Ulrich Weigand authored
The adapter interrupt page containing the indicator bits is currently pinned. That means that a guest with many devices can pin a lot of memory pages in the host. This also complicates the reference tracking which is needed for memory management handling of protected virtual machines. It might also have some strange side effects for madvise MADV_DONTNEED and other things. We can simply try to get the userspace page set the bits and free the page. By storing the userspace address in the irq routing entry instead of the guest address we can actually avoid many lookups and list walks so that this variant is very likely not slower. If userspace messes around with the memory slots the worst thing that can happen is that we write to some other memory within that process. As we get the the page with FOLL_WRITE this can also not be used to write to shared read-only pages. Signed-off-by:
Ulrich Weigand <Ulrich.Weigand@de.ibm.com> Acked-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linuxChristian Borntraeger authored
s390 base parts (non kvm) for protvirt
-
Janosch Frank authored
That information, e.g. the maximum number of guests or installed Ultravisor facilities, is interesting for QEMU, Libvirt and administrators. Let's provide an easily parsable API to get that information. Signed-off-by:
-
Vasily Gorbik authored
Add exceptions handlers performing transparent transition of non-secure pages to secure (import) upon guest access and secure pages to non-secure (export) upon hypervisor access. Signed-off-by:
Vasily Gorbik <gor@linux.ibm.com> [frankja@linux.ibm.com: adding checks for failures] Signed-off-by:
-
Claudio Imbrenda authored
This provides the basic ultravisor calls and page table handling to cope with secure guests: - provide arch_make_page_accessible - make pages accessible after unmapping of secure guests - provide the ultravisor commands convert to/from secure - provide the ultravisor commands pin/unpin shared - provide callbacks to make pages secure (inacccessible) - we check for the expected pin count to only make pages secure if the host is not accessing them - we fence hugetlbfs for secure pages - add missing radix-tree include into gmap.h The basic idea is that a page can have 3 states: secure, normal or shared. The hypervisor can call into a firmware function called ultravisor that allows to change the state of a page: convert from/to secure. The convert from secure will encrypt the page and make it available to the host and host I/O. The convert to secure will remove the host capability to access this page. The design is that on convert to secure we will wait until writeback and page refs are indicating no host usage. At the same time the convert from secure (export to host) will be called in common code when the refcount or the writeback bit is already set. This avoids races between convert from and to secure. Then there is also the concept of shared pages. Those are kind of secure where the host can still access those pages. We need to be notified when the guest "unshares" such a page, basically doing a convert to secure by then. There is a call "pin shared page" that we use instead of convert from secure when possible. We do use PG_arch_1 as an optimization to minimize the convert from secure/pin shared. Several comments have been added in the code to explain the logic in the relevant places. Co-developed-by:
-
Vasily Gorbik authored
Before being able to host protected virtual machines, donate some of the memory to the ultravisor. Besides that the ultravisor might impose addressing limitations for memory used to back protected VM storage. Treat that limit as protected virtualization host's virtual memory limit. Signed-off-by:
-
Vasily Gorbik authored
Add "prot_virt" command line option which controls if the kernel protected VMs support is enabled at early boot time. This has to be done early, because it needs large amounts of memory and will disable some features like STP time sync for the lpar. Extend ultravisor info definitions and expose it via uv_info struct filled in during startup. Signed-off-by:
-
- 16 Feb, 2020 10 commits
-
-
Linus Torvalds authored
-
https://github.com/cminyard/linux-ipmiLinus Torvalds authored
Pull IPMI update from Corey Minyard: "Minor bug fixes for IPMI I know this is late; I've been travelling and, well, I've been distracted. This is just a few bug fixes and adding i2c support to the IPMB driver, which is something I wanted from the beginning for it" * tag 'for-linus-5.6-1' of https://github.com/cminyard/linux-ipmi: drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds write ipmi:ssif: Handle a possible NULL pointer reference drivers: ipmi: Modify max length of IPMB packet drivers: ipmi: Support raw i2c packet in IPMB
-
git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds authored
Pull KVM fixes from Paolo Bonzini: "Bugfixes and improvements to selftests. On top of this, Mauro converted the KVM documentation to rst format, which was very welcome" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (44 commits) docs: virt: guest-halt-polling.txt convert to ReST docs: kvm: review-checklist.txt: rename to ReST docs: kvm: Convert timekeeping.txt to ReST format docs: kvm: Convert s390-diag.txt to ReST format docs: kvm: Convert ppc-pv.txt to ReST format docs: kvm: Convert nested-vmx.txt to ReST format docs: kvm: Convert mmu.txt to ReST format docs: kvm: Convert locking.txt to ReST format docs: kvm: Convert hypercalls.txt to ReST format docs: kvm: arm/psci.txt: convert to ReST docs: kvm: convert arm/hyp-abi.txt to ReST docs: kvm: Convert api.txt to ReST format docs: kvm: convert devices/xive.txt to ReST docs: kvm: convert devices/xics.txt to ReST docs: kvm: convert devices/vm.txt to ReST docs: kvm: convert devices/vfio.txt to ReST docs: kvm: convert devices/vcpu.txt to ReST docs: kvm: convert devices/s390_flic.txt to ReST docs: kvm: convert devices/mpic.txt to ReST docs: kvm: convert devices/arm-vgit.txt to ReST ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/ras/rasLinus Torvalds authored
Pull EDAC fixes from Borislav Petkov: "Two fixes for use-after-free and memory leaking in the EDAC core, by Robert Richter. Debug options like DEBUG_TEST_DRIVER_REMOVE, KASAN and DEBUG_KMEMLEAK unearthed issues with the lifespan of memory allocated by the EDAC memory controller descriptor due to misdesigned memory freeing, done partially by the EDAC core *and* the driver core, which is problematic to say the least. These two are minimal fixes to take care of stable - a proper rework is following which cleans up that mess properly" * tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/sysfs: Remove csrow objects on errors EDAC/mc: Fix use-after-free and memleaks during device removal
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull block fixes from Jens Axboe: "Not a lot here, which is great, basically just three small bcache fixes from Coly, and four NVMe fixes via Keith" * tag 'block-5.6-2020-02-16' of git://git.kernel.dk/linux-block: nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info nvme/pci: move cqe check after device shutdown nvme: prevent warning triggered by nvme_stop_keep_alive nvme/tcp: fix bug on double requeue when send fails bcache: remove macro nr_to_fifo_front() bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" bcache: ignore pending signals when creating gc and allocator thread
-
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linuxLinus Torvalds authored
Pull btrfs fixes from David Sterba: "Two races fixed, memory leak fix, sysfs directory fixup and two new log messages: - two fixed race conditions: extent map merging and truncate vs fiemap - create the right sysfs directory with device information and move the individual device dirs under it - print messages when the tree-log is replayed at mount time or cannot be replayed on remount" * tag 'for-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: sysfs, move device id directories to UUID/devinfo btrfs: sysfs, add UUID/devinfo kobject Btrfs: fix race between shrinking truncate and fiemap btrfs: log message when rw remount is attempted with unclean tree-log btrfs: print message when tree-log replay starts Btrfs: fix race between using extent maps and merging them btrfs: ref-verify: fix memory leaks -
git://git.samba.org/sfrench/cifs-2.6Linus Torvalds authored
Pull cifs fixes from Steve French: "Four small CIFS/SMB3 fixes. One (the EA overflow fix) for stable" * tag '5.6-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: make sure we do not overflow the max EA buffer size cifs: enable change notification for SMB2.1 dialect cifs: Fix mode output in debugging statements cifs: fix mount option display for sec=krb5i
-
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4Linus Torvalds authored
Pull ext4 fixes from Ted Ts'o: "Miscellaneous ext4 bug fixes (all stable fodder)" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: improve explanation of a mount failure caused by a misconfigured kernel jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() ext4: add cond_resched() to ext4_protect_reserved_inode ext4: fix checksum errors with indexed dirs ext4: fix support for inode sizes > 1024 bytes ext4: simplify checking quota limits in ext4_statfs() ext4: don't assume that mmp_nodename/bdevname have NUL
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
Pull input updates from Dmitry Torokhov: - a few drivers have been updated to use flexible-array syntax instead of GCC extension - ili210x touchscreen driver now supports the 2120 protocol flavor - a couple more of Synaptics devices have been switched over to RMI4 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: cyapa - replace zero-length array with flexible-array member Input: tca6416-keypad - replace zero-length array with flexible-array member Input: gpio_keys_polled - replace zero-length array with flexible-array member Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list Input: synaptics - enable SMBus on ThinkPad L470 Input: synaptics - switch T470s to RMI4 by default Input: gpio_keys - replace zero-length array with flexible-array member Input: goldfish_events - replace zero-length array with flexible-array member Input: psmouse - switch to using i2c_new_scanned_device() Input: ili210x - add ili2120 support Input: ili210x - fix return value of is_visible function
-
git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdmaLinus Torvalds authored
Pull rdma fixes from Jason Gunthorpe: "Not too much going on here, though there are about four fixes related to stuff merged during the last merge window. We also see the return of a syzkaller instance with access to RDMA devices, and a few bugs detected by that squished. - Fix three crashers and a memory memory leak for HFI1 - Several bugs found by syzkaller - A bug fix for the recent QP counters feature on older mlx5 HW - Locking inversion in cxgb4 - Unnecessary WARN_ON in siw - A umad crasher regression during unload, from a bug fix for something else - Bugs introduced in the merge window: - Missed list_del in uverbs file rework, core and mlx5 devx - Unexpected integer math truncation in the mlx5 VAR patches - Compilation bug fix for the VAR patches on 32 bit" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: IB/mlx5: Use div64_u64 for num_var_hw_entries calculation RDMA/core: Fix protection fault in get_pkey_idx_qp_list RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq RDMA/mlx5: Prevent overflow in mmap offset calculations IB/umad: Fix kernel crash while unloading ib_umad RDMA/mlx5: Fix async events cleanup flows RDMA/core: Add missing list deletion on freeing event queue RDMA/siw: Remove unwanted WARN_ON in siw_cm_llp_data_ready() RDMA/iw_cxgb4: initiate CLOSE when entering TERM IB/mlx5: Return failure when rts2rts_qp_counters_set_id is not supported RDMA/core: Fix invalid memory access in spec_filter_size IB/rdmavt: Reset all QPs when the device is shut down IB/hfi1: Close window for pq and request coliding IB/hfi1: Acquire lock to release TID entries when user file is closed RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create
-
- 15 Feb, 2020 4 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/soc/socLinus Torvalds authored
Pull ARM SoC fixes from Olof Johansson: "A handful of fixes that have come in since the merge window: - Fix of PCI interrupt map on arm64 fast model (SW emulator) - Fixlet for sound on ST platforms and a small cleanup of deprecated DT properties - A stack buffer overflow fix for moxtet - Fuse driver build fix for Tegra194 - A few config updates to turn on new drivers merged this cycle" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: bus: moxtet: fix potential stack buffer overflow soc/tegra: fuse: Fix build with Tegra194 configuration ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi ARM: dts: sti: Remove deprecated snps PHY properties for stih410-b2260 arm64: defconfig: Enable DRM_SUN6I_DSI arm64: defconfig: Enable CONFIG_SUN8I_THERMAL ARM: sunxi: Enable CONFIG_SUN8I_THERMAL arm64: defconfig: Set bcm2835-dma as built-in ARM: configs: Cleanup old Kconfig options ARM: npcm: Bring back GPIOLIB support arm64: dts: fast models: Fix FVP PCI interrupt-map property -
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linuxLinus Torvalds authored
Pull s390 updates from Vasily Gorbik: - Enable paes-s390 cipher selftests in testmgr (acked-by Herbert Xu). - Fix protected key length update in PKEY_SEC2PROTK ioctl and increase card/queue requests counter to 64-bit in crypto code. - Fix clang warning in get_tod_clock. - Fix ultravisor info length extensions handling. - Fix style of SPDX License Identifier in vfio-ccw. - Avoid unnecessary GFP_ATOMIC and simplify ACK tracking in qdio. * tag 's390-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: crypto/testmgr: enable selftests for paes-s390 ciphers s390/time: Fix clk type in get_tod_clock s390/uv: Fix handling of length extensions s390/qdio: don't allocate *aob array with GFP_ATOMIC s390/qdio: simplify ACK tracking s390/zcrypt: fix card and queue total counter wrap s390/pkey: fix missing length of protected key on return vfio-ccw: Use the correct style for SPDX License Identifier
-
Linus Torvalds authored
Merge tag 'hwmon-for-v5.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "Fix compatible string typos in the xdpe12284 driver, and a wrong bit value in the ltc2978 driver" * tag 'hwmon-for-v5.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (pmbus/xdpe12284) fix typo in compatible strings hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull scheduler fixes from Ingo Molnar: "Misc fixes all over the place: - Fix NUMA over-balancing between lightly loaded nodes. This is fallout of the big load-balancer rewrite. - Fix the NOHZ remote loadavg update logic, which fixes anomalies like reported 150 loadavg on mostly idle CPUs. - Fix XFS performance/scalability - Fix throttled groups unbound task-execution bug - Fix PSI procfs boundary condition - Fix the cpu.uclamp.{min,max} cgroup configuration write checks - Fix DocBook annotations - Fix RCU annotations - Fix overly CPU-intensive housekeeper CPU logic loop on large CPU counts" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Fix kernel-doc warning in attach_entity_load_avg() sched/core: Annotate curr pointer in rq with __rcu sched/psi: Fix OOB write when writing 0 bytes to PSI files sched/fair: Allow a per-CPU kthread waking a task to stack on the same CPU, to fix XFS performance regression sched/fair: Prevent unlimited runtime on throttled group sched/nohz: Optimize get_nohz_timer_target() sched/uclamp: Reject negative values in cpu_uclamp_write() sched/fair: Allow a small load imbalance between low utilisation SD_NUMA domains timers/nohz: Update NOHZ load in remote tick sched/core: Don't skip remote tick for idle CPUs
-
