From 3eb77d5116d78cce5b9fa9eb19d012bc636116b6 Mon Sep 17 00:00:00 2001
From: Christian Borntraeger
Date: Mon, 17 Nov 2008 14:50:35 +0100
Subject: KVM: s390: Fix problem state handling in guest sigp handler

We can get an exit for instructions starting with 0xae, even if the
guest is in userspace. Let's make sure that the signal processor
handler is only called in guest supervisor mode. Otherwise, send a
program check.

Signed-off-by: Christian Borntraeger
Signed-off-by: Avi Kivity
---
 arch/s390/kvm/sigp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c
index 1703926..2a01b9e 100644
--- a/arch/s390/kvm/sigp.c
+++ b/arch/s390/kvm/sigp.c
@@ -237,6 +237,11 @@ int kvm_s390_handle_sigp(struct kvm_vcpu *vcpu)
 	u8 order_code;
 	int rc;
 
+	/* sigp in userspace can exit */
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu,
+						   PGM_PRIVILEGED_OPERATION);
+
 	order_code = disp2;
 	if (base2)
 		order_code += vcpu->arch.guest_gprs[base2];
-- 
cgit v1.1

From bd2b3ca7686d9470b1b58df631daa03179486182 Mon Sep 17 00:00:00 2001
From: Avi Kivity
Date: Thu, 20 Nov 2008 11:47:18 +0200
Subject: KVM: VMX: Fix interrupt loss during race with NMI

If an interrupt cannot be injected for some reason (say, a page fault
when fetching the IDT descriptor), the interrupt is marked for
reinjection. However, if an NMI is queued at this time, the NMI will
be injected instead and the interrupt will be lost.

Fix by deferring the NMI injection until the interrupt has been
injected successfully.

Analyzed by Jan Kiszka.

Signed-off-by: Avi Kivity
---
 arch/x86/kvm/vmx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d06b4dc..a4018b0 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3149,7 +3149,9 @@ static void vmx_intr_assist(struct kvm_vcpu *vcpu)
 
 	if (cpu_has_virtual_nmis()) {
 		if (vcpu->arch.nmi_pending && !vcpu->arch.nmi_injected) {
-			if (vmx_nmi_enabled(vcpu)) {
+			if (vcpu->arch.interrupt.pending) {
+				enable_nmi_window(vcpu);
+			} else if (vmx_nmi_enabled(vcpu)) {
 				vcpu->arch.nmi_pending = false;
 				vcpu->arch.nmi_injected = true;
 			} else {
-- 
cgit v1.1
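
Aside: the ordering bug fixed by bd2b3ca7 above is easier to see in
isolation. The standalone C model below is illustrative only -- the three
flags mirror KVM's nmi_pending, nmi_injected and interrupt.pending, but
the skeleton (struct vcpu_model, pick_event) is invented for this sketch
and is not the real vmx.c code. It shows why a queued NMI must wait (via
an NMI-window exit) while an earlier interrupt is still marked for
reinjection.

#include <stdbool.h>
#include <stdio.h>

/* Invented stand-ins for the real vcpu state. */
struct vcpu_model {
	bool nmi_pending;	/* an NMI is queued for the guest */
	bool nmi_injected;	/* an NMI injection is in progress */
	bool intr_reinject;	/* a failed interrupt awaits reinjection */
};

static const char *pick_event(struct vcpu_model *v)
{
	if (v->nmi_pending && !v->nmi_injected) {
		/* The fix: never let the NMI jump past a reinjection. */
		if (v->intr_reinject)
			return "reinject interrupt, request NMI window";
		v->nmi_pending = false;
		v->nmi_injected = true;
		return "inject NMI";
	}
	return "inject pending interrupt, if any";
}

int main(void)
{
	struct vcpu_model v = { .nmi_pending = true, .intr_reinject = true };

	/* The pre-fix behaviour would print "inject NMI" here, silently
	 * dropping the interrupt that was waiting for reinjection. */
	puts(pick_event(&v));
	return 0;
}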
From 547567c67774d872eb344d21e0f2d7a76eb1e9c5 Mon Sep 17 00:00:00 2001
From: Xiantao Zhang
Date: Thu, 20 Nov 2008 10:35:35 +0800
Subject: KVM: ia64: Fix incorrect kbuild CFLAGS override

Use CFLAGS_vcpu.o, not EXTRA_CFLAGS_vcpu.o, to provide the fixed-register
information to the compiler; kbuild only honors the CFLAGS_<file>.o form
for per-file flags.

Signed-off-by: Xiantao Zhang
Signed-off-by: Avi Kivity
---
 arch/ia64/kvm/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/ia64/kvm/Makefile b/arch/ia64/kvm/Makefile
index 3ab4d6d..92cef66 100644
--- a/arch/ia64/kvm/Makefile
+++ b/arch/ia64/kvm/Makefile
@@ -58,7 +58,7 @@ endif
 kvm-objs := $(common-objs) kvm-ia64.o kvm_fw.o
 obj-$(CONFIG_KVM) += kvm.o
 
-EXTRA_CFLAGS_vcpu.o += -mfixed-range=f2-f5,f12-f127
+CFLAGS_vcpu.o += -mfixed-range=f2-f5,f12-f127
 kvm-intel-objs = vmm.o vmm_ivt.o trampoline.o vcpu.o optvfault.o mmio.o \
 	vtlb.o process.o
 #Add link memcpy and memset to avoid possible structure assignment error
-- 
cgit v1.1

From ce50b91d0f7b0b90e3960a6f306b4027378c7c27 Mon Sep 17 00:00:00 2001
From: Xiantao Zhang
Date: Fri, 21 Nov 2008 10:56:08 +0800
Subject: KVM: ia64: Fix: Use correct calling convention for PAL_VPS_RESUME_HANDLER

PAL_VPS_RESUME_HANDLER should use r26 to hold the vac fields, according
to the SDM.

Signed-off-by: Xiantao Zhang
Signed-off-by: Avi Kivity
---
 arch/ia64/kvm/optvfault.S | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/ia64/kvm/optvfault.S b/arch/ia64/kvm/optvfault.S
index 634abad..32254ce 100644
--- a/arch/ia64/kvm/optvfault.S
+++ b/arch/ia64/kvm/optvfault.S
@@ -107,10 +107,10 @@ END(kvm_vps_resume_normal)
 GLOBAL_ENTRY(kvm_vps_resume_handler)
 	movl r30 = PAL_VPS_RESUME_HANDLER
 	;;
-	ld8 r27=[r25]
+	ld8 r26=[r25]
 	shr r17=r17,IA64_ISR_IR_BIT
 	;;
-	dep r27=r17,r27,63,1 // bit 63 of r27 indicate whether enable CFLE
+	dep r26=r17,r26,63,1 // bit 63 of r26 indicate whether enable CFLE
 	mov pr=r23,-2
 	br.sptk.many kvm_vps_entry
 END(kvm_vps_resume_handler)
@@ -894,12 +894,15 @@ ENTRY(kvm_resume_to_guest)
 	;;
 	ld8 r19=[r19]
 	mov b0=r29
-	cmp.ne p6,p7 = r0,r0
+	mov r27=cr.isr
 	;;
-	tbit.z p6,p7 = r19,IA64_PSR_IC_BIT // p1=vpsr.ic
+	tbit.z p6,p7 = r19,IA64_PSR_IC_BIT // p7=vpsr.ic
+	shr r27=r27,IA64_ISR_IR_BIT
 	;;
 (p6) ld8 r26=[r25]
 (p7) mov b0=r28
+	;;
+(p6) dep r26=r27,r26,63,1
 	mov pr=r31,-2
 	br.sptk.many b0 // call pal service
 	;;
-- 
cgit v1.1

From 0c0f40bdbe4ddb48ebecfb5c2b56eeb175a57c45 Mon Sep 17 00:00:00 2001
From: Marcelo Tosatti
Date: Fri, 21 Nov 2008 19:13:58 +0100
Subject: KVM: MMU: fix sync of ptes addressed at owner pagetable

During page sync, if a pagetable contains a self-referencing pte (one
that points to the pagetable itself), the corresponding spte may be
marked as writable even though all mappings are supposed to be write
protected.

Fix by clearing the page's unsync flag before syncing the individual
sptes.

Signed-off-by: Marcelo Tosatti
Signed-off-by: Avi Kivity
---
 arch/x86/kvm/mmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index f1983d9..410ddbc 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1038,13 +1038,13 @@ static int kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
 	}
 
 	rmap_write_protect(vcpu->kvm, sp->gfn);
+	kvm_unlink_unsync_page(vcpu->kvm, sp);
 	if (vcpu->arch.mmu.sync_page(vcpu, sp)) {
 		kvm_mmu_zap_page(vcpu->kvm, sp);
 		return 1;
 	}
 
 	kvm_mmu_flush_tlb(vcpu);
-	kvm_unlink_unsync_page(vcpu->kvm, sp);
 	return 0;
 }
 
-- 
cgit v1.1
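
Aside: why the one-line move in 0c0f40bd matters. In the shadow MMU, a
write-enabled spte pointing at a guest pagetable is only legitimate while
that pagetable is marked unsync; if a pagetable maps itself and is still
flagged unsync while its own sptes are re-derived, the self-map can come
out writable. The standalone C model below illustrates only the ordering;
the types and helpers (struct shadow_page, derive_spte_writable) are
invented for the sketch and simplify the real mmu.c logic considerably.

#include <stdbool.h>
#include <stdio.h>

/* Invented stand-in for the real struct kvm_mmu_page. */
struct shadow_page {
	bool unsync;	/* writes to this page are currently allowed */
};

/* A derived spte may stay writable only if the page it targets is
 * still marked unsync; otherwise it must be write protected. */
static bool derive_spte_writable(const struct shadow_page *target)
{
	return target->unsync;
}

/* Sync a pagetable that contains a pte pointing at *itself*. */
static void sync_self_mapping_page(struct shadow_page *sp, bool fixed)
{
	if (fixed)
		sp->unsync = false;	/* the fix: clear unsync first */

	printf("self-map writable after sync: %s\n",
	       derive_spte_writable(sp) ? "yes (bug)" : "no (correct)");

	if (!fixed)
		sp->unsync = false;	/* old ordering: cleared too late */
}

int main(void)
{
	struct shadow_page before = { .unsync = true };
	struct shadow_page after = { .unsync = true };

	sync_self_mapping_page(&before, false);	/* prints "yes (bug)" */
	sync_self_mapping_page(&after, true);	/* prints "no (correct)" */
	return 0;
}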
From c30f8a6c6d74f67bc2107726cc61a1e7c71e9740 Mon Sep 17 00:00:00 2001
From: Hollis Blanchard
Date: Mon, 24 Nov 2008 11:37:38 -0600
Subject: KVM: ppc: stop leaking host memory on VM exit

When the VM exits, we must call put_page() for every page referenced in
the shadow TLB. Without this patch, we usually leak 30-50 host pages
(120-200 KiB with 4 KiB pages). The maximum number of pages leaked is
the size of our shadow TLB, 64 pages.

Signed-off-by: Hollis Blanchard
Signed-off-by: Avi Kivity
---
 arch/powerpc/include/asm/kvm_ppc.h | 2 ++
 arch/powerpc/kvm/44x_tlb.c         | 8 ++++++++
 arch/powerpc/kvm/powerpc.c         | 1 +
 3 files changed, 11 insertions(+)

diff --git a/arch/powerpc/include/asm/kvm_ppc.h b/arch/powerpc/include/asm/kvm_ppc.h
index 8931ba7..bb62ad8 100644
--- a/arch/powerpc/include/asm/kvm_ppc.h
+++ b/arch/powerpc/include/asm/kvm_ppc.h
@@ -104,4 +104,6 @@ static inline void kvmppc_set_pid(struct kvm_vcpu *vcpu, u32 new_pid)
 	}
 }
 
+extern void kvmppc_core_destroy_mmu(struct kvm_vcpu *vcpu);
+
 #endif /* __POWERPC_KVM_PPC_H__ */

diff --git a/arch/powerpc/kvm/44x_tlb.c b/arch/powerpc/kvm/44x_tlb.c
index 2e227a4..ad72c6f 100644
--- a/arch/powerpc/kvm/44x_tlb.c
+++ b/arch/powerpc/kvm/44x_tlb.c
@@ -124,6 +124,14 @@ static void kvmppc_44x_shadow_release(struct kvm_vcpu *vcpu,
 	}
 }
 
+void kvmppc_core_destroy_mmu(struct kvm_vcpu *vcpu)
+{
+	int i;
+
+	for (i = 0; i <= tlb_44x_hwater; i++)
+		kvmppc_44x_shadow_release(vcpu, i);
+}
+
 void kvmppc_tlbe_set_modified(struct kvm_vcpu *vcpu, unsigned int i)
 {
 	vcpu->arch.shadow_tlb_mod[i] = 1;

diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index 90a6fc4..fda9baa 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -238,6 +238,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
 
 void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
 {
+	kvmppc_core_destroy_mmu(vcpu);
 }
 
 /* Note: clearing MSR[DE] just means that the debug interrupt will not be
-- 
cgit v1.1

From 6c475352e87224a8f0b8cc6f6cc96b30563dc5b4 Mon Sep 17 00:00:00 2001
From: Marcelo Tosatti
Date: Tue, 25 Nov 2008 15:33:10 +0100
Subject: KVM: MMU: avoid creation of unreachable pages in the shadow

It is possible for a shadow page to have a parent link pointing to a
freed page. When zapping a high level table, kvm_mmu_page_unlink_children
fails to remove the parent_pte link. For that to happen, the child must
be unreachable via the shadow tree, which can happen in shadow_walk_entry
if the guest pte was modified in between walk() and fetch(). Remove the
parent pte reference in that case.

Possible cause for the oops in bug #2217430.

Signed-off-by: Marcelo Tosatti
Signed-off-by: Avi Kivity
---
 arch/x86/kvm/paging_tmpl.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 613ec9a..84eee43 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -331,6 +331,7 @@ static int FNAME(shadow_walk_entry)(struct kvm_shadow_walk *_sw,
 		r = kvm_read_guest_atomic(vcpu->kvm, gw->pte_gpa[level - 2],
 					  &curr_pte, sizeof(curr_pte));
 		if (r || curr_pte != gw->ptes[level - 2]) {
+			kvm_mmu_put_page(shadow_page, sptep);
 			kvm_release_pfn_clean(sw->pfn);
 			sw->sptep = NULL;
 			return 1;
-- 
cgit v1.1
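
Aside: the failure mode fixed by 6c475352 is a check-then-use race:
fetch() links a shadow child based on a guest pte read earlier in walk(),
so it must re-read that pte and undo the link if the guest changed it in
the meantime. The standalone C model below illustrates the re-check and
unlink pattern; all names are invented for the sketch and stand in only
loosely for the real helpers (the re-read corresponds to
kvm_read_guest_atomic(), the unlink to the added kvm_mmu_put_page()).

#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pte_t;

static pte_t guest_pt[1];	/* one-slot stand-in for a guest pagetable */

struct shadow_child {
	int parent_links;	/* references from parent shadow tables */
};

/* Link a child, then verify the guest pte that justified the link is
 * still current; otherwise undo the link and ask the caller to retry. */
static bool fetch_one(struct shadow_child *child, pte_t walked_pte)
{
	child->parent_links++;			/* optimistically link */

	if (guest_pt[0] != walked_pte) {	/* re-read the guest pte */
		child->parent_links--;		/* the fix: drop stale link */
		return false;			/* caller restarts the walk */
	}
	return true;
}

int main(void)
{
	struct shadow_child child = { 0 };

	guest_pt[0] = 0x1000;
	pte_t walked = guest_pt[0];	/* what walk() saw */
	guest_pt[0] = 0x2000;		/* guest rewrites the pte: the race */

	bool kept = fetch_one(&child, walked);
	printf("link kept: %d, parent_links: %d\n", kept, child.parent_links);
	/* Without the unlink, parent_links would stay at 1 and the child
	 * would remain referenced yet unreachable via the shadow tree. */
	return 0;
}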