[patch 00/12] User controlled virtual machines

[patch 00/12] User controlled virtual machines

[Carsten Otte]

Hi Avi, Hi Marcelo,

this patch series introduces an interface to allow a privileged userspace
program to control a KVM virtual machine. The interface is intended for
use by a machine simulator called CECSIM that can simulate an entire
mainframe machine with nested virtualization and I/O for the purpose
of testing and debugging its firmware prior to availability of silicon.
This patchset allows for concurrent use of the KVM device driver to drive
both regular and user controlled virtual machines at the same time.
I would kindly like to ask for review and inclusion of these patches.

with kind regards,
Carsten

[patch 01/12] [PATCH] kvm-s390: ioctl to switch to user controlled virtual machines

[Carsten Otte]

[-- Attachment #1: enable-ucontrol.patch --]
[-- Type: text/plain, Size: 3103 bytes --]

This patch introduces a new config option for user controlled kernel
virtual machines. It introduces a new ioctl named
KVM_S390_ENABLE_UCONTROL on the kvm file descriptor which allows for
a one way transition from a regular kernel virtual machine to a
user controlled virtual machine. The virtual machine must not have
any memory slots installed, and no virtual cpus defined.
Note that the user controlled virtual machines require CAP_SYS_ADMIN
privileges.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/Kconfig    |    9 +++++++++
 arch/s390/kvm/kvm-s390.c |   30 ++++++++++++++++++++++++++++++
 arch/s390/kvm/kvm-s390.h |   10 ++++++++++
 include/linux/kvm.h      |    3 +++
 4 files changed, 52 insertions(+)

--- a/arch/s390/kvm/Kconfig
+++ b/arch/s390/kvm/Kconfig
@@ -34,6 +34,15 @@ config KVM
 
 	  If unsure, say N.
 
+config KVM_UCONTROL
+	bool "Userspace controlled virtual machines"
+	depends on KVM
+	---help---
+	  Allow CAP_SYS_ADMIN users to create KVM virtual machines that are
+	  controlled by userspace.
+
+	  If unsure, say N.
+
 # OK, it's a little counter-intuitive to do this, but it puts it neatly under
 # the virtualization menu.
 source drivers/vhost/Kconfig
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -147,6 +147,32 @@ int kvm_vm_ioctl_get_dirty_log(struct kv
 	return 0;
 }
 
+int kvm_s390_enable_ucontrol(struct kvm *kvm)
+{
+#ifdef CONFIG_KVM_UCONTROL
+	int i;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
+	for (i = 0; i < KVM_MAX_VCPUS; i++)
+		if (kvm->vcpus[i])
+			return -EINVAL;
+
+	if (kvm->memslots->nmemslots)
+		return -EPERM;
+
+	if (kvm->arch.gmap)
+		gmap_free(kvm->arch.gmap);
+
+	kvm->arch.gmap = NULL;
+
+	return 0;
+#else
+	return -ENOTTY;
+#endif
+}
+
 long kvm_arch_vm_ioctl(struct file *filp,
 		       unsigned int ioctl, unsigned long arg)
 {
@@ -164,6 +190,10 @@ long kvm_arch_vm_ioctl(struct file *filp
 		r = kvm_s390_inject_vm(kvm, &s390int);
 		break;
 	}
+	case KVM_S390_ENABLE_UCONTROL: {
+		r = kvm_s390_enable_ucontrol(kvm);
+		break;
+	}
 	default:
 		r = -ENOTTY;
 	}
--- a/arch/s390/kvm/kvm-s390.h
+++ b/arch/s390/kvm/kvm-s390.h
@@ -47,6 +47,16 @@ static inline int __cpu_is_stopped(struc
 	return atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_STOP_INT;
 }
 
+static inline int kvm_is_ucontrol(struct kvm *kvm)
+{
+#ifdef CONFIG_KVM_UCONTROL
+	if (kvm->arch.gmap)
+		return 0;
+	return 1;
+#else
+	return 0;
+#endif
+}
 int kvm_s390_handle_wait(struct kvm_vcpu *vcpu);
 enum hrtimer_restart kvm_s390_idle_wakeup(struct hrtimer *timer);
 void kvm_s390_tasklet(unsigned long parm);
--- a/include/linux/kvm.h
+++ b/include/linux/kvm.h
@@ -654,6 +654,9 @@ struct kvm_clock_data {
 					struct kvm_userspace_memory_region)
 #define KVM_SET_TSS_ADDR          _IO(KVMIO,   0x47)
 #define KVM_SET_IDENTITY_MAP_ADDR _IOW(KVMIO,  0x48, __u64)
+/* enable ucontrol for s390 */
+#define KVM_S390_ENABLE_UCONTROL  _IO(KVMIO,  0x49)
+
 /* Device model IOC */
 #define KVM_CREATE_IRQCHIP        _IO(KVMIO,   0x60)
 #define KVM_IRQ_LINE              _IOW(KVMIO,  0x61, struct kvm_irq_level)

[patch 02/12] [PATCH] kvm-s390-ucontrol: per vcpu address spaces

[Carsten Otte]

[-- Attachment #1: address-spaces.patch --]
[-- Type: text/plain, Size: 3321 bytes --]

This patch introduces two ioctls for virtual cpus, that are only
valid for kernel virtual machines that are controlled by userspace.
Each virtual cpu has its individual address space in this mode of
operation, and each address space is backed by the gmap
implementation just like the address space for regular KVM guests.
KVM_S390_UCAS_MAP allows to map a part of the user's virtual address
space to the vcpu. Starting offset and length in both the user and
the vcpu address space need to be aligned to 1M.
KVM_S390_UCAS_UNMAP can be used to unmap a range of memory from a
virtual cpu in a similar way.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++-
 include/linux/kvm.h      |    7 ++++++
 2 files changed, 56 insertions(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -249,6 +249,10 @@ void kvm_arch_vcpu_destroy(struct kvm_vc
 		(__u64) vcpu->arch.sie_block)
 		vcpu->kvm->arch.sca->cpu[vcpu->vcpu_id].sda = 0;
 	smp_mb();
+
+	if (kvm_is_ucontrol(vcpu->kvm))
+		gmap_free(vcpu->arch.gmap);
+
 	free_page((unsigned long)(vcpu->arch.sie_block));
 	kvm_vcpu_uninit(vcpu);
 	kfree(vcpu);
@@ -279,12 +283,20 @@ void kvm_arch_destroy_vm(struct kvm *kvm
 	kvm_free_vcpus(kvm);
 	free_page((unsigned long)(kvm->arch.sca));
 	debug_unregister(kvm->arch.dbf);
-	gmap_free(kvm->arch.gmap);
+	if (!kvm_is_ucontrol(kvm))
+		gmap_free(kvm->arch.gmap);
 }
 
 /* Section: vcpu related */
 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
 {
+	if (kvm_is_ucontrol(vcpu->kvm)) {
+		vcpu->arch.gmap = gmap_alloc(current->mm);
+		if (!vcpu->arch.gmap)
+			return -ENOMEM;
+		return 0;
+	}
+
 	vcpu->arch.gmap = vcpu->kvm->arch.gmap;
 	return 0;
 }
@@ -703,6 +715,42 @@ long kvm_arch_vcpu_ioctl(struct file *fi
 	case KVM_S390_INITIAL_RESET:
 		r = kvm_arch_vcpu_ioctl_initial_reset(vcpu);
 		break;
+#ifdef CONFIG_KVM_UCONTROL
+	case KVM_S390_UCAS_MAP: {
+		struct kvm_s390_ucas_mapping ucasmap;
+
+		if (copy_from_user(&ucasmap, argp, sizeof(ucasmap))) {
+			r = -EFAULT;
+			break;
+		}
+
+		if (!kvm_is_ucontrol(vcpu->kvm)) {
+			r = -EINVAL;
+			break;
+		}
+
+		r = gmap_map_segment(vcpu->arch.gmap, ucasmap.user_addr,
+				     ucasmap.vcpu_addr, ucasmap.length);
+		break;
+	}
+	case KVM_S390_UCAS_UNMAP: {
+		struct kvm_s390_ucas_mapping ucasmap;
+
+		if (copy_from_user(&ucasmap, argp, sizeof(ucasmap))) {
+			r = -EFAULT;
+			break;
+		}
+
+		if (!kvm_is_ucontrol(vcpu->kvm)) {
+			r = -EINVAL;
+			break;
+		}
+
+		r = gmap_unmap_segment(vcpu->arch.gmap, ucasmap.vcpu_addr,
+			ucasmap.length);
+		break;
+	}
+#endif
 	default:
 		r = -EINVAL;
 	}
--- a/include/linux/kvm.h
+++ b/include/linux/kvm.h
@@ -655,7 +655,14 @@ struct kvm_clock_data {
 #define KVM_SET_TSS_ADDR          _IO(KVMIO,   0x47)
 #define KVM_SET_IDENTITY_MAP_ADDR _IOW(KVMIO,  0x48, __u64)
 /* enable ucontrol for s390 */
+struct kvm_s390_ucas_mapping {
+	unsigned long user_addr;
+	unsigned long vcpu_addr;
+	unsigned long length;
+};
 #define KVM_S390_ENABLE_UCONTROL  _IO(KVMIO,  0x49)
+#define KVM_S390_UCAS_MAP        _IOW(KVMIO, 0x50, struct kvm_s390_ucas_mapping)
+#define KVM_S390_UCAS_UNMAP      _IOW(KVMIO, 0x51, struct kvm_s390_ucas_mapping)
 
 /* Device model IOC */
 #define KVM_CREATE_IRQCHIP        _IO(KVMIO,   0x60)

[patch 03/12] [PATCH] kvm-s390-ucontrol: export page faults to user

[Carsten Otte]

[-- Attachment #1: page-fault-exit.patch --]
[-- Type: text/plain, Size: 4037 bytes --]

This patch introduces a new exit reason in the kvm_run structure
named KVM_EXIT_UCONTROL. This exit indicates, that a virtual cpu
has regognized a fault on the host page table. The idea is that
userspace can handle this fault by mapping memory at the fault
location into the cpu's address space and then continue to run the
virtual cpu.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -509,8 +509,10 @@ int kvm_arch_vcpu_ioctl_set_mpstate(stru
 	return -EINVAL; /* not implemented yet */
 }
 
-static void __vcpu_run(struct kvm_vcpu *vcpu)
+static int __vcpu_run(struct kvm_vcpu *vcpu)
 {
+	int rc;
+
 	memcpy(&vcpu->arch.sie_block->gg14, &vcpu->arch.guest_gprs[14], 16);
 
 	if (need_resched())
@@ -527,9 +529,15 @@ static void __vcpu_run(struct kvm_vcpu *
 	local_irq_enable();
 	VCPU_EVENT(vcpu, 6, "entering sie flags %x",
 		   atomic_read(&vcpu->arch.sie_block->cpuflags));
-	if (sie64a(vcpu->arch.sie_block, vcpu->arch.guest_gprs)) {
-		VCPU_EVENT(vcpu, 3, "%s", "fault in sie instruction");
-		kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING);
+	rc = sie64a(vcpu->arch.sie_block, vcpu->arch.guest_gprs);
+	if (rc) {
+		if (kvm_is_ucontrol(vcpu->kvm)) {
+			rc = SIE_INTERCEPT_UCONTROL;
+		} else {
+			VCPU_EVENT(vcpu, 3, "%s", "fault in sie instruction");
+			kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING);
+			rc = 0;
+		}
 	}
 	VCPU_EVENT(vcpu, 6, "exit sie icptcode %d",
 		   vcpu->arch.sie_block->icptcode);
@@ -538,6 +546,7 @@ static void __vcpu_run(struct kvm_vcpu *
 	local_irq_enable();
 
 	memcpy(&vcpu->arch.guest_gprs[14], &vcpu->arch.sie_block->gg14, 16);
+	return rc;
 }
 
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
@@ -558,6 +567,7 @@ rerun_vcpu:
 	case KVM_EXIT_UNKNOWN:
 	case KVM_EXIT_INTR:
 	case KVM_EXIT_S390_RESET:
+	case KVM_EXIT_UCONTROL:
 		break;
 	default:
 		BUG();
@@ -569,7 +579,9 @@ rerun_vcpu:
 	might_fault();
 
 	do {
-		__vcpu_run(vcpu);
+		rc = __vcpu_run(vcpu);
+		if (rc)
+			break;
 		rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
@@ -581,6 +593,16 @@ rerun_vcpu:
 		rc = -EINTR;
 	}
 
+#ifdef CONFIG_KVM_UCONTROL
+	if (rc == SIE_INTERCEPT_UCONTROL) {
+		kvm_run->exit_reason = KVM_EXIT_UCONTROL;
+		kvm_run->s390_ucontrol.trans_exc_code =
+			current->thread.gmap_addr;
+		kvm_run->s390_ucontrol.pgm_code = 0x10;
+		rc = 0;
+	}
+#endif
+
 	if (rc == -EOPNOTSUPP) {
 		/* intercept cannot be handled in-kernel, prepare kvm-run */
 		kvm_run->exit_reason         = KVM_EXIT_S390_SIEIC;
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.h
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.h
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.h
@@ -26,6 +26,7 @@ typedef int (*intercept_handler_t)(struc
 
 /* negativ values are error codes, positive values for internal conditions */
 #define SIE_INTERCEPT_RERUNVCPU		(1<<0)
+#define SIE_INTERCEPT_UCONTROL		(1<<1)
 int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu);
 
 #define VM_EVENT(d_kvm, d_loglevel, d_string, d_args...)\
Index: linux-2.5-cecsim/include/linux/kvm.h
===================================================================
--- linux-2.5-cecsim.orig/include/linux/kvm.h
+++ linux-2.5-cecsim/include/linux/kvm.h
@@ -162,6 +162,7 @@ struct kvm_pit_config {
 #define KVM_EXIT_INTERNAL_ERROR   17
 #define KVM_EXIT_OSI              18
 #define KVM_EXIT_PAPR_HCALL	  19
+#define KVM_EXIT_UCONTROL	  20
 
 /* For KVM_EXIT_INTERNAL_ERROR */
 #define KVM_INTERNAL_ERROR_EMULATION 1
@@ -249,6 +250,11 @@ struct kvm_run {
 #define KVM_S390_RESET_CPU_INIT  8
 #define KVM_S390_RESET_IPL       16
 		__u64 s390_reset_flags;
+		/* KVM_EXIT_UCONTROL */
+		struct {
+			__u64 trans_exc_code;
+			__u32 pgm_code;
+		} s390_ucontrol;
 		/* KVM_EXIT_DCR */
 		struct {
 			__u32 dcrn;

[patch 04/12] [PATCH] kvm-s390-ucontrol: export SIE control block to user

[Carsten Otte]

[-- Attachment #1: sie-control-block-to-user.patch --]
[-- Type: text/plain, Size: 1046 bytes --]

This patch exports the SIE hardware control block to userspace
via the mapping of the vcpu file descriptor.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/include/asm/kvm_host.h |    2 ++
 virt/kvm/kvm_main.c              |    5 +++++
 2 files changed, 7 insertions(+)

--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -24,6 +24,8 @@
 /* memory slots that does not exposed to userspace */
 #define KVM_PRIVATE_MEM_SLOTS 4
 
+#define KVM_SIE_PAGE_OFFSET 1
+
 struct sca_entry {
 	atomic_t scn;
 	__u32	reserved;
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1656,6 +1656,11 @@ static int kvm_vcpu_fault(struct vm_area
 	else if (vmf->pgoff == KVM_COALESCED_MMIO_PAGE_OFFSET)
 		page = virt_to_page(vcpu->kvm->coalesced_mmio_ring);
 #endif
+#if defined(CONFIG_S390) && defined(CONFIG_KVM_UCONTROL)
+	else if ((vmf->pgoff == KVM_SIE_PAGE_OFFSET)
+		 && (!(vcpu->kvm->arch.gmap)))
+		page = virt_to_page(vcpu->arch.sie_block);
+#endif
 	else
 		return VM_FAULT_SIGBUS;
 	get_page(page);

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 823 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -582,7 +582,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)

[patch 06/12] [PATCH] kvm-s390-ucontrol: disable in-kernel irq stack

[Carsten Otte]

[-- Attachment #1: kvm-disable-irq-stack.patch --]
[-- Type: text/plain, Size: 750 bytes --]

This patch disables the in-kernel interrupt stack for KVM virtual
machines that are controlled by user. Userspace has to take care
of handling interrupts on its own.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -521,7 +521,8 @@ static int __vcpu_run(struct kvm_vcpu *v
 	if (test_thread_flag(TIF_MCCK_PENDING))
 		s390_handle_mcck();
 
-	kvm_s390_deliver_pending_interrupts(vcpu);
+	if (!kvm_is_ucontrol(vcpu->kvm))
+		kvm_s390_deliver_pending_interrupts(vcpu);
 
 	vcpu->arch.sie_block->icptcode = 0;
 	local_irq_disable();

[patch 07/12] [PATCH] kvm-s390-ucontrol: interface to inject faults on a vcpu page table

[Carsten Otte]

[-- Attachment #1: guest-fault-interface.patch --]
[-- Type: text/plain, Size: 1469 bytes --]

This patch allows the user to fault in pages on a virtual cpus
address space for user controlled virtual machines. Typically this
is superfluous because userspace can just create a mapping and
let the kernel's page fault logic take are of it. There is one
exception: SIE won't start if the lowcore is not present. Normally
the kernel takes care of this [handle_validity() in
arch/s390/kvm/intercept.c] but since the kernel does not handle
intercepts for user controlled virtual machines, userspace needs to
be able to handle this condition.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |    6 ++++++
 include/linux/kvm.h      |    1 +
 2 files changed, 7 insertions(+)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -777,6 +777,12 @@ long kvm_arch_vcpu_ioctl(struct file *fi
 		break;
 	}
 #endif
+	case KVM_S390_VCPU_FAULT: {
+		r = gmap_fault(arg, vcpu->arch.gmap);
+		if (!IS_ERR_VALUE(r))
+			r = 0;
+		break;
+	}
 	default:
 		r = -EINVAL;
 	}
--- a/include/linux/kvm.h
+++ b/include/linux/kvm.h
@@ -669,6 +669,7 @@ struct kvm_s390_ucas_mapping {
 #define KVM_S390_ENABLE_UCONTROL  _IO(KVMIO,  0x49)
 #define KVM_S390_UCAS_MAP        _IOW(KVMIO, 0x50, struct kvm_s390_ucas_mapping)
 #define KVM_S390_UCAS_UNMAP      _IOW(KVMIO, 0x51, struct kvm_s390_ucas_mapping)
+#define KVM_S390_VCPU_FAULT	 _IOW(KVMIO, 0x52, unsigned long)
 
 /* Device model IOC */
 #define KVM_CREATE_IRQCHIP        _IO(KVMIO,   0x60)

[patch 08/12] [PATCH] kvm-s390-ucontrol: disable sca

[Carsten Otte]

[-- Attachment #1: do-not-add-ucontrol-cpus-to-sca.patch --]
[-- Type: text/plain, Size: 2061 bytes --]

This patch makes sure user controlled virtual machines do not use a
system control area (sca). This is needed in order to create
virtual machines with more cpus than the size of the sca [64].

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -244,10 +244,13 @@ out_err:
 void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
 {
 	VCPU_EVENT(vcpu, 3, "%s", "free cpu");
-	clear_bit(63 - vcpu->vcpu_id, (unsigned long *) &vcpu->kvm->arch.sca->mcn);
-	if (vcpu->kvm->arch.sca->cpu[vcpu->vcpu_id].sda ==
-		(__u64) vcpu->arch.sie_block)
-		vcpu->kvm->arch.sca->cpu[vcpu->vcpu_id].sda = 0;
+	if (!kvm_is_ucontrol(vcpu->kvm)) {
+		clear_bit(63 - vcpu->vcpu_id,
+			  (unsigned long *) &vcpu->kvm->arch.sca->mcn);
+		if (vcpu->kvm->arch.sca->cpu[vcpu->vcpu_id].sda ==
+		    (__u64) vcpu->arch.sie_block)
+			vcpu->kvm->arch.sca->cpu[vcpu->vcpu_id].sda = 0;
+	}
 	smp_mb();
 
 	if (kvm_is_ucontrol(vcpu->kvm))
@@ -384,12 +387,19 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
 		goto out_free_cpu;
 
 	vcpu->arch.sie_block->icpua = id;
-	BUG_ON(!kvm->arch.sca);
-	if (!kvm->arch.sca->cpu[id].sda)
-		kvm->arch.sca->cpu[id].sda = (__u64) vcpu->arch.sie_block;
-	vcpu->arch.sie_block->scaoh = (__u32)(((__u64)kvm->arch.sca) >> 32);
-	vcpu->arch.sie_block->scaol = (__u32)(__u64)kvm->arch.sca;
-	set_bit(63 - id, (unsigned long *) &kvm->arch.sca->mcn);
+	if (!kvm_is_ucontrol(kvm)) {
+		if (!kvm->arch.sca) {
+			WARN_ON_ONCE(1);
+			goto out_free_cpu;
+		}
+		if (!kvm->arch.sca->cpu[id].sda)
+			kvm->arch.sca->cpu[id].sda =
+				(__u64) vcpu->arch.sie_block;
+		vcpu->arch.sie_block->scaoh =
+			(__u32)(((__u64)kvm->arch.sca) >> 32);
+		vcpu->arch.sie_block->scaol = (__u32)(__u64)kvm->arch.sca;
+		set_bit(63 - id, (unsigned long *) &kvm->arch.sca->mcn);
+	}
 
 	spin_lock_init(&vcpu->arch.local_int.lock);
 	INIT_LIST_HEAD(&vcpu->arch.local_int.list);

[patch 09/12] [PATCH] kvm-s390: fix assumption for KVM_MAX_VCPUS

[Carsten Otte]

[-- Attachment #1: allow-more-than-64-vcpus.patch --]
[-- Type: text/plain, Size: 854 bytes --]

This patch fixes definition of the idle_mask and the local_int array
in kvm_s390_float_interrupt. Previous definition had 64 cpus max
hardcoded instead of using KVM_MAX_VCPUS.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/include/asm/kvm_host.h
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/include/asm/kvm_host.h
+++ linux-2.5-cecsim/arch/s390/include/asm/kvm_host.h
@@ -222,8 +222,9 @@ struct kvm_s390_float_interrupt {
 	struct list_head list;
 	atomic_t active;
 	int next_rr_cpu;
-	unsigned long idle_mask [(64 + sizeof(long) - 1) / sizeof(long)];
-	struct kvm_s390_local_interrupt *local_int[64];
+	unsigned long idle_mask[(KVM_MAX_VCPUS + sizeof(long) - 1)
+				/ sizeof(long)];
+	struct kvm_s390_local_interrupt *local_int[KVM_MAX_VCPUS];
 };
 
 

[patch 10/12] [PATCH] kvm-s390: storage key interface

[Carsten Otte]

[-- Attachment #1: skey.patch --]
[-- Type: text/plain, Size: 5037 bytes --]

This patch introduces an interface to access the guest visible
storage keys. It supports three operations that model the behavior
that SSKE/ISKE/RRBE instructions would have if they were issued by
the guest. These instructions are all documented in the z architecture
principles of operation book.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/include/asm/kvm_host.h
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/include/asm/kvm_host.h
+++ linux-2.5-cecsim/arch/s390/include/asm/kvm_host.h
@@ -25,6 +25,9 @@
 #define KVM_PRIVATE_MEM_SLOTS 4
 
 #define KVM_SIE_PAGE_OFFSET 1
+#define KVM_S390_KEYOP_SSKE 0x01
+#define KVM_S390_KEYOP_ISKE 0x02
+#define KVM_S390_KEYOP_RRBE 0x03
 
 struct sca_entry {
 	atomic_t scn;
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -112,13 +112,144 @@ void kvm_arch_exit(void)
 {
 }
 
+pte_t *ptep_for_addr(unsigned long addr)
+{
+	struct vm_area_struct *vma;
+	pgd_t *pgd;
+	pud_t *pud;
+	pmd_t *pmd;
+	pte_t *rc;
+
+	down_read(&current->mm->mmap_sem);
+
+	rc = NULL;
+	vma = find_vma(current->mm, addr);
+	if (!vma)
+		goto up_out;
+
+	pgd = pgd_offset(current->mm, addr);
+	pud = pud_alloc(current->mm, pgd, addr);
+	if (!pud)
+		goto up_out;
+
+	pmd = pmd_alloc(current->mm, pud, addr);
+	if (!pmd)
+		goto up_out;
+
+	if (!pmd_present(*pmd) &&
+	    __pte_alloc(current->mm, vma, pmd, addr))
+		goto up_out;
+
+	rc = pte_offset(pmd, addr);
+up_out:
+	up_read(&current->mm->mmap_sem);
+	return rc;
+}
+
+static long kvm_s390_keyop(struct kvm_s390_keyop *kop)
+{
+	unsigned long addr = kop->user_addr;
+	pte_t *ptep;
+	pgste_t pgste;
+	int r;
+	unsigned long skey;
+	unsigned long bits;
+
+	/* make sure this process is a hypervisor */
+	r = -EINVAL;
+	if (!mm_has_pgste(current->mm))
+		goto out;
+
+	r = -ENXIO;
+	if (addr >= PGDIR_SIZE)
+		goto out;
+
+	spin_lock(&current->mm->page_table_lock);
+	ptep = ptep_for_addr(addr);
+	if (!ptep)
+		goto out_unlock;
+
+	pgste = pgste_get_lock(ptep);
+
+	switch (kop->operation) {
+	case KVM_S390_KEYOP_SSKE:
+		pgste = pgste_update_all(ptep, pgste);
+		/* set the real key back w/o rc bits */
+		skey = kop->key & (_PAGE_ACC_BITS | _PAGE_FP_BIT);
+		if (pte_present(*ptep))
+			page_set_storage_key(pte_val(*ptep), skey, 1);
+		/* put acc+f plus guest refereced and changed into the pgste */
+		pgste_val(pgste) &= ~(RCP_ACC_BITS | RCP_FP_BIT | RCP_GR_BIT
+				     | RCP_GC_BIT);
+		bits = (kop->key & (_PAGE_ACC_BITS | _PAGE_FP_BIT));
+		pgste_val(pgste) |= bits << 56;
+		bits = (kop->key & (_PAGE_CHANGED | _PAGE_REFERENCED));
+		pgste_val(pgste) |= bits << 48;
+		r = 0;
+		break;
+	case KVM_S390_KEYOP_ISKE:
+		if (pte_present(*ptep)) {
+			skey = page_get_storage_key(pte_val(*ptep));
+			kop->key = skey & (_PAGE_ACC_BITS | _PAGE_FP_BIT);
+		} else {
+			skey = 0;
+			kop->key = (pgste_val(pgste) >> 56) &
+				   (_PAGE_ACC_BITS | _PAGE_FP_BIT);
+		}
+		kop->key |= skey & (_PAGE_CHANGED | _PAGE_REFERENCED);
+		kop->key |= (pgste_val(pgste) >> 48) &
+			    (_PAGE_CHANGED | _PAGE_REFERENCED);
+		r = 0;
+		break;
+	case KVM_S390_KEYOP_RRBE:
+		pgste = pgste_update_all(ptep, pgste);
+		kop->key = 0;
+		if (pgste_val(pgste) & RCP_GR_BIT)
+			kop->key |= _PAGE_REFERENCED;
+		pgste_val(pgste) &= ~RCP_GR_BIT;
+		r = 0;
+		break;
+	default:
+		r = -EINVAL;
+	}
+	pgste_set_unlock(ptep, pgste);
+
+out_unlock:
+	spin_unlock(&current->mm->page_table_lock);
+out:
+	return r;
+}
+
 /* Section: device related */
 long kvm_arch_dev_ioctl(struct file *filp,
 			unsigned int ioctl, unsigned long arg)
 {
-	if (ioctl == KVM_S390_ENABLE_SIE)
-		return s390_enable_sie();
-	return -EINVAL;
+	void __user *argp = (void __user *)arg;
+	int r;
+
+	switch (ioctl) {
+	case KVM_S390_ENABLE_SIE:
+		r = s390_enable_sie();
+		break;
+	case KVM_S390_KEYOP: {
+		struct kvm_s390_keyop kop;
+		r = -EFAULT;
+		if (copy_from_user(&kop, argp, sizeof(struct kvm_s390_keyop)))
+			break;
+		r = kvm_s390_keyop(&kop);
+		if (r)
+			break;
+		r = -EFAULT;
+		if (copy_to_user(argp, &kop, sizeof(struct kvm_s390_keyop)))
+			break;
+		r = 0;
+		break;
+	}
+	default:
+		r = -ENOTTY;
+	}
+
+	return r;
 }
 
 int kvm_dev_ioctl_check_extension(long ext)
Index: linux-2.5-cecsim/include/linux/kvm.h
===================================================================
--- linux-2.5-cecsim.orig/include/linux/kvm.h
+++ linux-2.5-cecsim/include/linux/kvm.h
@@ -445,6 +445,13 @@ struct kvm_ppc_pvinfo {
 #define KVM_GET_MSR_INDEX_LIST    _IOWR(KVMIO, 0x02, struct kvm_msr_list)
 
 #define KVM_S390_ENABLE_SIE       _IO(KVMIO,   0x06)
+
+struct kvm_s390_keyop {
+	__u64 user_addr;
+	__u8  key;
+	__u8  operation;
+};
+#define KVM_S390_KEYOP            _IOWR(KVMIO,   0x09, struct kvm_s390_keyop)
 /*
  * Check if a kvm extension is available.  Argument is extension number,
  * return is 1 (yes) or 0 (no, sorry).

[patch 11/12] [PATCH] kvm-s390-ucontrol: announce capability for user controlled vms

[Carsten Otte]

[-- Attachment #1: announce-ucas.patch --]
[-- Type: text/plain, Size: 899 bytes --]

This patch announces a new capability KVM_CAP_S390_UCONTROL that
indicates that kvm can now support virtual machines that are
controlled by userspace.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |    3 +++
 include/linux/kvm.h      |    1 +
 2 files changed, 4 insertions(+)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -260,6 +260,9 @@ int kvm_dev_ioctl_check_extension(long e
 	case KVM_CAP_S390_PSW:
 	case KVM_CAP_S390_GMAP:
 	case KVM_CAP_SYNC_MMU:
+#ifdef CONFIG_KVM_UCONTROL
+	case KVM_CAP_S390_UCONTROL:
+#endif
 		r = 1;
 		break;
 	default:
--- a/include/linux/kvm.h
+++ b/include/linux/kvm.h
@@ -570,6 +570,7 @@ struct kvm_s390_keyop {
 #define KVM_CAP_MAX_VCPUS 66       /* returns max vcpus per vm */
 #define KVM_CAP_PPC_PAPR 68
 #define KVM_CAP_S390_GMAP 71
+#define KVM_CAP_S390_UCONTROL 72
 
 #ifdef KVM_CAP_IRQ_ROUTING
 

[patch 12/12] From: Carsten Otte <cotte@de.ibm.com>

[Carsten Otte]

[-- Attachment #1: fix-ioctl-return-values.patch --]
[-- Type: text/plain, Size: 495 bytes --]

This patch fixes the return code of kvm_arch_vcpu_ioctl in case
of an unkown ioctl number.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -928,7 +928,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi
 		break;
 	}
 	default:
-		r = -EINVAL;
+		r = -ENOTTY;
 	}
 	return r;
 }

Re: [patch 00/12] User controlled virtual machines

[Avi Kivity]

On 12/01/2011 02:57 PM, Carsten Otte wrote:
> Hi Avi, Hi Marcelo,
>
> this patch series introduces an interface to allow a privileged userspace
> program to control a KVM virtual machine. The interface is intended for
> use by a machine simulator called CECSIM that can simulate an entire
> mainframe machine with nested virtualization and I/O for the purpose
> of testing and debugging its firmware prior to availability of silicon.
> This patchset allows for concurrent use of the KVM device driver to drive
> both regular and user controlled virtual machines at the same time.
> I would kindly like to ask for review and inclusion of these patches.

So, this moves the responsibility of handling intercepts from the kernel
to userspace, yes?

How much of the kvm code continues to be active after this?  Perhaps it
makes sense to have a separate interface for this.

-- 
error compiling committee.c: too many arguments to function

Re: [patch 01/12] [PATCH] kvm-s390: ioctl to switch to user controlled virtual machines

[Avi Kivity]

On 12/01/2011 02:57 PM, Carsten Otte wrote:
> This patch introduces a new config option for user controlled kernel
> virtual machines. It introduces a new ioctl named
> KVM_S390_ENABLE_UCONTROL on the kvm file descriptor which allows for
> a one way transition from a regular kernel virtual machine to a
> user controlled virtual machine. The virtual machine must not have
> any memory slots installed, and no virtual cpus defined.
> Note that the user controlled virtual machines require CAP_SYS_ADMIN
> privileges.
>
> Signed-off-by: Carsten Otte <cotte@de.ibm.com>
> ---
> ---
>  arch/s390/kvm/Kconfig    |    9 +++++++++
>  arch/s390/kvm/kvm-s390.c |   30 ++++++++++++++++++++++++++++++
>  arch/s390/kvm/kvm-s390.h |   10 ++++++++++
>  include/linux/kvm.h      |    3 +++
>  4 files changed, 52 insertions(+)

Documentation/virtual/kvm/api.txt +++++++++++++++++++

>  
> +int kvm_s390_enable_ucontrol(struct kvm *kvm)
> +{
> +#ifdef CONFIG_KVM_UCONTROL
> +	int i;
> +
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	for (i = 0; i < KVM_MAX_VCPUS; i++)
> +		if (kvm->vcpus[i])
> +			return -EINVAL;
> +
> +	if (kvm->memslots->nmemslots)
> +		return -EPERM;

Why different errors?


> +
> +	if (kvm->arch.gmap)
> +		gmap_free(kvm->arch.gmap);
> +
> +	kvm->arch.gmap = NULL;

Locking?

What happens if a vcpu is created afterwards?

I guess you don't mind too much since this is a privileged interface for
a single purpose.

> --- a/include/linux/kvm.h
> +++ b/include/linux/kvm.h
> @@ -654,6 +654,9 @@ struct kvm_clock_data {
>  					struct kvm_userspace_memory_region)
>  #define KVM_SET_TSS_ADDR          _IO(KVMIO,   0x47)
>  #define KVM_SET_IDENTITY_MAP_ADDR _IOW(KVMIO,  0x48, __u64)
> +/* enable ucontrol for s390 */
> +#define KVM_S390_ENABLE_UCONTROL  _IO(KVMIO,  0x49)
> +
>  /* Device model IOC */
>  #define KVM_CREATE_IRQCHIP        _IO(KVMIO,   0x60)
>  #define KVM_IRQ_LINE              _IOW(KVMIO,  0x61, struct kvm_irq_level)
>

#define KVM_CAP_S390_UCONTROL


-- 
error compiling committee.c: too many arguments to function

Re: [patch 02/12] [PATCH] kvm-s390-ucontrol: per vcpu address spaces

[Avi Kivity]

On 12/01/2011 02:57 PM, Carsten Otte wrote:
> This patch introduces two ioctls for virtual cpus, that are only
> valid for kernel virtual machines that are controlled by userspace.
> Each virtual cpu has its individual address space in this mode of
> operation, and each address space is backed by the gmap
> implementation just like the address space for regular KVM guests.
> KVM_S390_UCAS_MAP allows to map a part of the user's virtual address
> space to the vcpu. Starting offset and length in both the user and
> the vcpu address space need to be aligned to 1M.
> KVM_S390_UCAS_UNMAP can be used to unmap a range of memory from a
> virtual cpu in a similar way.

>  	}
> --- a/include/linux/kvm.h
> +++ b/include/linux/kvm.h
> @@ -655,7 +655,14 @@ struct kvm_clock_data {
>  #define KVM_SET_TSS_ADDR          _IO(KVMIO,   0x47)
>  #define KVM_SET_IDENTITY_MAP_ADDR _IOW(KVMIO,  0x48, __u64)
>  /* enable ucontrol for s390 */
> +struct kvm_s390_ucas_mapping {
> +	unsigned long user_addr;
> +	unsigned long vcpu_addr;
> +	unsigned long length;
> +};

Do you have 32/64 issues on s390?  This struct changes size with host
userspace bitness.

>  #define KVM_S390_ENABLE_UCONTROL  _IO(KVMIO,  0x49)
> +#define KVM_S390_UCAS_MAP        _IOW(KVMIO, 0x50, struct kvm_s390_ucas_mapping)
> +#define KVM_S390_UCAS_UNMAP      _IOW(KVMIO, 0x51, struct kvm_s390_ucas_mapping)
>  
>

-- 
error compiling committee.c: too many arguments to function

Re: [patch 04/12] [PATCH] kvm-s390-ucontrol: export SIE control block to user

[Avi Kivity]

On 12/01/2011 02:57 PM, Carsten Otte wrote:
> This patch exports the SIE hardware control block to userspace
> via the mapping of the vcpu file descriptor.
>
> Signed-off-by: Carsten Otte <cotte@de.ibm.com>
> ---
> ---
>  arch/s390/include/asm/kvm_host.h |    2 ++
>  virt/kvm/kvm_main.c              |    5 +++++
>  2 files changed, 7 insertions(+)
>
> --- a/arch/s390/include/asm/kvm_host.h
> +++ b/arch/s390/include/asm/kvm_host.h
> @@ -24,6 +24,8 @@
>  /* memory slots that does not exposed to userspace */
>  #define KVM_PRIVATE_MEM_SLOTS 4
>  
> +#define KVM_SIE_PAGE_OFFSET 1
> +

How does userspace get to know what this value is?

Coalesced mmio does this with the return value of
KVM_CAP_COALESCED_MMIO.  You can hardcode it, but in a user visible
header please.

>  struct sca_entry {
>  	atomic_t scn;
>  	__u32	reserved;
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -1656,6 +1656,11 @@ static int kvm_vcpu_fault(struct vm_area
>  	else if (vmf->pgoff == KVM_COALESCED_MMIO_PAGE_OFFSET)
>  		page = virt_to_page(vcpu->kvm->coalesced_mmio_ring);
>  #endif
> +#if defined(CONFIG_S390) && defined(CONFIG_KVM_UCONTROL)
> +	else if ((vmf->pgoff == KVM_SIE_PAGE_OFFSET)
> +		 && (!(vcpu->kvm->arch.gmap)))
> +		page = virt_to_page(vcpu->arch.sie_block);
> +#endif

kvm_arch_vcpu_fault()

-- 
error compiling committee.c: too many arguments to function

Re: [patch 04/12] [PATCH] kvm-s390-ucontrol: export SIE control block to user

[Avi Kivity]

On 12/01/2011 02:57 PM, Carsten Otte wrote:
> This patch exports the SIE hardware control block to userspace
> via the mapping of the vcpu file descriptor.
>  	else if (vmf->pgoff == KVM_COALESCED_MMIO_PAGE_OFFSET)
>  		page = virt_to_page(vcpu->kvm->coalesced_mmio_ring);
>  #endif
> +#if defined(CONFIG_S390) && defined(CONFIG_KVM_UCONTROL)
> +	else if ((vmf->pgoff == KVM_SIE_PAGE_OFFSET)
> +		 && (!(vcpu->kvm->arch.gmap)))

Is the second test "kvm_is_ucontrol()"?

> +		page = virt_to_page(vcpu->arch.sie_block);
> +#endif
>  	else
>  		return VM_FAULT_SIGBUS;
>  	get_page(page);
>


-- 
error compiling committee.c: too many arguments to function

Re: [patch 01/12] [PATCH] kvm-s390: ioctl to switch to user controlled virtual machines

[Avi Kivity]

On 12/01/2011 03:15 PM, Avi Kivity wrote:
>
> > +
> > +	if (kvm->arch.gmap)
> > +		gmap_free(kvm->arch.gmap);
> > +
> > +	kvm->arch.gmap = NULL;
>
> Locking?
>
> What happens if a vcpu is created afterwards?
>

Having read the code, I think you can repurpose the argument of
KVM_CREATE_VM to be a vm type; with 0 being a normal vm, and 1 being
your new monster.  The code already checks that the argument is zero, so
we're safe there.

-- 
error compiling committee.c: too many arguments to function

Re: [patch 00/12] User controlled virtual machines

[Avi Kivity]

On 12/01/2011 03:10 PM, Avi Kivity wrote:
> On 12/01/2011 02:57 PM, Carsten Otte wrote:
> > Hi Avi, Hi Marcelo,
> >
> > this patch series introduces an interface to allow a privileged userspace
> > program to control a KVM virtual machine. The interface is intended for
> > use by a machine simulator called CECSIM that can simulate an entire
> > mainframe machine with nested virtualization and I/O for the purpose
> > of testing and debugging its firmware prior to availability of silicon.
> > This patchset allows for concurrent use of the KVM device driver to drive
> > both regular and user controlled virtual machines at the same time.
> > I would kindly like to ask for review and inclusion of these patches.
>
> So, this moves the responsibility of handling intercepts from the kernel
> to userspace, yes?
>
> How much of the kvm code continues to be active after this?  Perhaps it
> makes sense to have a separate interface for this.

Okay, I read the code and I even think I understood a little bit of it. 
In general the patches look okay, I had only minor comments.  But please
do document all the new interfaces.

-- 
error compiling committee.c: too many arguments to function

Re: [patch 04/12] [PATCH] kvm-s390-ucontrol: export SIE control block to user

[Carsten Otte]

On 01.12.2011 14:26, Avi Kivity wrote:
> On 12/01/2011 02:57 PM, Carsten Otte wrote:
>> This patch exports the SIE hardware control block to userspace
>> via the mapping of the vcpu file descriptor.
>>   	else if (vmf->pgoff == KVM_COALESCED_MMIO_PAGE_OFFSET)
>>   		page = virt_to_page(vcpu->kvm->coalesced_mmio_ring);
>>   #endif
>> +#if defined(CONFIG_S390)&&  defined(CONFIG_KVM_UCONTROL)
>> +	else if ((vmf->pgoff == KVM_SIE_PAGE_OFFSET)
>> +		&&  (!(vcpu->kvm->arch.gmap)))
>
> Is the second test "kvm_is_ucontrol()"?
Yes it is, but that is defined in arch/s390/kvm/kvm-s390.h which
I do not dare to include here.

Re: [patch 04/12] [PATCH] kvm-s390-ucontrol: export SIE control block to user

[Avi Kivity]

On 12/01/2011 03:59 PM, Carsten Otte wrote:
> On 01.12.2011 14:26, Avi Kivity wrote:
>> On 12/01/2011 02:57 PM, Carsten Otte wrote:
>>> This patch exports the SIE hardware control block to userspace
>>> via the mapping of the vcpu file descriptor.
>>>       else if (vmf->pgoff == KVM_COALESCED_MMIO_PAGE_OFFSET)
>>>           page = virt_to_page(vcpu->kvm->coalesced_mmio_ring);
>>>   #endif
>>> +#if defined(CONFIG_S390)&&  defined(CONFIG_KVM_UCONTROL)
>>> +    else if ((vmf->pgoff == KVM_SIE_PAGE_OFFSET)
>>> +        &&  (!(vcpu->kvm->arch.gmap)))
>>
>> Is the second test "kvm_is_ucontrol()"?
> Yes it is, but that is defined in arch/s390/kvm/kvm-s390.h which
> I do not dare to include here.
>

Oh, so kvm_arch_vcpu_fault() will help.  The pio stuff sets a bad
example, but we needn't follow it.

-- 
error compiling committee.c: too many arguments to function

Re: [patch 01/12] [PATCH] kvm-s390: ioctl to switch to user controlled virtual machines

[Martin Schwidefsky]

On Thu, 01 Dec 2011 15:15:03 +0200
Avi Kivity <avi@redhat.com> wrote:

> > +
> > +	if (kvm->arch.gmap)
> > +		gmap_free(kvm->arch.gmap);
> > +
> > +	kvm->arch.gmap = NULL;
> 
> Locking?
> 
> What happens if a vcpu is created afterwards?
> 
> I guess you don't mind too much since this is a privileged interface for
> a single purpose.

That is indeed a race. A malicious user space could create a new cpu with
KVM_CREATE_VCPU on another thread after the for loop checked that there
are no VCPUs. The new VCPU could then pick up the kvm->arch.gmap and use it
while the caller of KVM_S390_ENABLE_UCONTROL frees the structure.
The kvm_s390_enable_ucontrol function needs to lock with the kvm->lock mutex.

-- 
blue skies,
   Martin.

"Reality continues to ruin my life." - Calvin.

Re: [patch 00/12] User controlled virtual machines

[Carsten Otte]

On 01.12.2011 14:33, Avi Kivity wrote:
> Okay, I read the code and I even think I understood a little bit of it.
> In general the patches look okay, I had only minor comments.  But please
> do document all the new interfaces.
Since when do we have api documentation? Tssj, kvm has grown up since last I
looked ;-). Thanks for your feedback, all makes sense to me. I'll
implement it and repost the series.

so long,
Carsten

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 823 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -572,7 +572,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 823 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
===================================================================
--- linux-2.5-cecsim.orig/arch/s390/kvm/kvm-s390.c
+++ linux-2.5-cecsim/arch/s390/kvm/kvm-s390.c
@@ -572,7 +572,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 763 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -572,7 +572,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 763 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -572,7 +572,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)

[patch 05/12] [PATCH] kvm-s390-ucontrol: disable in-kernel handling of SIE intercepts

[Carsten Otte]

[-- Attachment #1: no-sie-intercepts-for-ucontrol.patch --]
[-- Type: text/plain, Size: 763 bytes --]

This patch disables in-kernel handling of SIE intercepts for user
controlled virtual machines. All intercepts are passed to userspace
via KVM_EXIT_SIE exit reason just like SIE intercepts that cannot be
handled in-kernel for regular KVM guests.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
---
 arch/s390/kvm/kvm-s390.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -566,7 +566,10 @@ rerun_vcpu:
 		rc = __vcpu_run(vcpu);
 		if (rc)
 			break;
-		rc = kvm_handle_sie_intercept(vcpu);
+		if (kvm_is_ucontrol(vcpu->kvm))
+			rc = -EOPNOTSUPP;
+		else
+			rc = kvm_handle_sie_intercept(vcpu);
 	} while (!signal_pending(current) && !rc);
 
 	if (rc == SIE_INTERCEPT_RERUNVCPU)