[GIT PULL 0/5] KVM: s390: Fixes for 4.4

[GIT PULL 0/5] KVM: s390: Fixes for 4.4

[Christian Borntraeger]

Paolo,

The following changes since commit 8005c49d9aea74d382f474ce11afbbc7d7130bec:

  Linux 4.4-rc1 (2015-11-15 17:00:27 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git  tags/kvm-s390-master-4.4-1

for you to fetch changes up to 152e9f65d66f0a3891efc3869440becc0e7ff53f:

  KVM: s390: fix wrong lookup of VCPUs by array index (2015-11-19 14:47:43 +0100)

----------------------------------------------------------------
KVM: s390: Fixes for 4.4

1. disallow changing the SIMD mode when CPUs have been created.
   it allowed userspace to corrupt kernel memory
2. Fix vCPU lookup. Until now the vCPU number equals the vCPU id. Some
   kernel code places relied on that. This might
   a: cause guest failures
   b: allow userspace to corrupt kernel memory
3. Fencing of the PFMF instruction should use the guest facilities
   and not the host facilities.

----------------------------------------------------------------
David Hildenbrand (4):
      KVM: s390: enable SIMD only when no VCPUs were created
      KVM: Provide function for VCPU lookup by id
      KVM: s390: avoid memory overwrites on emergency signal injection
      KVM: s390: fix wrong lookup of VCPUs by array index

Heiko Carstens (1):
      KVM: s390: fix pfmf intercept handler

 arch/s390/kvm/interrupt.c |  7 +++++--
 arch/s390/kvm/kvm-s390.c  |  6 +++++-
 arch/s390/kvm/priv.c      |  2 +-
 arch/s390/kvm/sigp.c      |  8 ++------
 include/linux/kvm_host.h  | 11 +++++++++++
 5 files changed, 24 insertions(+), 10 deletions(-)

[GIT PULL 1/5] KVM: s390: enable SIMD only when no VCPUs were created

[Christian Borntraeger]

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

We should never allow to enable/disable any facilities for the guest
when other VCPUs were already created.

kvm_arch_vcpu_(load|put) relies on SIMD not changing during runtime.
If somebody would create and run VCPUs and then decides to enable
SIMD, undefined behaviour could be possible (e.g. vector save area
not being set up).

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: stable@vger.kernel.org # 4.1+
---
 arch/s390/kvm/kvm-s390.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 8fe2f1c..8465892 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -342,12 +342,16 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap)
 		r = 0;
 		break;
 	case KVM_CAP_S390_VECTOR_REGISTERS:
-		if (MACHINE_HAS_VX) {
+		mutex_lock(&kvm->lock);
+		if (atomic_read(&kvm->online_vcpus)) {
+			r = -EBUSY;
+		} else if (MACHINE_HAS_VX) {
 			set_kvm_facility(kvm->arch.model.fac->mask, 129);
 			set_kvm_facility(kvm->arch.model.fac->list, 129);
 			r = 0;
 		} else
 			r = -EINVAL;
+		mutex_unlock(&kvm->lock);
 		VM_EVENT(kvm, 3, "ENABLE: CAP_S390_VECTOR_REGISTERS %s",
 			 r ? "(not available)" : "(success)");
 		break;
-- 
2.3.0

[GIT PULL 2/5] KVM: s390: fix pfmf intercept handler

[Christian Borntraeger]

From: Heiko Carstens <heiko.carstens@de.ibm.com>

The pfmf intercept handler should check if the EDAT 1 facility
is installed in the guest, not if it is installed in the host.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
---
 arch/s390/kvm/priv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
index 77191b8..d76b51c 100644
--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -660,7 +660,7 @@ static int handle_pfmf(struct kvm_vcpu *vcpu)
 
 	kvm_s390_get_regs_rre(vcpu, &reg1, &reg2);
 
-	if (!MACHINE_HAS_PFMF)
+	if (!test_kvm_facility(vcpu->kvm, 8))
 		return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
 
 	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
-- 
2.3.0

[GIT PULL 3/5] KVM: Provide function for VCPU lookup by id

[Christian Borntraeger]

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

Let's provide a function to lookup a VCPU by id.

Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
[split patch from refactoring patch]
---
 include/linux/kvm_host.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 5706a21..c923350 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -460,6 +460,17 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
 	     (vcpup = kvm_get_vcpu(kvm, idx)) != NULL; \
 	     idx++)
 
+static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id)
+{
+	struct kvm_vcpu *vcpu;
+	int i;
+
+	kvm_for_each_vcpu(i, vcpu, kvm)
+		if (vcpu->vcpu_id == id)
+			return vcpu;
+	return NULL;
+}
+
 #define kvm_for_each_memslot(memslot, slots)	\
 	for (memslot = &slots->memslots[0];	\
 	      memslot < slots->memslots + KVM_MEM_SLOTS_NUM && memslot->npages;\
-- 
2.3.0

[GIT PULL 4/5] KVM: s390: avoid memory overwrites on emergency signal injection

[Christian Borntraeger]

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

Commit 383d0b050106 ("KVM: s390: handle pending local interrupts via
bitmap") introduced a possible memory overwrite from user space.

User space could pass an invalid emergency signal code (sending VCPU)
and therefore exceed the bitmap. Let's take care of this case and
check that the id is in the valid range.

Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # v3.19+ db27a7a KVM: Provide function for VCPU lookup by id
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
---
 arch/s390/kvm/interrupt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
index 373e323..7242c2d 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -1110,6 +1110,10 @@ static int __inject_sigp_emergency(struct kvm_vcpu *vcpu,
 	trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY,
 				   irq->u.emerg.code, 0);
 
+	/* sending vcpu invalid */
+	if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)
+		return -EINVAL;
+
 	set_bit(irq->u.emerg.code, li->sigp_emerg_pending);
 	set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs);
 	atomic_or(CPUSTAT_EXT_INT, li->cpuflags);
-- 
2.3.0

[GIT PULL 5/5] KVM: s390: fix wrong lookup of VCPUs by array index

[Christian Borntraeger]

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

For now, VCPUs were always created sequentially with incrementing
VCPU ids. Therefore, the index in the VCPUs array matched the id.

As sequential creation might change with cpu hotplug, let's use
the correct lookup function to find a VCPU by id, not array index.

Let's also use kvm_lookup_vcpu() for validation of the sending VCPU
on external call injection.

Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: stable@vger.kernel.org # db27a7a KVM: Provide function for VCPU lookup by id
---
 arch/s390/kvm/interrupt.c | 3 +--
 arch/s390/kvm/sigp.c      | 8 ++------
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
index 7242c2d..6a75352 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -1030,8 +1030,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq)
 				   src_id, 0);
 
 	/* sending vcpu invalid */
-	if (src_id >= KVM_MAX_VCPUS ||
-	    kvm_get_vcpu(vcpu->kvm, src_id) == NULL)
+	if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL)
 		return -EINVAL;
 
 	if (sclp.has_sigpif)
diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c
index da690b6..77c22d6 100644
--- a/arch/s390/kvm/sigp.c
+++ b/arch/s390/kvm/sigp.c
@@ -291,12 +291,8 @@ static int handle_sigp_dst(struct kvm_vcpu *vcpu, u8 order_code,
 			   u16 cpu_addr, u32 parameter, u64 *status_reg)
 {
 	int rc;
-	struct kvm_vcpu *dst_vcpu;
+	struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
 
-	if (cpu_addr >= KVM_MAX_VCPUS)
-		return SIGP_CC_NOT_OPERATIONAL;
-
-	dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
 	if (!dst_vcpu)
 		return SIGP_CC_NOT_OPERATIONAL;
 
@@ -478,7 +474,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu)
 	trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
 
 	if (order_code == SIGP_EXTERNAL_CALL) {
-		dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
+		dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
 		BUG_ON(dest_vcpu == NULL);
 
 		kvm_s390_vcpu_wakeup(dest_vcpu);
-- 
2.3.0

Re: [GIT PULL 0/5] KVM: s390: Fixes for 4.4

[Paolo Bonzini]

On 19/11/2015 15:09, Christian Borntraeger wrote:
> Paolo,
> 
> The following changes since commit 8005c49d9aea74d382f474ce11afbbc7d7130bec:
> 
>   Linux 4.4-rc1 (2015-11-15 17:00:27 -0800)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git  tags/kvm-s390-master-4.4-1
> 
> for you to fetch changes up to 152e9f65d66f0a3891efc3869440becc0e7ff53f:
> 
>   KVM: s390: fix wrong lookup of VCPUs by array index (2015-11-19 14:47:43 +0100)
> 
> ----------------------------------------------------------------
> KVM: s390: Fixes for 4.4
> 
> 1. disallow changing the SIMD mode when CPUs have been created.
>    it allowed userspace to corrupt kernel memory
> 2. Fix vCPU lookup. Until now the vCPU number equals the vCPU id. Some
>    kernel code places relied on that. This might
>    a: cause guest failures
>    b: allow userspace to corrupt kernel memory
> 3. Fencing of the PFMF instruction should use the guest facilities
>    and not the host facilities.
> 
> ----------------------------------------------------------------
> David Hildenbrand (4):
>       KVM: s390: enable SIMD only when no VCPUs were created
>       KVM: Provide function for VCPU lookup by id
>       KVM: s390: avoid memory overwrites on emergency signal injection
>       KVM: s390: fix wrong lookup of VCPUs by array index
> 
> Heiko Carstens (1):
>       KVM: s390: fix pfmf intercept handler
> 
>  arch/s390/kvm/interrupt.c |  7 +++++--
>  arch/s390/kvm/kvm-s390.c  |  6 +++++-
>  arch/s390/kvm/priv.c      |  2 +-
>  arch/s390/kvm/sigp.c      |  8 ++------
>  include/linux/kvm_host.h  | 11 +++++++++++
>  5 files changed, 24 insertions(+), 10 deletions(-)
> 

Pulled, thanks (for now to kvm/next, since that's what Stephen Rothwell
tests daily).

Paolo