Changes in 5.15.91
memory: tegra: Remove clients SID override programming
memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe()
memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe()
dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG
arm64: dts: imx8mp-phycore-som: Remove invalid PMIC property
ARM: dts: imx6ul-pico-dwarf: Use 'clock-frequency'
ARM: dts: imx7d-pico: Use 'clock-frequency'
ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
arm64: dts: imx8mm-beacon: Fix ecspi2 pinmux
ARM: imx: add missing of_node_put()
HID: intel_ish-hid: Add check for ishtp_dma_tx_map
arm64: dts: imx8mm-venice-gw7901: fix USB2 controller OC polarity
soc: imx8m: Fix incorrect check for of_clk_get_by_name()
reset: uniphier-glue: Use reset_control_bulk API
reset: uniphier-glue: Fix possible null-ptr-deref
EDAC/highbank: Fix memory leak in highbank_mc_probe()
firmware: arm_scmi: Harden shared memory access in fetch_response
firmware: arm_scmi: Harden shared memory access in fetch_notification
tomoyo: fix broken dependency on *.conf.default
RDMA/core: Fix ib block iterator counter overflow
IB/hfi1: Reject a zero-length user expected buffer
IB/hfi1: Reserve user expected TIDs
IB/hfi1: Fix expected receive setup error exit issues
IB/hfi1: Immediately remove invalid memory from hardware
IB/hfi1: Remove user expected buffer invalidate race
affs: initialize fsdata in affs_truncate()
PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe()
arm64: dts: qcom: msm8992: Don't use sfpb mutex
arm64: dts: qcom: msm8992-libra: Add CPU regulators
arm64: dts: qcom: msm8992-libra: Fix the memory map
phy: ti: fix Kconfig warning and operator precedence
NFSD: fix use-after-free in nfsd4_ssc_setup_dul()
ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60
amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
amd-xgbe: Delay AN timeout during KR training
bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation
phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on()
net: nfc: Fix use-after-free in local_cleanup()
net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs
net: enetc: avoid deadlock in enetc_tx_onestep_tstamp()
sch_htb: Avoid grafting on htb_destroy_class_offload when destroying htb
gpio: use raw spinlock for gpio chip shadowed data
gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock
gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode
wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
pinctrl/rockchip: Use temporary variable for struct device
pinctrl/rockchip: add error handling for pull/drive register getters
pinctrl: rockchip: fix reading pull type on rk3568
net: stmmac: Fix queue statistics reading
net/sched: sch_taprio: fix possible use-after-free
l2tp: Serialize access to sk_user_data with sk_callback_lock
l2tp: Don't sleep and disable BH under writer-side sk_callback_lock
l2tp: convert l2tp_tunnel_list to idr
l2tp: close all race conditions in l2tp_tunnel_register()
octeontx2-pf: Avoid use of GFP_KERNEL in atomic context
net: usb: sr9700: Handle negative len
net: mdio: validate parameter addr in mdiobus_get_phy()
HID: check empty report_list in hid_validate_values()
HID: check empty report_list in bigben_probe()
net: stmmac: fix invalid call to mdiobus_get_phy()
pinctrl: rockchip: fix mux route data for rk3568
HID: revert CHERRY_MOUSE_000C quirk
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
net: ipa: disable ipa interrupt during suspend
net/mlx5: E-switch, Fix setting of reserved fields on MODIFY_SCHEDULING_ELEMENT
net: mlx5: eliminate anonymous module_init & module_exit
drm/panfrost: fix GENERIC_ATOMIC64 dependency
dmaengine: Fix double increment of client_count in dma_chan_get()
net: macb: fix PTP TX timestamp failure due to packet padding
virtio-net: correctly enable callback during start_xmit
l2tp: prevent lockdep issue in l2tp_tunnel_register()
HID: betop: check shape of output reports
cifs: fix potential deadlock in cache_refresh_path()
dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()
phy: phy-can-transceiver: Skip warning if no "max-bitrate"
drm/amd/display: fix issues with driver unload
nvme-pci: fix timeout request state check
tcp: avoid the lookup process failing to get sk in ehash table
octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt
ptdma: pt_core_execute_cmd() should use spinlock
device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()
w1: fix deadloop in __w1_remove_master_device()
w1: fix WARNING after calling w1_process()
driver core: Fix test_async_probe_init saves device in wrong array
selftests/net: toeplitz: fix race on tpacket_v3 block close
net: dsa: microchip: ksz9477: port map correction in ALU table entry register
thermal/core: Remove duplicate information when an error occurs
thermal/core: Rename 'trips' to 'num_trips'
thermal: Validate new state in cur_state_store()
thermal/core: fix error code in __thermal_cooling_device_register()
thermal: core: call put_device() only after device_register() fails
net: stmmac: enable all safety features by default
tcp: fix rate_app_limited to default to 1
scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace
cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist
kcsan: test: don't put the expect array on the stack
cpufreq: Add SM6375 to cpufreq-dt-platdev blocklist
ASoC: fsl_micfil: Correct the number of steps on SX controls
net: usb: cdc_ether: add support for Thales Cinterion PLS62-W modem
drm: Add orientation quirk for Lenovo ideapad D330-10IGL
s390/debug: add _ASM_S390_ prefix to header guard
s390: expicitly align _edata and _end symbols on page boundary
perf/x86/msr: Add Emerald Rapids
perf/x86/intel/uncore: Add Emerald Rapids
cpufreq: armada-37xx: stop using 0 as NULL pointer
ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC
ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets
spi: spidev: remove debug messages that access spidev->spi without locking
KVM: s390: interrupt: use READ_ONCE() before cmpxchg()
scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id
r8152: add vendor/device ID pair for Microsoft Devkit
platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD
platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK
lockref: stop doing cpu_relax in the cmpxchg loop
firmware: coreboot: Check size of table entry and use flex-array
drm/i915: Allow switching away via vga-switcheroo if uninitialized
Revert "selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID"
drm/i915: Remove unused variable
x86: ACPI: cstate: Optimize C3 entry on AMD CPUs
fs: reiserfs: remove useless new_opts in reiserfs_remount
sysctl: add a new register_sysctl_init() interface
kernel/panic: move panic sysctls to its own file
panic: unset panic_on_warn inside panic()
ubsan: no need to unset panic_on_warn in ubsan_epilogue()
kasan: no need to unset panic_on_warn in end_report()
exit: Add and use make_task_dead.
objtool: Add a missing comma to avoid string concatenation
hexagon: Fix function name in die()
h8300: Fix build errors from do_exit() to make_task_dead() transition
csky: Fix function name in csky_alignment() and die()
ia64: make IA64_MCA_RECOVERY bool instead of tristate
panic: Separate sysctl logic from CONFIG_SMP
exit: Put an upper limit on how often we can oops
exit: Expose "oops_count" to sysfs
exit: Allow oops_limit to be disabled
panic: Consolidate open-coded panic_on_warn checks
panic: Introduce warn_limit
panic: Expose "warn_count" to sysfs
docs: Fix path paste-o for /sys/kernel/warn_count
exit: Use READ_ONCE() for all oops/warn limit reads
Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
drm/amdgpu: complete gfxoff allow signal during suspend without delay
scsi: hpsa: Fix allocation size for scsi_host_alloc()
KVM: SVM: fix tsc scaling cache logic
module: Don't wait for GOING modules
tracing: Make sure trace_printk() can output as soon as it can be used
trace_events_hist: add check for return value of 'create_hist_field'
ftrace/scripts: Update the instructions for ftrace-bisect.sh
cifs: Fix oops due to uncleared server->smbd_conn in reconnect
i2c: mv64xxx: Remove shutdown method from driver
i2c: mv64xxx: Add atomic_xfer method to driver
ksmbd: add smbd max io size parameter
ksmbd: add max connections parameter
ksmbd: do not sign response to session request for guest login
ksmbd: downgrade ndr version error message to debug
ksmbd: limit pdu length size according to connection status
ovl: fail on invalid uid/gid mapping at copy up
KVM: x86/vmx: Do not skip segment attributes if unusable bit is set
KVM: arm64: GICv4.1: Fix race with doorbell on VPE activation/deactivation
thermal: intel: int340x: Protect trip temperature from concurrent updates
ipv6: fix reachability confirmation with proxy_ndp
ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment
EDAC/device: Respect any driver-supplied workqueue polling value
EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info
net: mana: Fix IRQ name - add PCI and queue number
scsi: ufs: core: Fix devfreq deadlocks
i2c: designware: use casting of u64 in clock multiplication to avoid overflow
netlink: prevent potential spectre v1 gadgets
net: fix UaF in netns ops registration error path
drm/i915/selftest: fix intel_selftest_modify_policy argument types
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
netfilter: nft_set_rbtree: skip elements in transaction from garbage collection
netlink: annotate data races around nlk->portid
netlink: annotate data races around dst_portid and dst_group
netlink: annotate data races around sk_state
ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
ipv4: prevent potential spectre v1 gadget in fib_metrics_match()
netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
netrom: Fix use-after-free of a listening socket.
net/sched: sch_taprio: do not schedule in taprio_reset()
sctp: fail if no bound addresses can be used for a given scope
riscv/kprobe: Fix instruction simulation of JALR
nvme: fix passthrough csi check
gpio: mxc: Unlock on error path in mxc_flip_edge()
ravb: Rename "no_ptp_cfg_active" and "ptp_cfg_active" variables
net: ravb: Fix lack of register setting after system resumed for Gen3
net: ravb: Fix possible hang if RIS2_QFF1 happen
net: mctp: mark socks as dead on unhash, prevent re-add
thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type()
net/tg3: resolve deadlock in tg3_reset_task() during EEH
net: mdio-mux-meson-g12a: force internal PHY off on mux switch
treewide: fix up files incorrectly marked executable
tools: gpio: fix -c option of gpio-event-mon
Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode"
cpufreq: Move to_gov_attr_set() to cpufreq.h
cpufreq: governor: Use kobject release() method to free dbs_data
kbuild: Allow kernel installation packaging to override pkg-config
block: fix and cleanup bio_check_ro
x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL
netfilter: conntrack: unify established states for SCTP paths
perf/x86/amd: fix potential integer overflow on shift of a int
Linux 5.15.91
Change-Id: I3349d802533097ac86e5c680fbd40c00c9719ec7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit ef3691683d7bfd0a2acf48812e4ffe894f10bfa8 upstream.
To save the vgic LPI pending state with GICv4.1, the VPEs must all be
unmapped from the ITSs so that the sGIC caches can be flushed.
The opposite is done once the state is saved.
This is all done by using the activate/deactivate irqdomain callbacks
directly from the vgic code. Crutially, this is done without holding
the irqdesc lock for the interrupts that represent the VPE. And these
callbacks are changing the state of the irqdesc. What could possibly
go wrong?
If a doorbell fires while we are messing with the irqdesc state,
it will acquire the lock and change the interrupt state concurrently.
Since we don't hole the lock, curruption occurs in on the interrupt
state. Oh well.
While acquiring the lock would fix this (and this was Shanker's
initial approach), this is still a layering violation we could do
without. A better approach is actually to free the VPE interrupt,
do what we have to do, and re-request it.
It is more work, but this usually happens only once in the lifetime
of the VM and we don't really care about this sort of overhead.
Fixes: f66b7b151e ("KVM: arm64: GICv4.1: Try to save VLPI state in save_pending_tables")
Reported-by: Shanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230118022348.4137094-1-sdonthineni@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rather than look-up the hyp vCPU on every run hypercall at EL2,
introduce a per-CPU 'loaded_hyp_vcpu' tracking variable which is updated
by a pair of load/put hypercalls called directly from
kvm_arch_vcpu_{load,put}() when pKVM is enabled.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Change-Id: Ic640cb805d0f9610059713ff19918dcffc477d44
Consolidate the GICv3 VMCR accessor hypercalls into the APR save/restore
hypercalls so that all of the EL2 GICv3 state is covered by a single pair
of hypercalls.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Change-Id: Ifb109d1592a82d0858d5040482d5cf686f9e74e2
Unsusprisingly, Apple M1 Pro/Max have the exact same defect as the
original M1 and generate random SErrors in the host when a guest
tickles the GICv3 CPU interface the wrong way.
Add the part numbers for both the CPU types found in these two
new implementations, and add them to the hall of shame. This also
applies to the Ultra version, as it is composed of 2 Max SoCs.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220514102524.3188730-1-maz@kernel.org
(cherry picked from commit cae889302ebf5a9b22ca3580996118b8d20b3ae6)
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Bug: 233588291
Change-Id: I82e51d730ff1df0098015da29fa3e622bce57ce1
Everywhere we use kvm_for_each_vpcu(), we use an int as the vcpu
index. Unfortunately, we're about to move rework the iterator,
which requires this to be upgrade to an unsigned long.
Let's bite the bullet and repaint all of it in one go.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Message-Id: <20211116160403.4074052-7-maz@kernel.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 46808a4cb89708c2e5b264eb9d1035762581921b)
[willdeacon@: Drop riscv hunks; drop x86 hunks for code that isn't present;
convert kvm_hyperv_tsc_notifier() as well]
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Bug: 233588291
Change-Id: I78a3ae244de22575684dd47a9823b9fc61b6fa7d
Contrary to what df652bcf1136 ("KVM: arm64: vgic-v3: Work around GICv3
locally generated SErrors") was asserting, there is at least one other
system out there (Cavium ThunderX2) implementing SEIS, and not in
an obviously broken way.
So instead of imposing the M1 workaround on an innocent bystander,
let's limit it to the two known broken Apple implementations.
Fixes: df652bcf1136 ("KVM: arm64: vgic-v3: Work around GICv3 locally generated SErrors")
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220122103912.795026-1-maz@kernel.org
(cherry picked from commit d11a327ed95dbec756b99cbfef2a7fd85c9eeb09)
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Bug: 233588291
Change-Id: I4c1b8faab30744f81b012e03b31cdd8254614f87
Running the KVM selftests results in these messages being dumped
in the kernel console:
[ 188.051073] kvm [469]: VGIC redist and dist frames overlap
[ 188.056820] kvm [469]: VGIC redist and dist frames overlap
[ 188.076199] kvm [469]: VGIC redist and dist frames overlap
Being amle to trigger this from userspace is definitely not on,
so demote these warnings to kvm_debug().
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211216104507.1482017-1-maz@kernel.org
(cherry picked from commit 440523b92be6a25e53f9ba1f3b418345fe465b51)
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Bug: 233588291
Change-Id: I0c6c94795a86705925dc1c9519bb0dec831b641c
GICv2 requires having device mappings in guests and the hypervisor,
which is incompatible with the current pKVM EL2 page ownership model
which only covers memory. While it would be desirable to support pKVM
with GICv2, this will require a lot more work, so let's make the
current assumption clear until then.
Co-developed-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Quentin Perret <qperret@google.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20211208152300.2478542-3-qperret@google.com
(cherry picked from commit a770ee80e66270a7df183dda5ad6df4e8c8ab615)
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 233587962
Bug: 233588291
Change-Id: I0c507b698e7cefc389e1a49ed6b15cf59d9daaa7
Contrary to what df652bcf1136 ("KVM: arm64: vgic-v3: Work around GICv3
locally generated SErrors") was asserting, there is at least one other
system out there (Cavium ThunderX2) implementing SEIS, and not in
an obviously broken way.
So instead of imposing the M1 workaround on an innocent bystander,
let's limit it to the two known broken Apple implementations.
Fixes: df652bcf1136 ("KVM: arm64: vgic-v3: Work around GICv3 locally generated SErrors")
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220122103912.795026-1-maz@kernel.org
(cherry picked from commit d11a327ed95dbec756b99cbfef2a7fd85c9eeb09
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git fixes)
Bug: 209777660
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I4c1b8faab30744f81b012e03b31cdd8254614f87
Now that protected VMs have a shadow state maintained at EL2 in nVHE
protected mode, make sure to sync and flush the vgic state between host
and hyp data structure upon entry and exit from a guest.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Bug: 209580772
Change-Id: I8d7ab950041a5cd79217c9ee0e04742a27439a99
Signed-off-by: Will Deacon <willdeacon@google.com>
Merge the functions to save and restore vmcr and apr. This can in some
cases reduce the number of hypercalls necessary to load/put the vgic
state in nVHE and will also ease its management in protected mode later
on.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Bug: 209580772
Change-Id: Id85f0698a7a346282e55c15993c274828bd5309c
Signed-off-by: Will Deacon <willdeacon@google.com>
Running the KVM selftests results in these messages being dumped
in the kernel console:
[ 188.051073] kvm [469]: VGIC redist and dist frames overlap
[ 188.056820] kvm [469]: VGIC redist and dist frames overlap
[ 188.076199] kvm [469]: VGIC redist and dist frames overlap
Being amle to trigger this from userspace is definitely not on,
so demote these warnings to kvm_debug().
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211216104507.1482017-1-maz@kernel.org
(cherry picked from commit 440523b92be6a25e53f9ba1f3b418345fe465b51
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next)
Bug: 209777660
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I0c6c94795a86705925dc1c9519bb0dec831b641c
GICv2 requires having device mappings in guests and the hypervisor,
which is incompatible with the current pKVM EL2 page ownership model
which only covers memory. While it would be desirable to support pKVM
with GICv2, this will require a lot more work, so let's make the
current assumption clear until then.
Co-developed-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Quentin Perret <qperret@google.com>
Link: https://lore.kernel.org/r/20211208152300.2478542-3-qperret@google.com
Bug: 209580772
Change-Id: I0c507b698e7cefc389e1a49ed6b15cf59d9daaa7
On systems that advertise ICH_VTR_EL2.SEIS, we trap all GICv3 sysreg
accesses from the guest. From a performance perspective, this is OK
as long as the guest doesn't hammer the GICv3 CPU interface.
In most cases, this is fine, unless the guest actively uses
priorities and switches PMR_EL1 very often. Which is exactly what
happens when a Linux guest runs with irqchip.gicv3_pseudo_nmi=1.
In these condition, the performance plumets as we hit PMR each time
we mask/unmask interrupts. Not good.
There is however an opportunity for improvement. Careful reading
of the architecture specification indicates that the only GICv3
sysreg belonging to the common group (which contains the SGI
registers, PMR, DIR, CTLR and RPR) that is allowed to generate
a SError is DIR. Everything else is safe.
It is thus possible to substitute the trapping of all the common
group with just that of DIR if it supported by the implementation.
Yes, that's yet another optional bit of the architecture.
So let's just do that, as it leads to some impressive result on
the M1:
Without this change:
bash-5.1# /host/home/maz/hackbench 100 process 1000
Running with 100*40 (== 4000) tasks.
Time: 56.596
With this change:
bash-5.1# /host/home/maz/hackbench 100 process 1000
Running with 100*40 (== 4000) tasks.
Time: 8.649
which is a pretty convincing result.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
Link: https://lore.kernel.org/r/20211010150910.2911495-4-maz@kernel.org
(cherry picked from commit 0924729b21bffdd0e13f29ea6256d299fc807cff)
Bug: 204960018
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I93eeac29ea47f1f03d0dc4dd97efe9e2ec18db58
The infamous M1 has a feature nobody else ever implemented,
in the form of the "GIC locally generated SError interrupts",
also known as SEIS for short.
These SErrors are generated when a guest does something that violates
the GIC state machine. It would have been simpler to just *ignore*
the damned thing, but that's not what this HW does. Oh well.
This part of of the architecture is also amazingly under-specified.
There is a whole 10 lines that describe the feature in a spec that
is 930 pages long, and some of these lines are factually wrong.
Oh, and it is deprecated, so the insentive to clarify it is low.
Now, the spec says that this should be a *virtual* SError when
HCR_EL2.AMO is set. As it turns out, that's not always the case
on this CPU, and the SError sometimes fires on the host as a
physical SError. Goodbye, cruel world. This clearly is a HW bug,
and it means that a guest can easily take the host down, on demand.
Thankfully, we have seen systems that were just as broken in the
past, and we have the perfect vaccine for it.
Apple M1, please meet the Cavium ThunderX workaround. All your
GIC accesses will be trapped, sanitised, and emulated. Only the
signalling aspect of the HW will be used. It won't be super speedy,
but it will at least be safe. You're most welcome.
Given that this has only ever been seen on this single implementation,
that the spec is unclear at best and that we cannot trust it to ever
be implemented correctly, gate the workaround solely on ICH_VTR_EL2.SEIS
being set.
Tested-by: Joey Gouly <joey.gouly@arm.com>
Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211010150910.2911495-3-maz@kernel.org
(cherry picked from commit df652bcf1136db7f16e486a204ba4b4fc4181759)
Bug: 204960018
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: Icee1ac199b1e6850d6d487d386f2e6e6929c19ca
Verify that the redistributor regions do not extend beyond the
VM-specified IPA range (phys_size). This can happen when using
KVM_VGIC_V3_ADDR_TYPE_REDIST or KVM_VGIC_V3_ADDR_TYPE_REDIST_REGIONS
with:
base + size > phys_size AND base < phys_size
Add the missing check into vgic_v3_alloc_redist_region() which is called
when setting the regions, and into vgic_v3_check_base() which is called
when attempting the first vcpu-run. The vcpu-run check does not apply to
KVM_VGIC_V3_ADDR_TYPE_REDIST_REGIONS because the regions size is known
before the first vcpu-run. Note that using the REDIST_REGIONS API
results in a different check, which already exists, at first vcpu run:
that the number of redist regions is enough for all vcpus.
Finally, this patch also enables some extra tests in
vgic_v3_alloc_redist_region() by calculating "size" early for the legacy
redist api: like checking that the REDIST region can fit all the already
created vcpus.
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Ricardo Koller <ricarkol@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211005011921.437353-3-ricarkol@google.com
(cherry picked from commit 4612d98f58c73ad63928200fd332f75c8e524dae)
Bug: 204960018
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I9c5877cb305621d206e36250aa970a55926d4b5e
When a mapped level interrupt (a timer, for example) is deactivated
by the guest, the corresponding host interrupt is equally deactivated.
However, the fate of the pending state still needs to be dealt
with in SW.
This is specially true when the interrupt was in the active+pending
state in the virtual distributor at the point where the guest
was entered. On exit, the pending state is potentially stale
(the guest may have put the interrupt in a non-pending state).
If we don't do anything, the interrupt will be spuriously injected
in the guest. Although this shouldn't have any ill effect (spurious
interrupts are always possible), we can improve the emulation by
detecting the deactivation-while-pending case and resample the
interrupt.
While we're at it, move the logic into a common helper that can
be shared between the two GIC implementations.
Fixes: e40cc57bac ("KVM: arm/arm64: vgic: Support level-triggered mapped interrupts")
Reported-by: Raghavendra Rao Ananta <rananta@google.com>
Tested-by: Raghavendra Rao Ananta <rananta@google.com>
Reviewed-by: Oliver Upton <oupton@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210819180305.1670525-1-maz@kernel.org
In order to deal with these systems that do not offer HW-based
deactivation of interrupts, let implement a SW-based approach:
- When the irq is queued into a LR, treat it as a pure virtual
interrupt and set the EOI flag in the LR.
- When the interrupt state is read back from the LR, force a
deactivation when the state is invalid (neither active nor
pending)
Interrupts requiring such treatment get the VGIC_SW_RESAMPLE flag.
Signed-off-by: Marc Zyngier <maz@kernel.org>
After pausing all vCPUs and devices capable of interrupting, in order
to save the states of all interrupts, besides flushing the states in
kvm’s vgic, we also try to flush the states of VLPIs in the virtual
pending tables into guest RAM, but we need to have GICv4.1 and safely
unmap the vPEs first.
As for the saving of VSGIs, which needs the vPEs to be mapped and might
conflict with the saving of VLPIs, but since we will map the vPEs back
at the end of save_pending_tables and both savings require the kvm->lock
to be held (thus only happen serially), it will work fine.
Signed-off-by: Shenming Lu <lushenming@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20210322060158.1584-5-lushenming@huawei.com
It looks like we have broken firmware out there that wrongly advertises
a GICv2 compatibility interface, despite the CPUs not being able to deal
with it.
To work around this, check that the CPU initialising KVM is actually able
to switch to MMIO instead of system registers, and use that as a
precondition to enable GICv2 compatibility in KVM.
Note that the detection happens on a single CPU. If the firmware is
lying *and* that the CPUs are asymetric, all hope is lost anyway.
Reported-by: Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>
Tested-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Message-Id: <20210305185254.3730990-8-maz@kernel.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
dist->ready setting is pointlessly spread across the two vgic
backends, while it could be consolidated in kvm_vgic_map_resources().
Move it there, and slightly simplify the flows in both backends.
Suggested-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
kvm_vgic_map_resources() is called when a VCPU if first run and it maps all
the VGIC MMIO regions. To prevent double-initialization, the VGIC uses the
ready variable to keep track of the state of resources and the global KVM
mutex to protect against concurrent accesses. After the lock is taken, the
variable is checked again in case another VCPU took the lock between the
current VCPU reading ready equals false and taking the lock.
The double-checked lock pattern is spread across four different functions:
in kvm_vcpu_first_run_init(), in kvm_vgic_map_resource() and in
vgic_{v2,v3}_map_resources(), which makes it hard to reason about and
introduces minor code duplication. Consolidate the checks in
kvm_vgic_map_resources(), where the lock is taken.
No functional change intended.
Signed-off-by: Alexandru Elisei <alexandru.elisei@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20201201150157.223625-4-alexandru.elisei@arm.com
The host need not concern itself with the pointer differences for the
hyp interfaces that are shared between VHE and nVHE so leave it to the
hyp to handle.
As the SMCCC function IDs are converted into function calls, it is a
suitable place to also convert any pointer arguments into hyp pointers.
This, additionally, eases the reuse of the handlers in different
contexts.
Signed-off-by: Andrew Scull <ascull@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200915104643.2543892-20-ascull@google.com
If we move the used_lrs field to the version-specific cpu interface
structure, the following functions only operate on the struct
vgic_v3_cpu_if and not the full vcpu:
__vgic_v3_save_state
__vgic_v3_restore_state
__vgic_v3_activate_traps
__vgic_v3_deactivate_traps
__vgic_v3_save_aprs
__vgic_v3_restore_aprs
This is going to be very useful for nested virt, so move the used_lrs
field and change the prototypes and implementations of these functions to
take the cpu_if parameter directly.
No functional change.
Reviewed-by: James Morse <james.morse@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
