Update to 5.6.11-1

1 files changed, 79 insertions, 0 deletions

diff --git a/0002-kvm-ioapic-Restrict-lazy-EOI-update-to-edge-triggere.patch b/0002-kvm-ioapic-Restrict-lazy-EOI-update-to-edge-triggere.patch
new file mode 100644
index 000000000000..a950a72f5260
--- /dev/null
+++ b/0002-kvm-ioapic-Restrict-lazy-EOI-update-to-edge-triggere.patch
@@ -0,0 +1,79 @@
+From da707adaee9ff035c943178160be54a90de00cb3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 4 May 2020 12:19:45 -0400
+Subject: [PATCH 2/3] kvm: ioapic: Restrict lazy EOI update to edge-triggered
+ interrupts
+
+Commit f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") introduces
+the following infinite loop:
+
+BUG: stack guard page was hit at 000000008f595917 \
+(stack is 00000000bdefe5a4..00000000ae2b06f5)
+kernel stack overflow (double-fault): 0000 [#1] SMP NOPTI
+RIP: 0010:kvm_set_irq+0x51/0x160 [kvm]
+Call Trace:
+ irqfd_resampler_ack+0x32/0x90 [kvm]
+ kvm_notify_acked_irq+0x62/0xd0 [kvm]
+ kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm]
+ ioapic_set_irq+0x20e/0x240 [kvm]
+ kvm_ioapic_set_irq+0x5c/0x80 [kvm]
+ kvm_set_irq+0xbb/0x160 [kvm]
+ ? kvm_hv_set_sint+0x20/0x20 [kvm]
+ irqfd_resampler_ack+0x32/0x90 [kvm]
+ kvm_notify_acked_irq+0x62/0xd0 [kvm]
+ kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm]
+ ioapic_set_irq+0x20e/0x240 [kvm]
+ kvm_ioapic_set_irq+0x5c/0x80 [kvm]
+ kvm_set_irq+0xbb/0x160 [kvm]
+ ? kvm_hv_set_sint+0x20/0x20 [kvm]
+....
+
+The re-entrancy happens because the irq state is the OR of
+the interrupt state and the resamplefd state.  That is, we don't
+want to show the state as 0 until we've had a chance to set the
+resamplefd.  But if the interrupt has _not_ gone low then
+ioapic_set_irq is invoked again, causing an infinite loop.
+
+This can only happen for a level-triggered interrupt, otherwise
+irqfd_inject would immediately set the KVM_USERSPACE_IRQ_SOURCE_ID high
+and then low.  Fortunately, in the case of level-triggered interrupts the VMEXIT already happens because
+TMR is set.  Thus, fix the bug by restricting the lazy invocation
+of the ack notifier to edge-triggered interrupts, the only ones that
+need it.
+
+Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Reported-by: borisvk@bstnet.org
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Link: https://www.spinics.net/lists/kvm/msg213512.html
+Fixes: f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207489
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/ioapic.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
+index 750ff0b29404..d057376bd3d3 100644
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -225,12 +225,12 @@ static int ioapic_set_irq(struct kvm_ioapic *ioapic, unsigned int irq,
+ 	}
+ 
+ 	/*
+-	 * AMD SVM AVIC accelerate EOI write and do not trap,
+-	 * in-kernel IOAPIC will not be able to receive the EOI.
+-	 * In this case, we do lazy update of the pending EOI when
+-	 * trying to set IOAPIC irq.
++	 * AMD SVM AVIC accelerate EOI write iff the interrupt is edge
++	 * triggered, in which case the in-kernel IOAPIC will not be able
++	 * to receive the EOI.  In this case, we do a lazy update of the
++	 * pending EOI when trying to set IOAPIC irq.
+ 	 */
+-	if (kvm_apicv_activated(ioapic->kvm))
++	if (edge && kvm_apicv_activated(ioapic->kvm))
+ 		ioapic_lazy_update_eoi(ioapic, irq);
+ 
+ 	/*
+-- 
+2.26.2
+