These patches fix several issues in the management of MIPS KVM TLB faults:

1) kvm_mips_handle_mapped_seg_tlb_fault() misbehaves for virtual address
   zero, which can be hit if the guest creates such a mapping and
   accesses it in a way unexpected for the commpage (e.g. a CACHE
   instruction).
2) kvm_mips_handle_mapped_seg_tlb_fault() doesn't range check the gfn,
   allowing a high mapping by the guest to overflow the guest_pmap[].
3) kvm_mips_handle_kseg0_tlb_fault() has an off-by-one in its gfn range
   check, which could allow an odd-sized guest_pmap[] to be overflowed.
4) some callers of kvm_mips_handle_kseg0_tlb_fault() and
   kvm_mips_handle_mapped_seg_tlb_fault() don't correctly propagate
   errors upwards.

They're all marked for stable but won't apply cleanly before v4.8-rc1
due to recent changes. I have backports ready though.

Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: "Radim Krčmář" <rkrcmar@xxxxxxxxxx>
Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
Cc: linux-mips@xxxxxxxxxxxxxx
Cc: kvm@xxxxxxxxxxxxxxx
Cc: <stable@xxxxxxxxxxxxxxx>

James Hogan (4):
  MIPS: KVM: Fix mapped fault broken commpage handling
  MIPS: KVM: Add missing gfn range check
  MIPS: KVM: Fix gfn range check in kseg0 tlb faults
  MIPS: KVM: Propagate kseg0/mapped tlb fault errors

 arch/mips/kvm/emulate.c | 35 ++++++++++++++++------
 arch/mips/kvm/mmu.c     | 68 +++++++++++++++++++++++++++---------------
 2 files changed, 70 insertions(+), 33 deletions(-)

-- 
git-series 0.8.7
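The off-by-one in item 3 and the error propagation in item 4 are easiest to see on a small model, so here is an added example in user-space C. It is not code from the kernel or from this series: it assumes, as a stated model, that a host TLB entry covers an even/odd pair of guest pages so a fault at `gfn` touches both `guest_pmap[gfn & ~1]` and `guest_pmap[gfn | 1]`, and it uses constructed names (`struct guest_map`, `handle_kseg0_fault_model`, `first_unsafe_gfn`) rather than the KVM functions named above. It puts the flawed single-index check beside the corrected pair-aware check, shows why an odd-sized map is the case the flawed check gets wrong, and has the caller return the handler's error instead of continuing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef uint64_t gfn_t;

/* Constructed stand-in for the guest physical map: npages entries,
 * indexed by guest frame number (gfn). */
struct guest_map {
    const unsigned long *pmap;
    unsigned long npages;
};

/* Flawed check: only tests the faulting gfn. With npages odd, the last
 * valid gfn (npages - 1) is even, so its odd partner index equals npages
 * and lands one entry past the end of the array. */
static bool pair_in_range_flawed(const struct guest_map *m, gfn_t gfn)
{
    return gfn < m->npages;
}

/* Corrected check: bound the highest index the pair access will touch.
 * (gfn | 1) is the odd member of the pair, the largest index used. */
static bool pair_in_range_fixed(const struct guest_map *m, gfn_t gfn)
{
    return (gfn | 1) < m->npages;
}

/* Smallest gfn that the flawed check admits but the fixed check rejects,
 * or -1 if the two checks agree for every gfn (even npages). */
static long first_unsafe_gfn(unsigned long npages)
{
    unsigned long dummy = 0;
    struct guest_map m = { &dummy, npages };
    for (gfn_t gfn = 0; gfn < npages; gfn++)
        if (pair_in_range_flawed(&m, gfn) && !pair_in_range_fixed(&m, gfn))
            return (long)gfn;
    return -1;
}

/* Model of a kseg0 fault handler: fills the even/odd pair or returns -1
 * for an out-of-range gfn. Never touches pmap[] when rejecting. */
static int handle_kseg0_fault_model(const struct guest_map *m, gfn_t gfn,
                                    unsigned long *even_out,
                                    unsigned long *odd_out)
{
    if (!pair_in_range_fixed(m, gfn))
        return -1;
    *even_out = m->pmap[gfn & ~(gfn_t)1];
    *odd_out  = m->pmap[gfn | 1];
    return 0;
}

/* Caller that propagates the handler's error upward rather than carrying
 * on with uninitialised pair values (the item-4 pattern). */
static int caller_propagates(const struct guest_map *m, gfn_t gfn)
{
    unsigned long even = 0, odd = 0;
    int ret = handle_kseg0_fault_model(m, gfn, &even, &odd);
    if (ret)
        return ret;
    return 0;
}

/* Constructed sample map with an odd number of entries. */
static const unsigned long sample_pmap[5] = { 100, 101, 102, 103, 104 };
static const struct guest_map sample_map = { sample_pmap, 5 };

int main(void)
{
    printf("npages=5: first unsafe gfn = %ld\n", first_unsafe_gfn(5));
    printf("npages=4: first unsafe gfn = %ld\n", first_unsafe_gfn(4));
    printf("fault at gfn 4 on 5-entry map -> %d\n",
           caller_propagates(&sample_map, 4));
    printf("fault at gfn 3 on 5-entry map -> %d\n",
           caller_propagates(&sample_map, 3));
    return 0;
}
```

With five entries, gfn 4 passes the single-index test but its partner index 5 is out of bounds, which is exactly the odd-sized case the cover letter describes; with four entries the two checks never disagree.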