From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Marcelo Tosatti <mtosatti@redhat.com>,
Josh Boyer <jwboyer@fedoraproject.org>
Subject: [PATCH 3.10 17/22] KVM: x86: handle invalid root_hpa everywhere
Date: Fri, 28 Mar 2014 10:32:09 -0700 [thread overview]
Message-ID: <20140328173111.740839045@linuxfoundation.org> (raw)
In-Reply-To: <20140328173109.378288825@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Tosatti <mtosatti@redhat.com>
commit 37f6a4e237303549c8676dfe1fd1991ceab512eb upstream.
Rom Freiman <rom@stratoscale.com> notes other code paths vulnerable to
bug fixed by 989c6b34f6a9480e397b.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/mmu.c | 9 +++++++++
arch/x86/kvm/paging_tmpl.h | 8 ++++++++
2 files changed, 17 insertions(+)
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2751,6 +2751,9 @@ static bool fast_page_fault(struct kvm_v
bool ret = false;
u64 spte = 0ull;
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ return false;
+
if (!page_fault_can_be_fast(vcpu, error_code))
return false;
@@ -3142,6 +3145,9 @@ static u64 walk_shadow_page_get_mmio_spt
struct kvm_shadow_walk_iterator iterator;
u64 spte = 0ull;
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ return spte;
+
walk_shadow_page_lockless_begin(vcpu);
for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
if (!is_shadow_present_pte(spte))
@@ -4332,6 +4338,9 @@ int kvm_mmu_get_spte_hierarchy(struct kv
u64 spte;
int nr_sptes = 0;
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ return nr_sptes;
+
walk_shadow_page_lockless_begin(vcpu);
for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
sptes[iterator.level-1] = spte;
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -423,6 +423,9 @@ static int FNAME(fetch)(struct kvm_vcpu
if (FNAME(gpte_changed)(vcpu, gw, top_level))
goto out_gpte_changed;
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ goto out_gpte_changed;
+
for (shadow_walk_init(&it, vcpu, addr);
shadow_walk_okay(&it) && it.level > gw->level;
shadow_walk_next(&it)) {
@@ -671,6 +674,11 @@ static void FNAME(invlpg)(struct kvm_vcp
*/
mmu_topup_memory_caches(vcpu);
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) {
+ WARN_ON(1);
+ return;
+ }
+
spin_lock(&vcpu->kvm->mmu_lock);
for_each_shadow_entry(vcpu, gva, iterator) {
level = iterator.level;
next prev parent reply other threads:[~2014-03-28 17:50 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-28 17:31 [PATCH 3.10 00/22] 3.10.35-stable review Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 01/22] ALSA: compress: Pass through return value of open ops callback Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 02/22] tracing: Fix array size mismatch in format string Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 03/22] media: cxusb: unlock on error in cxusb_i2c_xfer() Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 04/22] media: dw2102: some missing unlocks on error Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 05/22] media: cx18: check for allocation failure in cx18_read_eeprom() Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 06/22] libceph: block I/O when PAUSE or FULL osd map flags are set Greg Kroah-Hartman
2014-03-28 17:31 ` [PATCH 3.10 07/22] libceph: resend all writes after the osdmap loses the full flag Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 08/22] ASoC: max98090: make REVISION_ID readable Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 09/22] x86: bpf_jit: support negative offsets Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 10/22] deb-pkg: Fix cross-building linux-headers package Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 11/22] p54: clamp properly instead of just truncating Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 12/22] regulator: core: Replace direct ops->disable usage Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 13/22] ARM: move outer_cache declaration out of ifdef Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 14/22] ARM: highbank: avoid L2 cache smc calls when PL310 is not present Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 15/22] Input: elantech - improve clickpad detection Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 16/22] KVM: MMU: handle invalid root_hpa at __direct_map Greg Kroah-Hartman
2014-03-28 17:32 ` Greg Kroah-Hartman [this message]
2014-03-28 17:32 ` [PATCH 3.10 18/22] KVM: VMX: fix use after free of vmx->loaded_vmcs Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 19/22] Input: wacom - make sure touch_max is set for touch devices Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 20/22] xhci: Fix resume issues on Renesas chips in Samsung laptops Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 21/22] e100: Fix "disabling already-disabled device" warning Greg Kroah-Hartman
2014-03-28 17:32 ` [PATCH 3.10 22/22] sched/autogroup: Fix race with task_groups list Greg Kroah-Hartman
2014-03-29 1:00 ` [PATCH 3.10 00/22] 3.10.35-stable review Guenter Roeck
2014-03-30 1:26 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140328173111.740839045@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jwboyer@fedoraproject.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.