From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"James Hogan" <james.hogan@imgtec.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Ralf Baechle" <ralf@linux-mips.org>,
linux-mips@linux-mips.org, kvm@vger.kernel.org
Subject: [PATCH 3.14 17/46] [PATCH BACKPORT 3.10-3.15 2/4] MIPS: KVM: Add missing gfn range check
Date: Thu, 18 Aug 2016 15:54:39 +0200 [thread overview]
Message-ID: <20160818135444.987044692@linuxfoundation.org> (raw)
In-Reply-To: <20160818135442.457400364@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.
kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
based on the guest TLB EntryLo values, however it is not range checked
to ensure it lies within the guest_pmap. If the physical memory the
guest refers to is out of range then dump the guest TLB and emit an
internal error.
Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[james.hogan@imgtec.com: Backport to v3.10.y - v3.15.y]
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kvm/kvm_tlb.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -370,6 +370,7 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
struct kvm *kvm = vcpu->kvm;
pfn_t pfn0, pfn1;
+ gfn_t gfn0, gfn1;
long tlb_lo[2];
tlb_lo[0] = tlb->tlb_lo0;
@@ -383,14 +384,24 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
VPN2_MASK & (PAGE_MASK << 1)))
tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT) < 0)
+ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
+ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
+ if (gfn0 >= kvm->arch.guest_pmap_npages ||
+ gfn1 >= kvm->arch.guest_pmap_npages) {
+ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
+ __func__, gfn0, gfn1, tlb->tlb_hi);
+ kvm_mips_dump_guest_tlbs(vcpu);
return -1;
+ }
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT) < 0)
+ if (kvm_mips_map_page(kvm, gfn0) < 0)
return -1;
- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
+ if (kvm_mips_map_page(kvm, gfn1) < 0)
+ return -1;
+
+ pfn0 = kvm->arch.guest_pmap[gfn0];
+ pfn1 = kvm->arch.guest_pmap[gfn1];
if (hpa0)
*hpa0 = pfn0 << PAGE_SHIFT;
next prev parent reply other threads:[~2016-08-18 13:57 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160818135526uscas1p209dc90415100838cf7c73a2d19ca32a3@uscas1p2.samsung.com>
2016-08-18 13:54 ` [PATCH 3.14 00/46] 3.14.77-stable review Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 01/46] tcp: make challenge acks faster Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 02/46] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 11/46] cifs: Check for existing directory when opening file with O_CREAT Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 12/46] cifs: fix crash due to race in hmac(md5) handling Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 14/46] random: properly align get_random_int_hash Greg Kroah-Hartman
2016-08-19 3:14 ` Eric Biggers
2016-08-19 7:33 ` Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 15/46] random: print a warning for the first ten uninitialized random users Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 16/46] [PATCH BACKPORT 3.10-3.15 1/4] MIPS: KVM: Fix mapped fault broken commpage handling Greg Kroah-Hartman
2016-08-18 13:54 ` Greg Kroah-Hartman [this message]
2016-08-18 13:54 ` [PATCH 3.14 18/46] [PATCH BACKPORT 3.10-3.15 3/4] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 19/46] [PATCH BACKPORT 3.10-3.15 4/4] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 20/46] nfs: dont create zero-length requests Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 30/46] balloon: check the number of available pages in leak balloon Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 31/46] ftrace/recordmcount: Work around for addition of metag magic but not relocations Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 32/46] metag: Fix __cmpxchg_u32 asm constraint for CMP Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 33/46] IB/mlx5: Fix MODIFY_QP command input structure Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 34/46] IB/mlx5: Fix returned values of query QP Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 35/46] IB/mlx5: Fix post send fence logic Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 36/46] IB/IPoIB: Dont update neigh validity for unresolved entries Greg Kroah-Hartman
2016-08-18 13:54 ` [PATCH 3.14 37/46] IB/mlx4: Fix the SQ size of an RC QP Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 38/46] ubi: Make volume resize power cut aware Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 39/46] ubi: Fix race condition between ubi device creation and udev Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 40/46] target: Fix race between iscsi-target connection shutdown + ABORT_TASK Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 41/46] target: Fix max_unmap_lba_count calc overflow Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 42/46] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 43/46] PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 44/46] dm flakey: error READ bios during the down_interval Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 45/46] module: Invalidate signatures on force-loaded modules Greg Kroah-Hartman
2016-08-18 13:55 ` [PATCH 3.14 46/46] Documentation/module-signing.txt: Note need for version info if reusing a key Greg Kroah-Hartman
2016-08-18 20:05 ` [PATCH 3.14 00/46] 3.14.77-stable review Guenter Roeck
2016-08-19 7:38 ` Greg Kroah-Hartman
2016-08-18 21:34 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160818135444.987044692@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=james.hogan@imgtec.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=pbonzini@redhat.com \
--cc=ralf@linux-mips.org \
--cc=rkrcmar@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.