From mboxrd@z Thu Jan 1 00:00:00 1970
From: Xiao Guangrong
Subject: [PATCH] access: add test for dirty bit tracking if CR0.WP = 0
Date: Sat, 15 Dec 2012 15:03:32 +0800
Message-ID: <50CC20C4.1010206@linux.vnet.ibm.com>
To: Marcelo Tosatti, Gleb Natapov, KVM
Sender: kvm-owner@vger.kernel.org

If the write-fault access is from supervisor and CR0.WP is not set on the vcpu, kvm will fix it by adjusting pte access - it sets the W bit on the pte and clears the U bit. This is the chance that kvm can change pte access from readonly to writable.

Unfortunately, the pte access is the access of the 'direct' shadow page table, meaning direct sp.role.access = pte_access, so we will create a writable spte entry on the readonly shadow page table. It will cause the Dirty bit not to be tracked when two guest ptes point to the same large page. Note, it does not have any other impact except the Dirty bit, since cr0.wp is encoded into sp.role.

This testcase is not to trigger this bug
Signed-off-by: Xiao Guangrong --- x86/access.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 55 insertions(+), 0 deletions(-) diff --git a/x86/access.c b/x86/access.c index 23a5995..2ca325a 100644 --- a/x86/access.c +++ b/x86/access.c @@ -687,6 +687,60 @@ err: return 0; } +/* + * If the write-fault access is from supervisor and CR0.WP is not set on the + * vcpu, kvm will fix it by adjusting pte access - it sets the W bit on pte + * and clears U bit. This is the chance that kvm can change pte access from + * readonly to writable. + * + * Unfortunately, the pte access is the access of 'direct' shadow page table, + * means direct sp.role.access = pte_access, then we will create a writable + * spte entry on the readonly shadow page table. It will cause Dirty bit is + * not tracked when two guest ptes point to the same large page. Note, it + * does not have other impact except Dirty bit since cr0.wp is encoded into + * sp.role. + * + * Note: to trigger this bug, hugepage should be disabled on host. + */ +static int check_large_pte_dirty_for_nowp(ac_pool_t *pool) +{ + ac_test_t at1, at2; + + ac_test_init(&at1, (void *)(0x123403000000)); + ac_test_init(&at2, (void *)(0x666606000000)); + + at2.flags[AC_PDE_PRESENT] = 1; + at2.flags[AC_PDE_PSE] = 1; + + ac_test_setup_pte(&at2, pool); + if (!ac_test_do_access(&at2)) { + printf("%s: read on the first mapping fail.\n", __FUNCTION__); + goto err; + } + + at1.flags[AC_PDE_PRESENT] = 1; + at1.flags[AC_PDE_PSE] = 1; + at1.flags[AC_ACCESS_WRITE] = 1; + + ac_test_setup_pte(&at1, pool); + if (!ac_test_do_access(&at1)) { + printf("%s: write on the second mapping fail.\n", __FUNCTION__); + goto err; + } + + at2.flags[AC_ACCESS_WRITE] = 1; + ac_set_expected_status(&at2); + if (!ac_test_do_access(&at2)) { + printf("%s: write on the first mapping fail.\n", __FUNCTION__); + goto err; + } + + return 1; + +err: + return 0; +} + static int check_smep_andnot_wp(ac_pool_t *pool) { ac_test_t at1; 
@@ -756,6 +810,7 @@ const ac_test_fn ac_test_cases[] = { corrupt_hugepage_triger, check_pfec_on_prefetch_pte, + check_large_pte_dirty_for_nowp, check_smep_andnot_wp }; -- 1.7.7.6
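Review bot: in the first hunk (the new check_large_pte_dirty_for_nowp), nothing in the function clears or asserts CR0.WP, yet the name, the header comment and the expected success of the write through at1 (which sets AC_ACCESS_WRITE without any writable PDE flag) all depend on CR0.WP being 0 while the test runs; either set it explicitly in the function or add a comment stating where in the harness that state is guaranteed, since a reader cannot verify it from this hunk. Related, the comment says the bug needs "two guest ptes point to the same large page", but the code only shows two different virtual addresses (0x123403000000 and 0x666606000000) being set up from the same pool, so a one-line comment that both mappings are expected to resolve to the same large page would make the intent of the final at2 write (after ac_set_expected_status) clear. The commit message also says "This testcase is not to trigger this bug" while the function comment says the bug is triggered when hugepages are disabled on the host; please reconcile the two. Minor style: `__func__` is the standard spelling of `__FUNCTION__`, and "fail" in the three printf messages reads better as "failed".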
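Review bot: in the second hunk, check_large_pte_dirty_for_nowp is registered in ac_test_cases unconditionally, but the function's own comment states it only exercises the bug when hugepages are disabled on the host; a passing run with host hugepages enabled therefore says nothing about the Dirty-bit tracking being discussed, so consider recording that prerequisite in the commit message or in the test's printed name so results are not misread as coverage.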