From mboxrd@z Thu Jan 1 00:00:00 1970 From: Xiao Guangrong Subject: Re: [PATCH] check smap and !cr0.wp Date: Tue, 12 May 2015 11:13:17 +0800 Message-ID: <55516FCD.4020503@linux.intel.com> References: <1430988242-7186-1-git-send-email-guangrong.xiao@linux.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: gleb@kernel.org, mtosatti@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org To: pbonzini@redhat.com Return-path: In-Reply-To: <1430988242-7186-1-git-send-email-guangrong.xiao@linux.intel.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: kvm.vger.kernel.org Hi Paolo, Could you please apply this patch to kvm-unit-tests if it looks good to you? Thanks! On 05/07/2015 04:44 PM, Xiao Guangrong wrote: > This test case is used to produce the bug that: > > KVM may turn a user page to a kernel page when kernel writes a readonly > user page if CR0.WP = 1. This shadow page entry will be reused after > SMAP is enabled so that kernel is allowed to access this user page > > Signed-off-by: Xiao Guangrong > --- > x86/smap.c | 26 ++++++++++++++++++++++++++ > 1 file changed, 26 insertions(+) > > diff --git a/x86/smap.c b/x86/smap.c > index 042c5aa..66f97b8 100644 > --- a/x86/smap.c > +++ b/x86/smap.c > @@ -48,6 +48,7 @@ asm ("pf_tss:\n" > > #define USER_BASE (1 << 24) > #define USER_VAR(v) (*((__typeof__(&(v))) (((unsigned long)&v) + USER_BASE))) > +#define USER_ADDR(v) ((void *)((unsigned long)(&v) + USER_BASE)) > > static void init_test(int i) > { 
> @@ -58,6 +59,29 @@ static void init_test(int i) > } > } > > +static void check_smap_nowp(void) > +{ > + test = 0x99; > + > + *get_pte(phys_to_virt(read_cr3()), USER_ADDR(test)) &= ~PTE_WRITE; > + > + write_cr4(read_cr4() & ~X86_CR4_SMAP); > + write_cr0(read_cr0() & ~X86_CR0_WP); > + clac(); > + write_cr3(read_cr3()); > + > + init_test(0); > + USER_VAR(test) = 0x99; > + report("write from user page with SMAP=0, AC=0, WP=0, PTE.U=1 && PTE.W=0", pf_count == 0); > + > + write_cr4(read_cr4() | X86_CR4_SMAP); > + write_cr3(read_cr3()); > + > + init_test(0); > + (void)USER_VAR(test); > + report("read from user page with SMAP=1, AC=0, WP=0, PTE.U=1 && PTE.W=0", pf_count == 1 && save == 0x99); > +} > + > int main(int ac, char **av) > { > unsigned long i; > @@ -150,6 +174,8 @@ int main(int ac, char **av) > report("executing on user page with AC=0", pf_count == 0); > } > > + check_smap_nowp(); > + > // TODO: implicit kernel access from ring 3 (e.g. int) > > return report_summary(); >
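Review bot: in the first hunk, USER_ADDR(v) repeats the USER_BASE address arithmetic that USER_VAR(v) already encodes, so the two macros can drift apart if the user-alias layout ever changes; defining it in terms of the existing macro, e.g. `#define USER_ADDR(v) ((void *)&USER_VAR(v))`, keeps the offset in one place and also picks up the same parenthesisation of `v`.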
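Review bot: check_smap_nowp() in the second hunk clears CR0.WP, sets CR4.SMAP and clears PTE_WRITE on the user alias of `test`, but never restores any of them before returning, so everything that runs after the `check_smap_nowp();` call in main() (including whatever fills in the `// TODO: implicit kernel access from ring 3` slot) inherits WP=0 and a read-only user PTE; restoring the PTE bit, CR0.WP and CR4.SMAP at the end of the function, followed by a write_cr3(read_cr3()) flush as the function already does when changing them, would keep the test self-contained. Separately, the description says the bug occurs "if CR0.WP = 1" while the code and both report strings exercise WP=0 (`write_cr0(read_cr0() & ~X86_CR0_WP)`), so the commit message and the test should be brought into agreement on which WP value the scenario needs.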