From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org, greg@kroah.com
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
avi@redhat.com, mtosatti@redhat.com,
Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Subject: [17/45] KVM: MMU: fix conflict access permissions in direct sp
Date: Fri, 19 Nov 2010 13:42:57 -0800
Message-ID: <20101119214410.822848883@clark.site>
In-Reply-To: <20101119214439.GA26350@kroah.com>
2.6.32-stable review patch. If anyone has any objections, please let us know.
------------------
From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
commit 5fd5387c89ec99ff6cb82d2477ffeb7211b781c2 upstream.
In no-direct mapping, we mark sp is 'direct' when we mapping the
guest's larger page, but its access is encoded from upper page-struct
entire not include the last mapping, it will cause access conflict.
For example, have this mapping:
        [W]
      / PDE1 -> |---|
P[W]            |   | LPA
      \ PDE2 -> |---|
        [R]
P have two children, PDE1 and PDE2, both PDE1 and PDE2 mapping the
same large page (LPA). The P's access is WR, PDE1's access is WR,
PDE2's access is RO (just consider read-write permissions here).
When guest access PDE1, we will create a direct sp for LPA, the sp's
access is from P, is W, then we will mark the ptes is W in this sp.
Then, guest access PDE2, we will find LPA's shadow page, is the same as
PDE's, and mark the ptes is RO.
So, if guest access PDE1, the incorrect #PF is occurred.
Fixed by encode the last mapping access into direct shadow page
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kvm/paging_tmpl.h | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -360,6 +360,7 @@ static u64 *FNAME(fetch)(struct kvm_vcpu
/* advance table_gfn when emulating 1gb pages with 4k */
if (delta == 0)
table_gfn += PT_INDEX(addr, level);
+ access &= gw->pte_access;
} else {
direct = 0;
table_gfn = gw->table_gfn[level - 2];
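Review bot: the added `access &= gw->pte_access;` at the end of the direct branch carries no comment, unlike the `table_gfn` adjustment just above it, so nothing in the code says why `access` is narrowed at this point. A one-line comment stating that a direct sp's access must also include the last mapping's permissions, so that two PDEs with different permissions mapping the same large page do not end up on one shadow page, would keep the line from being read as redundant and dropped later. It is also worth confirming that the statement sits outside the body of `if (delta == 0)`, since the commit message describes the fix as applying to every direct sp rather than only to the case that adjusts `table_gfn`.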