Skip to content

Commit c604cff

Browse files
James Hoganrkrcmar
James Hogan
authored and
rkrcmar
committed
MIPS: KVM: Fix mapped fault broken commpage handling
kvm_mips_handle_mapped_seg_tlb_fault() appears to map the guest page at virtual address 0 to PFN 0 if the guest has created its own mapping there. The intention is unclear, but it may have been an attempt to protect the zero page from being mapped to anything but the comm page in code paths you wouldn't expect from genuine commpage accesses (guest kernel mode cache instructions on that address, hitting trapping instructions when executing from that address with a coincidental TLB eviction during the KVM handling, and guest user mode accesses to that address). Fix this to check for mappings exactly at KVM_GUEST_COMMPAGE_ADDR (it may not be at address 0 since commit 42aa12e ("MIPS: KVM: Move commpage so 0x0 is unmapped")), and set the corresponding EntryLo to be interpreted as 0 (invalid). Fixes: 858dd5d ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Cc: <stable@vger.kernel.org> # 3.10.x- Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
1 parent a28ebea commit c604cff

File tree

1 file changed

+28
-21
lines changed

1 file changed

+28
-21
lines changed

arch/mips/kvm/mmu.c

Lines changed: 28 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -138,35 +138,42 @@ int kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
138138
unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
139139
struct kvm *kvm = vcpu->kvm;
140140
kvm_pfn_t pfn0, pfn1;
141+
long tlb_lo[2];
141142
int ret;
142143

143-
if ((tlb->tlb_hi & VPN2_MASK) == 0) {
144-
pfn0 = 0;
145-
pfn1 = 0;
146-
} else {
147-
if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo[0])
148-
>> PAGE_SHIFT) < 0)
149-
return -1;
150-
151-
if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo[1])
152-
>> PAGE_SHIFT) < 0)
153-
return -1;
154-
155-
pfn0 = kvm->arch.guest_pmap[
156-
mips3_tlbpfn_to_paddr(tlb->tlb_lo[0]) >> PAGE_SHIFT];
157-
pfn1 = kvm->arch.guest_pmap[
158-
mips3_tlbpfn_to_paddr(tlb->tlb_lo[1]) >> PAGE_SHIFT];
159-
}
144+
tlb_lo[0] = tlb->tlb_lo[0];
145+
tlb_lo[1] = tlb->tlb_lo[1];
146+
147+
/*
148+
* The commpage address must not be mapped to anything else if the guest
149+
* TLB contains entries nearby, or commpage accesses will break.
150+
*/
151+
if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
152+
VPN2_MASK & (PAGE_MASK << 1)))
153+
tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
154+
155+
if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
156+
>> PAGE_SHIFT) < 0)
157+
return -1;
158+
159+
if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
160+
>> PAGE_SHIFT) < 0)
161+
return -1;
162+
163+
pfn0 = kvm->arch.guest_pmap[
164+
mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
165+
pfn1 = kvm->arch.guest_pmap[
166+
mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
160167

161168
/* Get attributes from the Guest TLB */
162169
entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) |
163170
((_page_cachable_default >> _CACHE_SHIFT) << ENTRYLO_C_SHIFT) |
164-
(tlb->tlb_lo[0] & ENTRYLO_D) |
165-
(tlb->tlb_lo[0] & ENTRYLO_V);
171+
(tlb_lo[0] & ENTRYLO_D) |
172+
(tlb_lo[0] & ENTRYLO_V);
166173
entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) |
167174
((_page_cachable_default >> _CACHE_SHIFT) << ENTRYLO_C_SHIFT) |
168-
(tlb->tlb_lo[1] & ENTRYLO_D) |
169-
(tlb->tlb_lo[1] & ENTRYLO_V);
175+
(tlb_lo[1] & ENTRYLO_D) |
176+
(tlb_lo[1] & ENTRYLO_V);
170177

171178
kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
172179
tlb->tlb_lo[0], tlb->tlb_lo[1]);

0 commit comments

Comments
 (0)