diff options
author | Avi Kivity <avi@qumranet.com> | 2007-03-09 06:04:31 -0500 |
---|---|---|
committer | Avi Kivity <avi@qumranet.com> | 2007-03-18 04:49:09 -0400 |
commit | 27aba76615eeb36af84118e8ea6d35ffa51fd1e3 (patch) | |
tree | 8bd933f47eb91818c2e24cb10a4d820f0abea74e | |
parent | ac1b714e78c8f0b252f8d8872e6ce6f898a123b3 (diff) |
KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram
PAGE_MASK is an unsigned long, so using it to mask physical addresses on
i386 (which are 64-bit wide) leads to truncation. This can result in
page->private of unrelated memory pages being modified, with disasterous
results.
Fix by not using PAGE_MASK for physical addresses; instead calculate
the correct value directly from PAGE_SIZE. Also fix a similar BUG_ON().
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Avi Kivity <avi@qumranet.com>
-rw-r--r-- | drivers/kvm/mmu.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/kvm/mmu.c b/drivers/kvm/mmu.c index 2cb48937be44..e85b4c7c36f7 100644 --- a/drivers/kvm/mmu.c +++ b/drivers/kvm/mmu.c | |||
@@ -131,7 +131,7 @@ static int dbg = 1; | |||
131 | (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1)) | 131 | (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1)) |
132 | 132 | ||
133 | 133 | ||
134 | #define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & PAGE_MASK) | 134 | #define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1)) |
135 | #define PT64_DIR_BASE_ADDR_MASK \ | 135 | #define PT64_DIR_BASE_ADDR_MASK \ |
136 | (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1)) | 136 | (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1)) |
137 | 137 | ||
@@ -406,8 +406,8 @@ static void rmap_write_protect(struct kvm_vcpu *vcpu, u64 gfn) | |||
406 | spte = desc->shadow_ptes[0]; | 406 | spte = desc->shadow_ptes[0]; |
407 | } | 407 | } |
408 | BUG_ON(!spte); | 408 | BUG_ON(!spte); |
409 | BUG_ON((*spte & PT64_BASE_ADDR_MASK) != | 409 | BUG_ON((*spte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT |
410 | page_to_pfn(page) << PAGE_SHIFT); | 410 | != page_to_pfn(page)); |
411 | BUG_ON(!(*spte & PT_PRESENT_MASK)); | 411 | BUG_ON(!(*spte & PT_PRESENT_MASK)); |
412 | BUG_ON(!(*spte & PT_WRITABLE_MASK)); | 412 | BUG_ON(!(*spte & PT_WRITABLE_MASK)); |
413 | rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte); | 413 | rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte); |