diff options
| author | Xiao Guangrong <guangrong.xiao@linux.intel.com> | 2015-05-11 10:55:21 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2015-05-11 11:17:50 -0400 |
| commit | 0be0226f07d14b153a5eedf2bb86e1eb7dcefab5 (patch) | |
| tree | a69e9c24597cd620922617e6315ba07b7bd63ca3 /Documentation | |
| parent | 898761158be7682082955e3efa4ad24725305fc7 (diff) | |
KVM: MMU: fix SMAP virtualization
KVM may turn a user page to a kernel page when kernel writes a readonly
user page if CR0.WP = 1. This shadow page entry will be reused after
SMAP is enabled so that kernel is allowed to access this user page
Fix it by setting SMAP && !CR0.WP into shadow page's role and reset mmu
once CR4.SMAP is updated
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/virtual/kvm/mmu.txt | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt index 53838d9c6295..c59bd9bc41ef 100644 --- a/Documentation/virtual/kvm/mmu.txt +++ b/Documentation/virtual/kvm/mmu.txt | |||
| @@ -169,6 +169,10 @@ Shadow pages contain the following information: | |||
| 169 | Contains the value of cr4.smep && !cr0.wp for which the page is valid | 169 | Contains the value of cr4.smep && !cr0.wp for which the page is valid |
| 170 | (pages for which this is true are different from other pages; see the | 170 | (pages for which this is true are different from other pages; see the |
| 171 | treatment of cr0.wp=0 below). | 171 | treatment of cr0.wp=0 below). |
| 172 | role.smap_andnot_wp: | ||
| 173 | Contains the value of cr4.smap && !cr0.wp for which the page is valid | ||
| 174 | (pages for which this is true are different from other pages; see the | ||
| 175 | treatment of cr0.wp=0 below). | ||
| 172 | gfn: | 176 | gfn: |
| 173 | Either the guest page table containing the translations shadowed by this | 177 | Either the guest page table containing the translations shadowed by this |
| 174 | page, or the base page frame for linear translations. See role.direct. | 178 | page, or the base page frame for linear translations. See role.direct. |
| @@ -344,10 +348,16 @@ on fault type: | |||
| 344 | 348 | ||
| 345 | (user write faults generate a #PF) | 349 | (user write faults generate a #PF) |
| 346 | 350 | ||
| 347 | In the first case there is an additional complication if CR4.SMEP is | 351 | In the first case there are two additional complications: |
| 348 | enabled: since we've turned the page into a kernel page, the kernel may now | 352 | - if CR4.SMEP is enabled: since we've turned the page into a kernel page, |
| 349 | execute it. We handle this by also setting spte.nx. If we get a user | 353 | the kernel may now execute it. We handle this by also setting spte.nx. |
| 350 | fetch or read fault, we'll change spte.u=1 and spte.nx=gpte.nx back. | 354 | If we get a user fetch or read fault, we'll change spte.u=1 and |
| 355 | spte.nx=gpte.nx back. | ||
| 356 | - if CR4.SMAP is disabled: since the page has been changed to a kernel | ||
| 357 | page, it can not be reused when CR4.SMAP is enabled. We set | ||
| 358 | CR4.SMAP && !CR0.WP into shadow page's role to avoid this case. Note, | ||
| 359 | here we do not care the case that CR4.SMAP is enabled since KVM will | ||
| 360 | directly inject #PF to guest due to failed permission check. | ||
| 351 | 361 | ||
| 352 | To prevent an spte that was converted into a kernel page with cr0.wp=0 | 362 | To prevent an spte that was converted into a kernel page with cr0.wp=0 |
| 353 | from being written by the kernel after cr0.wp has changed to 1, we make | 363 | from being written by the kernel after cr0.wp has changed to 1, we make |