KVM: Avoid killing userspace through guest SRAO MCE on unmapped pages

In common cases, guest SRAO MCE will cause corresponding poisoned page be un-mapped and SIGBUS be sent to QEMU-KVM, then QEMU-KVM will relay the MCE to guest OS. But it is reported that if the poisoned page is accessed in guest after unmapping and before MCE is relayed to guest OS, userspace will be killed. The reason is as follows. Because poisoned page has been un-mapped, guest access will cause guest exit and kvm_mmu_page_fault will be called. kvm_mmu_page_fault can not get the poisoned page for fault address, so kernel and user space MMIO processing is tried in turn. In user MMIO processing, poisoned page is accessed again, then userspace is killed by force_sig_info. To fix the bug, kvm_mmu_page_fault send HWPOISON signal to QEMU-KVM and do not try kernel and user space MMIO processing for poisoned page. [xiao: fix warning introduced by avi] Reported-by: Max Asbock <masbock@linux.vnet.ibm.com> Signed-off-by: Huang Ying <ying.huang@intel.com> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com>
author: Huang Ying <ying.huang@intel.com> 2010-05-31 02:28:19 -0400
committer: Avi Kivity <avi@redhat.com> 2010-08-01 03:35:26 -0400
commit: bf998156d24bcb127318ad5bf531ac3bdfcd6449 (patch)
tree: 616c19474d7cb626ff9eebc54f6753563a4322cd /arch/x86/kvm/mmu.c
parent: 540ad6b62b3a188a53b51cac81d8a60d40e29fbd (diff)
1 files changed, 26 insertions, 8 deletions
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index b1ed0a1a5913..b666d8d106a9 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -32,6 +32,7 @@
 #include <linux/compiler.h>
 #include <linux/srcu.h>
 #include <linux/slab.h>
+#include <linux/uaccess.h>
 #include <asm/page.h>
 #include <asm/cmpxchg.h>
@@ -1960,6 +1961,27 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
        return pt_write;
 }
+static void kvm_send_hwpoison_signal(struct kvm *kvm, gfn_t gfn)
+{
+        char buf[1];
+        void __user *hva;
+        int r;
+        /* Touch the page, so send SIGBUS */
+        hva = (void __user *)gfn_to_hva(kvm, gfn);
+        r = copy_from_user(buf, hva, 1);
+}
+static int kvm_handle_bad_page(struct kvm *kvm, gfn_t gfn, pfn_t pfn)
+{
+        kvm_release_pfn_clean(pfn);
+        if (is_hwpoison_pfn(pfn)) {
+                kvm_send_hwpoison_signal(kvm, gfn);
+                return 0;
+        }
+        return 1;
+}
 static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
 {
        int r;
@@ -1983,10 +2005,8 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
        pfn = gfn_to_pfn(vcpu->kvm, gfn);
        /* mmio */
-        if (is_error_pfn(pfn)) {
+        if (is_error_pfn(pfn))
-                kvm_release_pfn_clean(pfn);
+                return kvm_handle_bad_page(vcpu->kvm, gfn, pfn);
-                return 1;
-        }
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu, mmu_seq))
@@ -2198,10 +2218,8 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
        mmu_seq = vcpu->kvm->mmu_notifier_seq;
        smp_rmb();
        pfn = gfn_to_pfn(vcpu->kvm, gfn);
-        if (is_error_pfn(pfn)) {
+        if (is_error_pfn(pfn))
-                kvm_release_pfn_clean(pfn);
+                return kvm_handle_bad_page(vcpu->kvm, gfn, pfn);
-                return 1;
-        }
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu, mmu_seq))
                goto out_unlock;
author	Huang Ying <ying.huang@intel.com>	2010-05-31 02:28:19 -0400
committer	Avi Kivity <avi@redhat.com>	2010-08-01 03:35:26 -0400
commit	bf998156d24bcb127318ad5bf531ac3bdfcd6449 (patch)
tree	616c19474d7cb626ff9eebc54f6753563a4322cd /arch/x86/kvm/mmu.c
parent	540ad6b62b3a188a53b51cac81d8a60d40e29fbd (diff)