lguest: fix guest crash on non-linear addresses in gdt pvops

Fixes guest crash 'lguest: bad read address 0x4800000 len 256' The new per-cpu allocator ends up handing a non-linear address to write_gdt_entry. We do __pa() on it, and hand it to the host, which kills us. I've long wanted to make the hypercall "LOAD_GDT_ENTRY" to match the IDT code, but had no pressing reason until now. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Cc: lguest@ozlabs.org
author: Rusty Russell <rusty@rustcorp.com.au> 2009-04-20 01:14:00 -0400
committer: Rusty Russell <rusty@rustcorp.com.au> 2009-04-19 09:44:01 -0400
commit: a489f0b555b753f9df8ddc24c7e74f657ef7ee7b (patch)
tree: 560bd8c56524b658eb0b46e03ef42e262eb5f9b7 /drivers/lguest
parent: 88df781afb788fa588dbf2e77f205214022a8893 (diff)
3 files changed, 11 insertions, 9 deletions
diff --git a/drivers/lguest/lg.h b/drivers/lguest/lg.h
index ac8a4a3741b8..af92a176697f 100644
--- a/drivers/lguest/lg.h
+++ b/drivers/lguest/lg.h
@@ -158,7 +158,8 @@ void free_interrupts(void);
 /* segments.c: */
 void setup_default_gdt_entries(struct lguest_ro_state *state);
 void setup_guest_gdt(struct lg_cpu *cpu);
-void load_guest_gdt(struct lg_cpu *cpu, unsigned long table, u32 num);
+void load_guest_gdt_entry(struct lg_cpu *cpu, unsigned int i,
+                          u32 low, u32 hi);
 void guest_load_tls(struct lg_cpu *cpu, unsigned long tls_array);
 void copy_gdt(const struct lg_cpu *cpu, struct desc_struct *gdt);
 void copy_gdt_tls(const struct lg_cpu *cpu, struct desc_struct *gdt);
diff --git a/drivers/lguest/segments.c b/drivers/lguest/segments.c
index 4f15439b7f12..7ede64ffeef9 100644
--- a/drivers/lguest/segments.c
+++ b/drivers/lguest/segments.c
@@ -144,18 +144,19 @@ void copy_gdt(const struct lg_cpu *cpu, struct desc_struct *gdt)
                        gdt[i] = cpu->arch.gdt[i];
 }
-/*H:620 This is where the Guest asks us to load a new GDT (LHCALL_LOAD_GDT).
+/*H:620 This is where the Guest asks us to load a new GDT entry
- * We copy it from the Guest and tweak the entries. */
+ * (LHCALL_LOAD_GDT_ENTRY).  We tweak the entry and copy it in. */
-void load_guest_gdt(struct lg_cpu *cpu, unsigned long table, u32 num)
+void load_guest_gdt_entry(struct lg_cpu *cpu, u32 num, u32 lo, u32 hi)
 {
        /* We assume the Guest has the same number of GDT entries as the
         * Host, otherwise we'd have to dynamically allocate the Guest GDT. */
        if (num > ARRAY_SIZE(cpu->arch.gdt))
                kill_guest(cpu, "too many gdt entries %i", num);
-        /* We read the whole thing in, then fix it up. */
+        /* Set it up, then fix it. */
-        __lgread(cpu, cpu->arch.gdt, table, num * sizeof(cpu->arch.gdt[0]));
+        cpu->arch.gdt[num].a = lo;
-        fixup_gdt_table(cpu, 0, ARRAY_SIZE(cpu->arch.gdt));
+        cpu->arch.gdt[num].b = hi;
+        fixup_gdt_table(cpu, num, num+1);
        /* Mark that the GDT changed so the core knows it has to copy it again,
         * even if the Guest is run on the same CPU. */
        cpu->changed |= CHANGED_GDT;
diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
index d6d7ac0982ab..1a83910f674f 100644
--- a/drivers/lguest/x86/core.c
+++ b/drivers/lguest/x86/core.c
@@ -568,8 +568,8 @@ void __exit lguest_arch_host_fini(void)
 int lguest_arch_do_hcall(struct lg_cpu *cpu, struct hcall_args *args)
 {
        switch (args->arg0) {
-        case LHCALL_LOAD_GDT:
+        case LHCALL_LOAD_GDT_ENTRY:
-                load_guest_gdt(cpu, args->arg1, args->arg2);
+                load_guest_gdt_entry(cpu, args->arg1, args->arg2, args->arg3);
                break;
        case LHCALL_LOAD_IDT_ENTRY:
                load_guest_idt_entry(cpu, args->arg1, args->arg2, args->arg3);
author	Rusty Russell <rusty@rustcorp.com.au>	2009-04-20 01:14:00 -0400
committer	Rusty Russell <rusty@rustcorp.com.au>	2009-04-19 09:44:01 -0400
commit	a489f0b555b753f9df8ddc24c7e74f657ef7ee7b (patch)
tree	560bd8c56524b658eb0b46e03ef42e262eb5f9b7 /drivers/lguest
parent	88df781afb788fa588dbf2e77f205214022a8893 (diff)