Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

kvm: mmu: Fix race in emulated page table writes

When a guest page table is updated via an emulated write,
kvm_mmu_pte_write() is called to update the shadow PTE using the just
written guest PTE value. But if two emulated guest PTE writes happened
concurrently, it is possible that the guest PTE and the shadow PTE end
up being out of sync. Emulated writes do not mark the shadow page as
unsync-ed, so this inconsistency will not be resolved even by a guest TLB
flush (unless the page was marked as unsync-ed at some other point).

This is fixed by re-reading the current value of the guest PTE after the
MMU lock has been acquired instead of just using the value that was
written prior to calling kvm_mmu_pte_write().

Signed-off-by: Junaid Shahid <junaids@google.com>
Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Junaid Shahid 6 years ago
parent
52ad7eb3d6
commit
0e0fee5c53
1 changed files with 9 additions and 18 deletions
Unified View Show Diff Stats
  1. 9 18
      arch/x86/kvm/mmu.c

+ 9 - 18
arch/x86/kvm/mmu.c
View File 

@@ -5074,9 +5074,9 @@ static bool need_remote_flush(u64 old, u64 new)
 
 }
 
 }
 
 
 
 static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
 
 static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
 
-				    const u8 *new, int *bytes)
 
+				    int *bytes)
 
 {
 
 {
 
-	u64 gentry;
 
+	u64 gentry = 0;
 
 	int r;
 
 	int r;
 
 
 
 	/*
 
 	/*
 
@@ -5088,22 +5088,12 @@ static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
 
 		/* Handle a 32-bit guest writing two halves of a 64-bit gpte */
 
 		/* Handle a 32-bit guest writing two halves of a 64-bit gpte */
 
 		*gpa &= ~(gpa_t)7;
 
 		*gpa &= ~(gpa_t)7;
 
 		*bytes = 8;
 
 		*bytes = 8;
 
-		r = kvm_vcpu_read_guest(vcpu, *gpa, &gentry, 8);
 
-		if (r)
 
-			gentry = 0;
 
-		new = (const u8 *)&gentry;
 
 	}
 
 	}
 
 
 
-	switch (*bytes) {
 
-	case 4:
 
-		gentry = *(const u32 *)new;
 
-		break;
 
-	case 8:
 
-		gentry = *(const u64 *)new;
 
-		break;
 
-	default:
 
-		gentry = 0;
 
-		break;
 
+	if (*bytes == 4 || *bytes == 8) {
 
+		r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes);
 
+		if (r)
 
+			gentry = 0;
 
 	}
 
 	}
 
 
 
 	return gentry;
 
 	return gentry;
 
@@ -5207,8 +5197,6 @@ static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
 
 
 
 	pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
 
 	pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
 
 
 
-	gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, new, &bytes);
 
-
 
 	/*
 
 	/*
 
 	 * No need to care whether allocation memory is successful
 
 	 * No need to care whether allocation memory is successful
 
 	 * or not since pte prefetch is skiped if it does not have
 
 	 * or not since pte prefetch is skiped if it does not have
 
@@ -5217,6 +5205,9 @@ static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
 
 	mmu_topup_memory_caches(vcpu);
 
 	mmu_topup_memory_caches(vcpu);
 
 
 
 	spin_lock(&vcpu->kvm->mmu_lock);
 
 	spin_lock(&vcpu->kvm->mmu_lock);
 
+
 
+	gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
 
+
 
 	++vcpu->kvm->stat.mmu_pte_write;
 
 	++vcpu->kvm->stat.mmu_pte_write;
 
 	kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);
 
 	kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);