Commit 4391bd8a authored by Takuya Yoshikawa's avatar Takuya Yoshikawa Committed by Stefan Bader

KVM: x86: MMU: Make mmu_set_spte() return emulate value

mmu_set_spte()'s code is based on the assumption that the emulate
parameter has a valid pointer value if set_spte() returns true and
write_fault is not zero.  In other cases, emulate may be NULL, so a
NULL-check is needed.

Stop passing emulate pointer and make mmu_set_spte() return the emulate
value instead to clean up this complex interface.  Prefetch functions
can just throw away the return value.
Signed-off-by: default avatarTakuya Yoshikawa <yoshikawa_takuya_b1@lab.ntt.co.jp>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>

CVE-2018-12207

(cherry picked from commit 029499b4)
Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
parent 5c731275
...@@ -2580,13 +2580,13 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep, ...@@ -2580,13 +2580,13 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
return ret; return ret;
} }
static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, static bool mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, unsigned pte_access,
unsigned pte_access, int write_fault, int *emulate, int write_fault, int level, gfn_t gfn, pfn_t pfn,
int level, gfn_t gfn, pfn_t pfn, bool speculative, bool speculative, bool host_writable)
bool host_writable)
{ {
int was_rmapped = 0; int was_rmapped = 0;
int rmap_count; int rmap_count;
bool emulate = false;
pgprintk("%s: spte %llx write_fault %d gfn %llx\n", __func__, pgprintk("%s: spte %llx write_fault %d gfn %llx\n", __func__,
*sptep, write_fault, gfn); *sptep, write_fault, gfn);
...@@ -2616,12 +2616,12 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, ...@@ -2616,12 +2616,12 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
if (set_spte(vcpu, sptep, pte_access, level, gfn, pfn, speculative, if (set_spte(vcpu, sptep, pte_access, level, gfn, pfn, speculative,
true, host_writable)) { true, host_writable)) {
if (write_fault) if (write_fault)
*emulate = 1; emulate = true;
kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu); kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
} }
if (unlikely(is_mmio_spte(*sptep) && emulate)) if (unlikely(is_mmio_spte(*sptep)))
*emulate = 1; emulate = true;
pgprintk("%s: setting spte %llx\n", __func__, *sptep); pgprintk("%s: setting spte %llx\n", __func__, *sptep);
pgprintk("instantiating %s PTE (%s) at %llx (%llx) addr %p\n", pgprintk("instantiating %s PTE (%s) at %llx (%llx) addr %p\n",
...@@ -2640,6 +2640,8 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, ...@@ -2640,6 +2640,8 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
} }
kvm_release_pfn_clean(pfn); kvm_release_pfn_clean(pfn);
return emulate;
} }
static pfn_t pte_prefetch_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn, static pfn_t pte_prefetch_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn,
...@@ -2674,9 +2676,8 @@ static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu, ...@@ -2674,9 +2676,8 @@ static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
return -1; return -1;
for (i = 0; i < ret; i++, gfn++, start++) for (i = 0; i < ret; i++, gfn++, start++)
mmu_set_spte(vcpu, start, access, 0, NULL, mmu_set_spte(vcpu, start, access, 0, sp->role.level, gfn,
sp->role.level, gfn, page_to_pfn(pages[i]), page_to_pfn(pages[i]), true, true);
true, true);
return 0; return 0;
} }
...@@ -2738,9 +2739,9 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write, ...@@ -2738,9 +2739,9 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) { for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
if (iterator.level == level) { if (iterator.level == level) {
mmu_set_spte(vcpu, iterator.sptep, ACC_ALL, emulate = mmu_set_spte(vcpu, iterator.sptep, ACC_ALL,
write, &emulate, level, gfn, pfn, write, level, gfn, pfn, prefault,
prefault, map_writable); map_writable);
direct_pte_prefetch(vcpu, iterator.sptep); direct_pte_prefetch(vcpu, iterator.sptep);
++vcpu->stat.pf_fixed; ++vcpu->stat.pf_fixed;
break; break;
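Review bot: mmu_set_spte() now returns a value that the fault paths act on, but the new signature at the top of the first hunk carries no comment stating what true means; I would add above it `/* Returns true when the caller must emulate the faulting instruction: set_spte() returned non-zero under a write fault, or the resulting spte is an MMIO spte. */`. The MMIO check near the end of the function now sets emulate unconditionally where the old code first tested the pointer; that is correct because the prefetch callers discard the result, but a one-line comment there, `/* prefetch callers ignore the return value */`, would stop the next reader from re-adding a guard. In __direct_map the bool is stored into `emulate`, whose declaration is outside the hunk; presumably it is still an int, which preserves the 0/1 contract the callers' return statements rely on.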
...@@ -475,8 +475,8 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp, ...@@ -475,8 +475,8 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
* we call mmu_set_spte() with host_writable = true because * we call mmu_set_spte() with host_writable = true because
* pte_prefetch_gfn_to_pfn always gets a writable pfn. * pte_prefetch_gfn_to_pfn always gets a writable pfn.
*/ */
mmu_set_spte(vcpu, spte, pte_access, 0, NULL, PT_PAGE_TABLE_LEVEL, mmu_set_spte(vcpu, spte, pte_access, 0, PT_PAGE_TABLE_LEVEL, gfn, pfn,
gfn, pfn, true, true); true, true);
return true; return true;
} }
...@@ -556,7 +556,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr, ...@@ -556,7 +556,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
struct kvm_mmu_page *sp = NULL; struct kvm_mmu_page *sp = NULL;
struct kvm_shadow_walk_iterator it; struct kvm_shadow_walk_iterator it;
unsigned direct_access, access = gw->pt_access; unsigned direct_access, access = gw->pt_access;
int top_level, emulate = 0; int top_level, emulate;
direct_access = gw->pte_access; direct_access = gw->pte_access;
...@@ -622,7 +622,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr, ...@@ -622,7 +622,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
} }
clear_sp_write_flooding_count(it.sptep); clear_sp_write_flooding_count(it.sptep);
mmu_set_spte(vcpu, it.sptep, gw->pte_access, write_fault, &emulate, emulate = mmu_set_spte(vcpu, it.sptep, gw->pte_access, write_fault,
it.level, gw->gfn, pfn, prefault, map_writable); it.level, gw->gfn, pfn, prefault, map_writable);
FNAME(pte_prefetch)(vcpu, gw, it.sptep); FNAME(pte_prefetch)(vcpu, gw, it.sptep);
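Review bot: Dropping the initializer in `int top_level, emulate;` in FNAME(fetch) means emulate is only defined once the `emulate = mmu_set_spte(...)` assignment in the second hunk runs; any early exit between the declaration and that assignment that returns emulate would read an uninitialized int. The function body between the two hunks and its return sites are outside this section, so I cannot confirm that every such exit returns a constant instead; if any does not, keep `int top_level, emulate = 0;`. Either way a short comment above the assignment, `/* emulate is only meaningful after the final mmu_set_spte() */`, would record the invariant the uninitialized declaration now relies on.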