linux/Documentation
Lai Jiangshan 84e5ffd045 KVM: X86/MMU: Fix shadowing 5-level NPT for 4-level NPT L1 guest
When shadowing 5-level NPT for 4-level NPT L1 guest, the root_sp is
allocated with role.level = 5 and the guest pagetable's root gfn.

And root_sp->spt[0] is also allocated with the same gfn and the same
role except role.level = 4.  Luckily that they are different shadow
pages, but only root_sp->spt[0] is the real translation of the guest
pagetable.

Here comes a problem:

If the guest switches from gCR4_LA57=0 to gCR4_LA57=1 (or vice versa)
and uses the same gfn as the root page for nested NPT before and after
switching gCR4_LA57, the host (hCR4_LA57=1) might use the same root_sp
for the guest even though the guest switches gCR4_LA57.  The guest will see
an unexpected page mapped, and L2 may exploit the bug and hurt L1.  It is
lucky that the problem can't hurt L0.

And three special cases need to be handled:

The root_sp should be like role.direct=1 sometimes: its contents are
not backed by gptes, root_sp->gfns is meaningless.  (For a normal high
level sp in shadow paging, sp->gfns is often unused and kept zero, but
it could be relevant and meaningful if sp->gfns is used because they
are backed by concrete gptes.)

For such a root_sp in this case, root_sp is just a portal to contribute
root_sp->spt[0], and root_sp->gfns should not be used and
root_sp->spt[0] should not be dropped if gpte[0] of the guest root
pagetable is changed.

Such a root_sp should not be accounted either.

So add role.passthrough to distinguish the shadow pages in the hash
when gCR4_LA57 is toggled and fix the above special cases by using it in
kvm_mmu_page_{get|set}_gfn() and sp_has_gptes().

Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Message-Id: <20220420131204.2850-3-jiangshanlai@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-29 12:50:00 -04:00
ABI libnvdimm for 5.18 2022-03-30 10:04:11 -07:00
accounting - A bunch of fixes: forced idle time accounting, utilization values 2022-01-23 17:35:27 +02:00
admin-guide Random number generator fixes for Linux 5.18-rc1. 2022-03-31 14:51:34 -07:00
arc
arm Documentation: arm: marvell: Extend Avanta list 2022-01-27 11:22:34 -07:00
arm64 Merge branch 'for-next/mte' into for-next/core 2022-03-14 19:01:23 +00:00
block block: remove biodoc.rst 2022-02-15 07:47:52 -07:00
bpf docs: netdev: move the netdev-FAQ to the process pages 2022-03-31 10:49:39 +02:00
cdrom Documentation: Fix links for udftools project and pktcdvd tool 2022-02-15 16:15:33 -07:00
core-api XArray update for 5.18: 2022-04-01 13:40:44 -07:00
cpu-freq cpufreq: Reintroduce ready() callback 2022-02-09 13:18:49 +05:30
crypto
dev-tools Some late-arriving documentation improvements. This is mostly build-system 2022-03-31 12:10:42 -07:00
devicetree dt-bindings: Fix phandle-array issues in the idle-states bindings 2022-04-01 15:09:50 -07:00
doc-guide
driver-api libnvdimm for 5.18 2022-03-30 10:04:11 -07:00
fault-injection
fb
features nds32: Remove the architecture 2022-03-07 13:54:59 +01:00
filesystems six ksmbd server fixes 2022-04-01 14:39:28 -07:00
firmware_class
firmware-guide Merge branch 'i2c/for-mergewindow' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2022-03-26 12:46:08 -07:00
fpga
gpu pci-v5.18-changes 2022-03-25 13:02:05 -07:00
hid
hwmon Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
i2c i2c: i801: Add support for Intel Raptor Lake PCH-S 2022-02-15 10:03:40 +01:00
ia64
ide
iio
infiniband
input Input: docs: add more details on the use of BTN_TOOL 2022-03-01 15:46:03 +01:00
isdn
kbuild kbuild: Make $(LLVM) more flexible 2022-03-31 12:03:46 +09:00
kernel-hacking docs: fix typo in Documentation/kernel-hacking/locking.rst 2022-01-27 11:22:33 -07:00
leds
litmus-tests
livepatch
locking Documentation: Fix duplicate statement about raw_spinlock_t type 2022-03-25 13:30:08 -06:00
m68k
maintainer Some late-arriving documentation improvements. This is mostly build-system 2022-03-31 12:10:42 -07:00
mhi
mips
misc-devices
netlabel
networking docs: netdev: move the netdev-FAQ to the process pages 2022-03-31 10:49:39 +02:00
nios2
nvdimm
openrisc
parisc
PCI PCI/doc: cleanup references to the legacy PCI DMA API 2022-03-30 16:54:24 +02:00
pcmcia
peci docs: Add PECI documentation 2022-02-09 08:04:44 +01:00
power Documentation: EM: Describe new registration method using DT 2022-03-03 09:35:04 +05:30
powerpc
process docs: netdev: move the netdev-FAQ to the process pages 2022-03-31 10:49:39 +02:00
RCU
riscv Documentation: riscv: remove non-existent directory from table of contents 2022-03-31 16:18:56 -07:00
s390
scheduler Changes in this cycle were: 2022-03-22 14:39:12 -07:00
scsi scsi: ufs: docs: UFS documentation corrections 2022-03-08 22:49:49 -05:00
security selinux/stable-5.18 PR 20220321 2022-03-21 20:47:54 -07:00
sh
sound ALSA: hda/realtek: Add alc256-samsung-headphone fixup 2022-03-22 21:51:02 +01:00
sparc
sphinx docs: sphinx/requirements: Limit jinja2<3.1 2022-03-30 13:44:54 -06:00
sphinx-static
spi spi: pxa2xx_spi: Convert to use GPIO descriptors 2022-01-31 15:17:27 +00:00
staging remoteproc: Change rproc_shutdown() to return a status 2022-03-11 14:31:55 -06:00
target
timers
tools Real Time Analysis Tool updates for 5.18 2022-03-23 11:08:10 -07:00
trace Updates to Tracing: 2022-04-03 12:26:01 -07:00
translations Kbuild -std=gnu11 updates for v5.18 2022-03-25 11:48:01 -07:00
tty
usb usb: gadget: f_uac2: Optionally determine bInterval for HS and SS 2022-01-31 14:26:18 +01:00
userspace-api platform-drivers-x86 for v5.18-1 2022-03-25 12:14:39 -07:00
virt KVM: X86/MMU: Fix shadowing 5-level NPT for 4-level NPT L1 guest 2022-04-29 12:50:00 -04:00
vm doc/vm/page_owner.rst: remove content related to -c option 2022-04-01 11:46:09 -07:00
w1
watchdog
x86 - More noinstr fixes 2022-03-25 12:34:53 -07:00
xtensa
.gitignore
arch.rst
asm-annotations.rst linkage: remove SYM_FUNC_{START,END}_ALIAS() 2022-02-22 16:21:34 +00:00
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py docs: pdfdocs: Pull LaTeX preamble part out of conf.py 2022-02-24 12:26:13 -07:00
COPYING-logo
docutils.conf
dontdiff
index.rst docs: Add PECI documentation 2022-02-09 08:04:44 +01:00
Kconfig
logo.gif
Makefile docs: Makefile: Add -no-shell-escape option to LATEXOPTS 2022-02-14 12:50:17 -07:00
memory-barriers.txt
SubmittingPatches
watch_queue.rst