mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-11 04:54:13 +08:00
84e5ffd045
When shadowing 5-level NPT for 4-level NPT L1 guest, the root_sp is allocated with role.level = 5 and the guest pagetable's root gfn. And root_sp->spt[0] is also allocated with the same gfn and the same role except role.level = 4. Luckily that they are different shadow pages, but only root_sp->spt[0] is the real translation of the guest pagetable. Here comes a problem: If the guest switches from gCR4_LA57=0 to gCR4_LA57=1 (or vice verse) and uses the same gfn as the root page for nested NPT before and after switching gCR4_LA57. The host (hCR4_LA57=1) might use the same root_sp for the guest even the guest switches gCR4_LA57. The guest will see unexpected page mapped and L2 may exploit the bug and hurt L1. It is lucky that the problem can't hurt L0. And three special cases need to be handled: The root_sp should be like role.direct=1 sometimes: its contents are not backed by gptes, root_sp->gfns is meaningless. (For a normal high level sp in shadow paging, sp->gfns is often unused and kept zero, but it could be relevant and meaningful if sp->gfns is used because they are backed by concrete gptes.) For such root_sp in the case, root_sp is just a portal to contribute root_sp->spt[0], and root_sp->gfns should not be used and root_sp->spt[0] should not be dropped if gpte[0] of the guest root pagetable is changed. Such root_sp should not be accounted too. So add role.passthrough to distinguish the shadow pages in the hash when gCR4_LA57 is toggled and fix above special cases by using it in kvm_mmu_page_{get|set}_gfn() and sp_has_gptes(). Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com> Message-Id: <20220420131204.2850-3-jiangshanlai@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
||
---|---|---|
.. | ||
ABI | ||
accounting | ||
admin-guide | ||
arc | ||
arm | ||
arm64 | ||
block | ||
bpf | ||
cdrom | ||
core-api | ||
cpu-freq | ||
crypto | ||
dev-tools | ||
devicetree | ||
doc-guide | ||
driver-api | ||
fault-injection | ||
fb | ||
features | ||
filesystems | ||
firmware_class | ||
firmware-guide | ||
fpga | ||
gpu | ||
hid | ||
hwmon | ||
i2c | ||
ia64 | ||
ide | ||
iio | ||
infiniband | ||
input | ||
isdn | ||
kbuild | ||
kernel-hacking | ||
leds | ||
litmus-tests | ||
livepatch | ||
locking | ||
m68k | ||
maintainer | ||
mhi | ||
mips | ||
misc-devices | ||
netlabel | ||
networking | ||
nios2 | ||
nvdimm | ||
openrisc | ||
parisc | ||
PCI | ||
pcmcia | ||
peci | ||
power | ||
powerpc | ||
process | ||
RCU | ||
riscv | ||
s390 | ||
scheduler | ||
scsi | ||
security | ||
sh | ||
sound | ||
sparc | ||
sphinx | ||
sphinx-static | ||
spi | ||
staging | ||
target | ||
timers | ||
tools | ||
trace | ||
translations | ||
tty | ||
usb | ||
userspace-api | ||
virt | ||
vm | ||
w1 | ||
watchdog | ||
x86 | ||
xtensa | ||
.gitignore | ||
arch.rst | ||
asm-annotations.rst | ||
atomic_bitops.txt | ||
atomic_t.txt | ||
Changes | ||
CodingStyle | ||
conf.py | ||
COPYING-logo | ||
docutils.conf | ||
dontdiff | ||
index.rst | ||
Kconfig | ||
logo.gif | ||
Makefile | ||
memory-barriers.txt | ||
SubmittingPatches | ||
watch_queue.rst |