Patchwork [1/4] KVM: MMU: nuke shadowed pgtable pages and ptes on memslot destruction

login
register
mail settings
Submitter Herton Ronaldo Krzesinski
Date June 29, 2012, 4:32 p.m.
Message ID <1340987524-22261-2-git-send-email-herton.krzesinski@canonical.com>
Download mbox | patch
Permalink /patch/168176/
State New
Headers show

Comments

Herton Ronaldo Krzesinski - June 29, 2012, 4:32 p.m.
From: Marcelo Tosatti <mtosatti@redhat.com>

CVE-2012-1601

BugLink: http://bugs.launchpad.net/bugs/971685

Flush the shadow mmu before removing regions to avoid stale entries.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@qumranet.com>
(backported from commit 34d4cb8fca1f2a31be152b74797e6cd160ec9de6 upstream)
[ herton: rediffed and dropped powerpc/ia64/s390 changes, since kvm for
  these architectures aren't available on hardy/2.6.24 ]
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 arch/x86/kvm/x86.c                                 |    5 +++++
 .../binary-custom.d/openvz/src/arch/x86/kvm/x86.c  |    5 +++++
 .../openvz/src/include/linux/kvm_host.h            |    1 +
 .../binary-custom.d/openvz/src/virt/kvm/kvm_main.c |    3 +++
 debian/binary-custom.d/xen/src/arch/x86/kvm/x86.c  |    5 +++++
 .../xen/src/include/linux/kvm_host.h               |    1 +
 debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c |    3 +++
 include/linux/kvm_host.h                           |    1 +
 virt/kvm/kvm_main.c                                |    3 +++
 9 files changed, 27 insertions(+)

Patch

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2085040..9331b67 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3496,6 +3496,11 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 	return 0;
 }
 
+void kvm_arch_flush_shadow(struct kvm *kvm)
+{
+	kvm_mmu_zap_all(kvm);
+}
+
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
 	return vcpu->arch.mp_state == VCPU_MP_STATE_RUNNABLE
diff --git a/debian/binary-custom.d/openvz/src/arch/x86/kvm/x86.c b/debian/binary-custom.d/openvz/src/arch/x86/kvm/x86.c
index 2085040..9331b67 100644
--- a/debian/binary-custom.d/openvz/src/arch/x86/kvm/x86.c
+++ b/debian/binary-custom.d/openvz/src/arch/x86/kvm/x86.c
@@ -3496,6 +3496,11 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 	return 0;
 }
 
+void kvm_arch_flush_shadow(struct kvm *kvm)
+{
+	kvm_mmu_zap_all(kvm);
+}
+
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
 	return vcpu->arch.mp_state == VCPU_MP_STATE_RUNNABLE
diff --git a/debian/binary-custom.d/openvz/src/include/linux/kvm_host.h b/debian/binary-custom.d/openvz/src/include/linux/kvm_host.h
index 958e003..588e4f9 100644
--- a/debian/binary-custom.d/openvz/src/include/linux/kvm_host.h
+++ b/debian/binary-custom.d/openvz/src/include/linux/kvm_host.h
@@ -172,6 +172,7 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 				struct kvm_userspace_memory_region *mem,
 				struct kvm_memory_slot old,
 				int user_alloc);
+void kvm_arch_flush_shadow(struct kvm *kvm);
 gfn_t unalias_gfn(struct kvm *kvm, gfn_t gfn);
 struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn);
 unsigned long gfn_to_hva(struct kvm *kvm, gfn_t gfn);
diff --git a/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c b/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
index 240156e..2a4bdbd 100644
--- a/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
+++ b/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
@@ -358,6 +358,9 @@  int __kvm_set_memory_region(struct kvm *kvm,
 	if (mem->slot >= kvm->nmemslots)
 		kvm->nmemslots = mem->slot + 1;
 
+	if (!npages)
+		kvm_arch_flush_shadow(kvm);
+
 	*memslot = new;
 
 	r = kvm_arch_set_memory_region(kvm, mem, old, user_alloc);
diff --git a/debian/binary-custom.d/xen/src/arch/x86/kvm/x86.c b/debian/binary-custom.d/xen/src/arch/x86/kvm/x86.c
index 2085040..9331b67 100644
--- a/debian/binary-custom.d/xen/src/arch/x86/kvm/x86.c
+++ b/debian/binary-custom.d/xen/src/arch/x86/kvm/x86.c
@@ -3496,6 +3496,11 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 	return 0;
 }
 
+void kvm_arch_flush_shadow(struct kvm *kvm)
+{
+	kvm_mmu_zap_all(kvm);
+}
+
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
 	return vcpu->arch.mp_state == VCPU_MP_STATE_RUNNABLE
diff --git a/debian/binary-custom.d/xen/src/include/linux/kvm_host.h b/debian/binary-custom.d/xen/src/include/linux/kvm_host.h
index 958e003..588e4f9 100644
--- a/debian/binary-custom.d/xen/src/include/linux/kvm_host.h
+++ b/debian/binary-custom.d/xen/src/include/linux/kvm_host.h
@@ -172,6 +172,7 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 				struct kvm_userspace_memory_region *mem,
 				struct kvm_memory_slot old,
 				int user_alloc);
+void kvm_arch_flush_shadow(struct kvm *kvm);
 gfn_t unalias_gfn(struct kvm *kvm, gfn_t gfn);
 struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn);
 unsigned long gfn_to_hva(struct kvm *kvm, gfn_t gfn);
diff --git a/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c b/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
index 240156e..2a4bdbd 100644
--- a/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
+++ b/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
@@ -358,6 +358,9 @@  int __kvm_set_memory_region(struct kvm *kvm,
 	if (mem->slot >= kvm->nmemslots)
 		kvm->nmemslots = mem->slot + 1;
 
+	if (!npages)
+		kvm_arch_flush_shadow(kvm);
+
 	*memslot = new;
 
 	r = kvm_arch_set_memory_region(kvm, mem, old, user_alloc);
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 958e003..588e4f9 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -172,6 +172,7 @@  int kvm_arch_set_memory_region(struct kvm *kvm,
 				struct kvm_userspace_memory_region *mem,
 				struct kvm_memory_slot old,
 				int user_alloc);
+void kvm_arch_flush_shadow(struct kvm *kvm);
 gfn_t unalias_gfn(struct kvm *kvm, gfn_t gfn);
 struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn);
 unsigned long gfn_to_hva(struct kvm *kvm, gfn_t gfn);
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 240156e..2a4bdbd 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -358,6 +358,9 @@  int __kvm_set_memory_region(struct kvm *kvm,
 	if (mem->slot >= kvm->nmemslots)
 		kvm->nmemslots = mem->slot + 1;
 
+	if (!npages)
+		kvm_arch_flush_shadow(kvm);
+
 	*memslot = new;
 
 	r = kvm_arch_set_memory_region(kvm, mem, old, user_alloc);