rpms/kernel/F-13 kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch, NONE, 1.1 kernel.spec, 1.2108, 1.2109

Thu Jul 22 12:12:04 UTC 2010

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv11015

Modified Files:
	kernel.spec 
Added Files:
	kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch 
Log Message:
kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch:
  Fix crash in guest Python programs (#610911)

kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch:
 paging_tmpl.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch ---
>From 567b1bbf982637ce3f0ac8597af91ae8106648c8 Mon Sep 17 00:00:00 2001
From: Xiao Guangrong <xiaoguangrong at cn.fujitsu.com>
Date: Wed, 30 Jun 2010 16:02:45 +0800
Subject: [PATCH] KVM: MMU: fix conflict access permissions in direct sp

In no-direct mapping, we mark sp is 'direct' when we mapping the
guest's larger page, but its access is encoded form upper page-struct
entire not include the last mapping, it will cause access conflict.

For example, have this mapping:
        [W]
      / PDE1 -> |---|
  P[W]          |   | LPA
      \ PDE2 -> |---|
        [R]

P have two children, PDE1 and PDE2, both PDE1 and PDE2 mapping the
same lage page(LPA). The P's access is WR, PDE1's access is WR,
PDE2's access is RO(just consider read-write permissions here)

When guest access PDE1, we will create a direct sp for LPA, the sp's
access is from P, is W, then we will mark the ptes is W in this sp.

Then, guest access PDE2, we will find LPA's shadow page, is the same as
PDE's, and mark the ptes is RO.

So, if guest access PDE1, the incorrect #PF is occured.

Fixed by encode the last mapping access into direct shadow page

Signed-off-by: Xiao Guangrong <xiaoguangrong at cn.fujitsu.com>
Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
---
 arch/x86/kvm/paging_tmpl.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index ede2131..b473c0f 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -336,6 +336,7 @@ static u64 *FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 			/* advance table_gfn when emulating 1gb pages with 4k */
 			if (delta == 0)
 				table_gfn += PT_INDEX(addr, level);
+			access &= gw->pte_access;
 		} else {
 			direct = 0;
 			table_gfn = gw->table_gfn[level - 2];
-- 
1.7.1



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-13/kernel.spec,v
retrieving revision 1.2108
retrieving revision 1.2109
diff -u -p -r1.2108 -r1.2109
--- kernel.spec	21 Jul 2010 12:11:55 -0000	1.2108
+++ kernel.spec	22 Jul 2010 12:12:04 -0000	1.2109
@@ -774,6 +774,7 @@ Patch12230: kbuild-fix-modpost-segfault.
 Patch12250: inotify-fix-inotify-oneshot-support.patch
 Patch12260: inotify-send-IN_UNMOUNT-events.patch
 
+Patch12270: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1431,6 +1432,9 @@ ApplyPatch kbuild-fix-modpost-segfault.p
 ApplyPatch inotify-fix-inotify-oneshot-support.patch
 ApplyPatch inotify-send-IN_UNMOUNT-events.patch
 
+# 610911
+ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2050,6 +2054,10 @@ fi
 
 
 %changelog
+* Thu Jul 22 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.34.1-25
+- kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch:
+  Fix crash in guest Python programs (#610911)
+
 * Wed Jul 21 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.34.1-24
 - Drop crypto-aesni-kill-module_alias.patch; bug #571577 should
   not be present in 2.6.34.

