• P
    KVM: x86: fix off-by-one in reserved bits check · 58c95070
    Paolo Bonzini 提交于
    29ecd660 ("KVM: x86: avoid uninitialized variable warning",
    2015-09-06) introduced a not-so-subtle problem, which probably
    escaped review because it was not part of the patch context.
    
    Before the patch, leaf was always equal to iterator.level.  After,
    it is equal to iterator.level - 1 in the call to is_shadow_zero_bits_set,
    and when is_shadow_zero_bits_set does another "-1" the check on
    reserved bits becomes incorrect.  Using "iterator.level" in the call
    fixes this call trace:
    
    WARNING: CPU: 2 PID: 17000 at arch/x86/kvm/mmu.c:3385 handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]()
    Modules linked in: tun sha256_ssse3 sha256_generic drbg binfmt_misc ipv6 vfat fat fuse dm_crypt dm_mod kvm_amd kvm crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd fam15h_power amd64_edac_mod k10temp edac_core amdkfd amd_iommu_v2 radeon acpi_cpufreq
    [...]
    Call Trace:
      dump_stack+0x4e/0x84
      warn_slowpath_common+0x95/0xe0
      warn_slowpath_null+0x1a/0x20
      handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]
      tdp_page_fault+0x231/0x290 [kvm]
      ? emulator_pio_in_out+0x6e/0xf0 [kvm]
      kvm_mmu_page_fault+0x36/0x240 [kvm]
      ? svm_set_cr0+0x95/0xc0 [kvm_amd]
      pf_interception+0xde/0x1d0 [kvm_amd]
      handle_exit+0x181/0xa70 [kvm_amd]
      ? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
      kvm_arch_vcpu_ioctl_run+0x6f6/0x1730 [kvm]
      ? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
      ? preempt_count_sub+0x9b/0xf0
      ? mutex_lock_killable_nested+0x26f/0x490
      ? preempt_count_sub+0x9b/0xf0
      kvm_vcpu_ioctl+0x358/0x710 [kvm]
      ? __fget+0x5/0x210
      ? __fget+0x101/0x210
      do_vfs_ioctl+0x2f4/0x560
      ? __fget_light+0x29/0x90
      SyS_ioctl+0x4c/0x90
      entry_SYSCALL_64_fastpath+0x16/0x73
    ---[ end trace 37901c8686d84de6 ]---
    Reported-by: NBorislav Petkov <bp@alien8.de>
    Tested-by: NBorislav Petkov <bp@alien8.de>
    Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
    58c95070
mmu.c 123.7 KB