1. 03 5月, 2007 12 次提交
  2. 19 4月, 2007 1 次提交
    • A
      KVM: Fix off-by-one when writing to a nonpae guest pde · 6b8d0f9b
      Avi Kivity 提交于
      Nonpae guest pdes are shadowed by two pae ptes, so we double the offset
      twice: once to account for the pte size difference, and once because we
      need to shadow pdes for a single guest pde.
      
      But when writing to the upper guest pde we also need to truncate the
      lower bits, otherwise the multiply shifts these bits into the pde index
      and causes an access to the wrong shadow pde.  If we're at the end of the
      page (accessing the very last guest pde) we can even overflow into the
      next host page and oops.
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      6b8d0f9b
  3. 27 3月, 2007 2 次提交
    • I
      KVM: always reload segment selectors · 6d9658df
      Ingo Molnar 提交于
      failed VM entry on VMX might still change %fs or %gs, thus make sure
      that KVM always reloads the segment selectors. This is crutial on both
      x86 and x86_64: x86 has __KERNEL_PDA in %fs on which things like
      'current' depends and x86_64 has 0 there and needs MSR_GS_BASE to work.
      Signed-off-by: NIngo Molnar <mingo@elte.hu>
      6d9658df
    • A
      KVM: Prevent system selectors leaking into guest on real->protected mode transition on vmx · 6af11b9e
      Avi Kivity 提交于
      Intel virtualization extensions do not support virtualizing real mode.  So
      kvm uses virtualized vm86 mode to run real mode code.  Unfortunately, this
      virtualized vm86 mode does not support the so called "big real" mode, where
      the segment selector and base do not agree with each other according to the
      real mode rules (base == selector << 4).
      
      To work around this, kvm checks whether a selector/base pair violates the
      virtualized vm86 rules, and if so, forces it into conformance.  On a
      transition back to protected mode, if we see that the guest did not touch
      a forced segment, we restore it back to the original protected mode value.
      
      This pile of hacks breaks down if the gdt has changed in real mode, as it
      can cause a segment selector to point to a system descriptor instead of a
      normal data segment.  In fact, this happens with the Windows bootloader
      and the qemu acpi bios, where a protected mode memcpy routine issues an
      innocent 'pop %es' and traps on an attempt to load a system descriptor.
      
      "Fix" by checking if the to-be-restored selector points at a system segment,
      and if so, coercing it into a normal data segment.  The long term solution,
      of course, is to abandon vm86 mode and use emulation for big real mode.
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      6af11b9e
  4. 18 3月, 2007 4 次提交
    • A
      KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram · 27aba766
      Avi Kivity 提交于
      PAGE_MASK is an unsigned long, so using it to mask physical addresses on
      i386 (which are 64-bit wide) leads to truncation.  This can result in
      page->private of unrelated memory pages being modified, with disasterous
      results.
      
      Fix by not using PAGE_MASK for physical addresses; instead calculate
      the correct value directly from PAGE_SIZE.  Also fix a similar BUG_ON().
      Acked-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      27aba766
    • A
      KVM: MMU: Fix guest writes to nonpae pde · ac1b714e
      Avi Kivity 提交于
      KVM shadow page tables are always in pae mode, regardless of the guest
      setting.  This means that a guest pde (mapping 4MB of memory) is mapped
      to two shadow pdes (mapping 2MB each).
      
      When the guest writes to a pte or pde, we intercept the write and emulate it.
      We also remove any shadowed mappings corresponding to the write.  Since the
      mmu did not account for the doubling in the number of pdes, it removed the
      wrong entry, resulting in a mismatch between shadow page tables and guest
      page tables, followed shortly by guest memory corruption.
      
      This patch fixes the problem by detecting the special case of writing to
      a non-pae pde and adjusting the address and number of shadow pdes zapped
      accordingly.
      Acked-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      ac1b714e
    • A
      KVM: Fix guest sysenter on vmx · f5b42c33
      Avi Kivity 提交于
      The vmx code currently treats the guest's sysenter support msrs as 32-bit
      values, which breaks 32-bit compat mode userspace on 64-bit guests.  Fix by
      using the native word width of the machine.
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      f5b42c33
    • A
      KVM: Unset kvm_arch_ops if arch module loading failed · ca45aaae
      Avi Kivity 提交于
      Otherwise, the core module thinks the arch module is loaded, and won't
      let you reload it after you've fixed the bug.
      Signed-off-by: NAvi Kivity <avi@qumranet.com>
      ca45aaae
  5. 04 3月, 2007 21 次提交