From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Gardon, Paolo Bonzini
Subject: [PATCH 5.5 254/367] KVM: x86: fix overlap between SPTE_MMIO_MASK and generation
Date: Mon, 10 Feb 2020 04:32:47 -0800
Message-Id: <20200210122447.865741331@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>
References: <20200210122423.695146547@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Paolo Bonzini

commit 56871d444bc4d7ea66708775e62e2e0926384dbc upstream.

The SPTE_MMIO_MASK overlaps with the bits used to track MMIO
generation number. A high enough generation number would overwrite the
SPTE_SPECIAL_MASK region and cause the MMIO SPTE to be misinterpreted.

Likewise, setting bits 52 and 53 would also cause an incorrect generation
number to be read from the PTE, though this was partially mitigated by the
(useless if it weren't for the bug) removal of SPTE_SPECIAL_MASK from
the spte in get_mmio_spte_generation. Drop that removal, and replace
it with a compile-time assertion.

Fixes: 6eeb4ef049e7 ("KVM: x86: assign two bits to track SPTE kinds")
Reported-by: Ben Gardon
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/kvm/mmu/mmu.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c
@@ -418,22 +418,24 @@ static inline bool is_access_track_spte( * requires a full MMU zap). The flag is instead explicitly queried when * checking for MMIO spte cache hits. */ -#define MMIO_SPTE_GEN_MASK GENMASK_ULL(18, 0) +#define MMIO_SPTE_GEN_MASK GENMASK_ULL(17, 0) #define MMIO_SPTE_GEN_LOW_START 3 #define MMIO_SPTE_GEN_LOW_END 11 #define MMIO_SPTE_GEN_LOW_MASK GENMASK_ULL(MMIO_SPTE_GEN_LOW_END, \ MMIO_SPTE_GEN_LOW_START) -#define MMIO_SPTE_GEN_HIGH_START 52 -#define MMIO_SPTE_GEN_HIGH_END 61 +#define MMIO_SPTE_GEN_HIGH_START PT64_SECOND_AVAIL_BITS_SHIFT +#define MMIO_SPTE_GEN_HIGH_END 62 #define MMIO_SPTE_GEN_HIGH_MASK GENMASK_ULL(MMIO_SPTE_GEN_HIGH_END, \ MMIO_SPTE_GEN_HIGH_START) + static u64 generation_mmio_spte_mask(u64 gen) { u64 mask; WARN_ON(gen & ~MMIO_SPTE_GEN_MASK); + BUILD_BUG_ON((MMIO_SPTE_GEN_HIGH_MASK | MMIO_SPTE_GEN_LOW_MASK) & SPTE_SPECIAL_MASK); mask = (gen << MMIO_SPTE_GEN_LOW_START) & MMIO_SPTE_GEN_LOW_MASK; mask |= (gen << MMIO_SPTE_GEN_HIGH_START) & MMIO_SPTE_GEN_HIGH_MASK; @@ -444,8 +446,6 @@ static u64 get_mmio_spte_generation(u64 { u64 gen; - spte &= ~shadow_mmio_mask; - gen = (spte & MMIO_SPTE_GEN_LOW_MASK) >> MMIO_SPTE_GEN_LOW_START; gen |= (spte & MMIO_SPTE_GEN_HIGH_MASK) >> MMIO_SPTE_GEN_HIGH_START; return gen;
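
Review bot: In generation_mmio_spte_mask() (first hunk), the high half is still built as (gen << MMIO_SPTE_GEN_HIGH_START) & MMIO_SPTE_GEN_HIGH_MASK, i.e. from the same unshifted gen as the low half, so both fields are filled starting at bit 0 of gen and the bits of gen above the low field's width (bits 3..11 of the spte, 9 bits) do not appear to be stored anywhere. Narrowing MMIO_SPTE_GEN_MASK to GENMASK_ULL(17, 0) and moving the high field does not change that; the high part would need an extra right shift of gen by the low field's width on encode, and the matching left shift on decode. Separately, the 18-bit width in GENMASK_ULL(17, 0) is counted by hand while MMIO_SPTE_GEN_HIGH_START now comes from PT64_SECOND_AVAIL_BITS_SHIFT, whose value is not visible here; a second BUILD_BUG_ON tying the mask width to the two field widths would catch a future mismatch. The added blank line before generation_mmio_spte_mask() leaves two blank lines in a row and can be dropped.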
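
Review bot: In get_mmio_spte_generation() (second hunk), the removed line cleared shadow_mmio_mask, but the commit message describes it as removing SPTE_SPECIAL_MASK and the new BUILD_BUG_ON only checks the generation fields against SPTE_SPECIAL_MASK. These are different symbols, and nothing in the visible lines shows that shadow_mmio_mask has no other bits inside MMIO_SPTE_GEN_LOW_MASK or MMIO_SPTE_GEN_HIGH_MASK. Worth confirming that, and either saying so in the commit message or adding a check where shadow_mmio_mask is set, so the read path does not silently pick up mask bits as generation bits.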