From: Paul Mackerras <paulus@samba.org>
To: Alexander Graf <agraf@suse.de>
Cc: kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: [PATCH 4/5] KVM: PPC: Book3S HV: Don't give the guest RW access to RO pages
Date: Thu, 22 Nov 2012 20:28:41 +1100 [thread overview]
Message-ID: <20121122092841.GE31117@bloggs.ozlabs.ibm.com> (raw)
In-Reply-To: <20121122092442.GA31117@bloggs.ozlabs.ibm.com>
Currently, if the guest does an H_PROTECT hcall requesting that the
permissions on a HPT entry be changed to allow writing, we make the
requested change even if the page is marked read-only in the host
Linux page tables. This is a problem since it would for instance
allow a guest to modify a page that KSM has decided can be shared
between multiple guests.
To fix this, if the new permissions for the page allow writing, we need
to look up the memslot for the page, work out the host virtual address,
and look up the Linux page tables to get the PTE for the page. If that
PTE is read-only, we reduce the HPTE permissions to read-only.
Signed-off-by: Paul Mackerras <paulus@samba.org>
---
arch/powerpc/kvm/book3s_hv_rm_mmu.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/powerpc/kvm/book3s_hv_rm_mmu.c b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
index 7e1f7e2..19c93ba 100644
--- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
@@ -629,6 +629,28 @@ long kvmppc_h_protect(struct kvm_vcpu *vcpu, unsigned long flags,
asm volatile("tlbiel %0" : : "r" (rb));
asm volatile("ptesync" : : : "memory");
}
+ /*
+ * If the host has this page as readonly but the guest
+ * wants to make it read/write, reduce the permissions.
+ * Checking the host permissions involves finding the
+ * memslot and then the Linux PTE for the page.
+ */
+ if (hpte_is_writable(r) && kvm->arch.using_mmu_notifiers) {
+ unsigned long psize, gfn, hva;
+ struct kvm_memory_slot *memslot;
+ pgd_t *pgdir = vcpu->arch.pgdir;
+ pte_t pte;
+
+ psize = hpte_page_size(v, r);
+ gfn = ((r & HPTE_R_RPN) & ~(psize - 1)) >> PAGE_SHIFT;
+ memslot = __gfn_to_memslot(kvm_memslots(kvm), gfn);
+ if (memslot) {
+ hva = __gfn_to_hva_memslot(memslot, gfn);
+ pte = lookup_linux_pte(pgdir, hva, 1, &psize);
+ if (pte_present(pte) && !pte_write(pte))
+ r = hpte_make_readonly(r);
+ }
+ }
}
hpte[1] = r;
eieio();
--
1.7.10.rc3.219.g53414
WARNING: multiple messages have this Message-ID (diff)
From: Paul Mackerras <paulus@samba.org>
To: Alexander Graf <agraf@suse.de>
Cc: kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: [PATCH 4/5] KVM: PPC: Book3S HV: Don't give the guest RW access to RO pages
Date: Thu, 22 Nov 2012 09:28:41 +0000 [thread overview]
Message-ID: <20121122092841.GE31117@bloggs.ozlabs.ibm.com> (raw)
In-Reply-To: <20121122092442.GA31117@bloggs.ozlabs.ibm.com>
Currently, if the guest does an H_PROTECT hcall requesting that the
permissions on a HPT entry be changed to allow writing, we make the
requested change even if the page is marked read-only in the host
Linux page tables. This is a problem since it would for instance
allow a guest to modify a page that KSM has decided can be shared
between multiple guests.
To fix this, if the new permissions for the page allow writing, we need
to look up the memslot for the page, work out the host virtual address,
and look up the Linux page tables to get the PTE for the page. If that
PTE is read-only, we reduce the HPTE permissions to read-only.
Signed-off-by: Paul Mackerras <paulus@samba.org>
---
arch/powerpc/kvm/book3s_hv_rm_mmu.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/powerpc/kvm/book3s_hv_rm_mmu.c b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
index 7e1f7e2..19c93ba 100644
--- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
@@ -629,6 +629,28 @@ long kvmppc_h_protect(struct kvm_vcpu *vcpu, unsigned long flags,
asm volatile("tlbiel %0" : : "r" (rb));
asm volatile("ptesync" : : : "memory");
}
+ /*
+ * If the host has this page as readonly but the guest
+ * wants to make it read/write, reduce the permissions.
+ * Checking the host permissions involves finding the
+ * memslot and then the Linux PTE for the page.
+ */
+ if (hpte_is_writable(r) && kvm->arch.using_mmu_notifiers) {
+ unsigned long psize, gfn, hva;
+ struct kvm_memory_slot *memslot;
+ pgd_t *pgdir = vcpu->arch.pgdir;
+ pte_t pte;
+
+ psize = hpte_page_size(v, r);
+ gfn = ((r & HPTE_R_RPN) & ~(psize - 1)) >> PAGE_SHIFT;
+ memslot = __gfn_to_memslot(kvm_memslots(kvm), gfn);
+ if (memslot) {
+ hva = __gfn_to_hva_memslot(memslot, gfn);
+ pte = lookup_linux_pte(pgdir, hva, 1, &psize);
+ if (pte_present(pte) && !pte_write(pte))
+ r = hpte_make_readonly(r);
+ }
+ }
}
hpte[1] = r;
eieio();
--
1.7.10.rc3.219.g53414
next prev parent reply other threads:[~2012-11-22 19:19 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-22 9:24 [PATCH 0/5] KVM: PPC: Fix various bugs and vulnerabilities in HV KVM Paul Mackerras
2012-11-22 9:24 ` Paul Mackerras
2012-11-22 9:25 ` [PATCH 1/5] KVM: PPC: Book3S HV: Handle guest-caused machine checks on POWER7 without panicking Paul Mackerras
2012-11-22 9:25 ` Paul Mackerras
2012-11-23 14:13 ` Alexander Graf
2012-11-23 14:13 ` Alexander Graf
2012-11-23 21:42 ` Paul Mackerras
2012-11-23 21:42 ` Paul Mackerras
2012-11-26 13:15 ` Alexander Graf
2012-11-26 13:15 ` Alexander Graf
2012-11-26 21:33 ` Paul Mackerras
2012-11-26 21:33 ` Paul Mackerras
2012-11-26 21:55 ` Alexander Graf
2012-11-26 21:55 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 23:11 ` Paul Mackerras
2012-11-26 23:11 ` Paul Mackerras
2012-11-24 8:37 ` [PATCH v2] " Paul Mackerras
2012-11-24 8:37 ` Paul Mackerras
2012-11-26 23:16 ` Alexander Graf
2012-11-26 23:16 ` Alexander Graf
2012-11-26 23:18 ` Paul Mackerras
2012-11-26 23:18 ` Paul Mackerras
2012-11-26 23:20 ` Alexander Graf
2012-11-26 23:20 ` Alexander Graf
2012-11-27 0:20 ` Paul Mackerras
2012-11-27 0:20 ` Paul Mackerras
2012-12-22 14:09 ` [PATCH] KVM: PPC: Book3S HV: Fix compilation without CONFIG_PPC_POWERNV Andreas Schwab
2012-12-22 14:09 ` Andreas Schwab
2013-01-06 13:05 ` Alexander Graf
2013-01-06 13:05 ` Alexander Graf
2012-11-22 9:27 ` [PATCH 2/5] KVM: PPC: Book3S HV: Reset reverse-map chains when resetting the HPT Paul Mackerras
2012-11-22 9:27 ` Paul Mackerras
2012-11-22 9:28 ` [PATCH 3/5] KVM: PPC: Book3S HV: Improve handling of local vs. global TLB invalidations Paul Mackerras
2012-11-22 9:28 ` Paul Mackerras
2012-11-23 15:43 ` Alexander Graf
2012-11-23 15:43 ` Alexander Graf
2012-11-23 22:07 ` Paul Mackerras
2012-11-23 22:07 ` Paul Mackerras
2012-11-26 13:10 ` Alexander Graf
2012-11-26 13:10 ` Alexander Graf
2012-11-26 21:48 ` Paul Mackerras
2012-11-26 21:48 ` Paul Mackerras
2012-11-26 22:03 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 23:16 ` Paul Mackerras
2012-11-26 23:16 ` Paul Mackerras
2012-11-26 23:18 ` Alexander Graf
2012-11-26 23:18 ` Alexander Graf
2012-11-22 9:28 ` Paul Mackerras [this message]
2012-11-22 9:28 ` [PATCH 4/5] KVM: PPC: Book3S HV: Don't give the guest RW access to RO pages Paul Mackerras
2012-11-23 15:47 ` Alexander Graf
2012-11-23 15:47 ` Alexander Graf
2012-11-23 22:13 ` Paul Mackerras
2012-11-23 22:13 ` Paul Mackerras
2012-11-24 9:05 ` Alexander Graf
2012-11-24 9:05 ` Alexander Graf
2012-11-24 9:32 ` Paul Mackerras
2012-11-24 9:32 ` Paul Mackerras
2012-11-26 13:09 ` Alexander Graf
2012-11-26 13:09 ` Alexander Graf
2012-11-22 9:29 ` [PATCH 5/5] KVM: PPC: Book3S HV: Report correct HPT entry index when reading HPT Paul Mackerras
2012-11-22 9:29 ` Paul Mackerras
2012-11-23 15:48 ` [PATCH 0/5] KVM: PPC: Fix various bugs and vulnerabilities in HV KVM Alexander Graf
2012-11-23 15:48 ` Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121122092841.GE31117@bloggs.ozlabs.ibm.com \
--to=paulus@samba.org \
--cc=agraf@suse.de \
--cc=kvm-ppc@vger.kernel.org \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.