releases/4.4.19/mips-kvm-add-missing-gfn-range-check.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From james.hogan@imgtec.com  Thu Aug 18 11:44:38 2016
 From: James Hogan <james.hogan@imgtec.com>
 Date: Thu, 18 Aug 2016 10:05:30 +0100
 Subject: [PATCH BACKPORT 3.17-4.4 2/4] MIPS: KVM: Add missing gfn range check
 To: <stable@vger.kernel.org>
 Cc: James Hogan <james.hogan@imgtec.com>, Paolo Bonzini <pbonzini@redhat.com>, Radim Krčmář <rkrcmar@redhat.com>, Ralf Baechle <ralf@linux-mips.org>, <linux-mips@linux-mips.org>, <kvm@vger.kernel.org>
 Message-ID: <5ae3371dc11534460b722864ea8c6ef27e8506d1.1471018436.git-series.james.hogan@imgtec.com>

 From: James Hogan <james.hogan@imgtec.com>

 commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.

 kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
 based on the guest TLB EntryLo values, however it is not range checked
 to ensure it lies within the guest_pmap. If the physical memory the
 guest refers to is out of range then dump the guest TLB and emit an
 internal error.

 Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
 Signed-off-by: James Hogan <james.hogan@imgtec.com>
 Cc: Paolo Bonzini <pbonzini@redhat.com>
 Cc: "Radim Krčmář" <rkrcmar@redhat.com>
 Cc: Ralf Baechle <ralf@linux-mips.org>
 Cc: linux-mips@linux-mips.org
 Cc: kvm@vger.kernel.org
 Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
 [james.hogan@imgtec.com: Backport to v3.17.y - v4.4.y]
 Signed-off-by: James Hogan <james.hogan@imgtec.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  arch/mips/kvm/tlb.c |   23 +++++++++++++++--------
  1 file changed, 15 insertions(+), 8 deletions(-)

 --- a/arch/mips/kvm/tlb.c
 +++ b/arch/mips/kvm/tlb.c
 @@ -361,6 +361,7 @@ int kvm_mips_handle_mapped_seg_tlb_fault
  	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
  	struct kvm *kvm = vcpu->kvm;
  	pfn_t pfn0, pfn1;
 +	gfn_t gfn0, gfn1;
  	long tlb_lo[2];

  	tlb_lo[0] = tlb->tlb_lo0;
 @@ -374,18 +375,24 @@ int kvm_mips_handle_mapped_seg_tlb_fault
  			VPN2_MASK & (PAGE_MASK << 1)))
  		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;

 -	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
 -				   >> PAGE_SHIFT) < 0)
 +	gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
 +	gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
 +	if (gfn0 >= kvm->arch.guest_pmap_npages ||
 +	    gfn1 >= kvm->arch.guest_pmap_npages) {
 +		kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
 +			__func__, gfn0, gfn1, tlb->tlb_hi);
 +		kvm_mips_dump_guest_tlbs(vcpu);
  		return -1;
 +	}

 -	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
 -				   >> PAGE_SHIFT) < 0)
 +	if (kvm_mips_map_page(kvm, gfn0) < 0)
  		return -1;

 -	pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0])
 -				    >> PAGE_SHIFT];
 -	pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1])
 -				    >> PAGE_SHIFT];
 +	if (kvm_mips_map_page(kvm, gfn1) < 0)
 +		return -1;
 +
 +	pfn0 = kvm->arch.guest_pmap[gfn0];
 +	pfn1 = kvm->arch.guest_pmap[gfn1];

  	if (hpa0)
  		*hpa0 = pfn0 << PAGE_SHIFT;
	From james.hogan@imgtec.com Thu Aug 18 11:44:38 2016
	From: James Hogan <james.hogan@imgtec.com>
	Date: Thu, 18 Aug 2016 10:05:30 +0100
	Subject: [PATCH BACKPORT 3.17-4.4 2/4] MIPS: KVM: Add missing gfn range check
	To: <stable@vger.kernel.org>
	Cc: James Hogan <james.hogan@imgtec.com>, Paolo Bonzini <pbonzini@redhat.com>, Radim Krčmář <rkrcmar@redhat.com>, Ralf Baechle <ralf@linux-mips.org>, <linux-mips@linux-mips.org>, <kvm@vger.kernel.org>
	Message-ID: <5ae3371dc11534460b722864ea8c6ef27e8506d1.1471018436.git-series.james.hogan@imgtec.com>

	From: James Hogan <james.hogan@imgtec.com>

	commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.

	kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
	based on the guest TLB EntryLo values, however it is not range checked
	to ensure it lies within the guest_pmap. If the physical memory the
	guest refers to is out of range then dump the guest TLB and emit an
	internal error.

	Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
	Signed-off-by: James Hogan <james.hogan@imgtec.com>
	Cc: Paolo Bonzini <pbonzini@redhat.com>
	Cc: "Radim Krčmář" <rkrcmar@redhat.com>
	Cc: Ralf Baechle <ralf@linux-mips.org>
	Cc: linux-mips@linux-mips.org
	Cc: kvm@vger.kernel.org
	Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
	[james.hogan@imgtec.com: Backport to v3.17.y - v4.4.y]
	Signed-off-by: James Hogan <james.hogan@imgtec.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	arch/mips/kvm/tlb.c \| 23 +++++++++++++++--------
	1 file changed, 15 insertions(+), 8 deletions(-)

	--- a/arch/mips/kvm/tlb.c
	+++ b/arch/mips/kvm/tlb.c
	@@ -361,6 +361,7 @@ int kvm_mips_handle_mapped_seg_tlb_fault
	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
	struct kvm *kvm = vcpu->kvm;
	pfn_t pfn0, pfn1;
	+ gfn_t gfn0, gfn1;
	long tlb_lo[2];

	tlb_lo[0] = tlb->tlb_lo0;
	@@ -374,18 +375,24 @@ int kvm_mips_handle_mapped_seg_tlb_fault
	VPN2_MASK & (PAGE_MASK << 1)))
	tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;

	- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
	- >> PAGE_SHIFT) < 0)
	+ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
	+ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
	+ if (gfn0 >= kvm->arch.guest_pmap_npages \|\|
	+ gfn1 >= kvm->arch.guest_pmap_npages) {
	+ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
	+ __func__, gfn0, gfn1, tlb->tlb_hi);
	+ kvm_mips_dump_guest_tlbs(vcpu);
	return -1;
	+ }

	- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
	- >> PAGE_SHIFT) < 0)
	+ if (kvm_mips_map_page(kvm, gfn0) < 0)
	return -1;

	- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0])
	- >> PAGE_SHIFT];
	- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1])
	- >> PAGE_SHIFT];
	+ if (kvm_mips_map_page(kvm, gfn1) < 0)
	+ return -1;
	+
	+ pfn0 = kvm->arch.guest_pmap[gfn0];
	+ pfn1 = kvm->arch.guest_pmap[gfn1];

	if (hpa0)
	*hpa0 = pfn0 << PAGE_SHIFT;