On Wed, Nov 16, 2016 at 04:43:28PM +1100, Paul Mackerras wrote:
> The hashed page table MMU in POWER processors can update the R
> (reference) and C (change) bits in a HPTE at any time until the
> HPTE has been invalidated and the TLB invalidation sequence has
> completed. In kvmppc_h_protect, which implements the H_PROTECT
> hypercall, we read the HPTE, modify the second doubleword,
> invalidate the HPTE in memory, do the TLB invalidation sequence,
> and then write the modified value of the second doubleword back
> to memory. In doing so we could overwrite an R/C bit update done
> by hardware between when we read the HPTE and when the TLB
> invalidation completed. To fix this we re-read the second
> doubleword after the TLB invalidation and OR in the (possibly)
> new values of R and C. We can use an OR since hardware only ever
> sets R and C, never clears them.
>
> This race was found by code inspection. In principle this bug could
> cause occasional guest memory corruption under host memory pressure.
>
> Fixes: a8606e20e41a ("KVM: PPC: Handle some PAPR hcalls in the kernel", 2011-06-29)
> Cc: stable@xxxxxxxxxxxxxxx # v3.19+
> Signed-off-by: Paul Mackerras <paulus@xxxxxxxxxx>

Applied to kvm-ppc-next.

Paul.
--
To unsubscribe from this list: send the line "unsubscribe kvm-ppc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
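The race described in the commit message above, as an added user-space model; this is not the kernel's kvmppc_h_protect code. The bit positions (HPTE_V_VALID, HPTE_R_PP, HPTE_R_N, HPTE_R_R, HPTE_R_C) match Linux's HPTE layout, but the simulated MMU, the hcall flag encoding and the HPTE contents are assumptions made for the illustration. The hardware is modelled as landing one R/C update either right after the hypervisor's read or while the tlbie sequence is in flight; the pre-fix sequence loses the bits in both windows, the post-fix re-read-and-OR keeps them in both.

```c
/*
 * Added example (not the kernel's code): user-space model of the H_PROTECT
 * R/C race. Bit values follow Linux's HPTE layout; everything else here
 * (the MMU model, flag encoding, sample HPTE) is an assumption made for
 * illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define HPTE_V_VALID 0x1ULL
#define HPTE_R_PP    0x3ULL      /* page protection bits */
#define HPTE_R_N     0x4ULL      /* no-execute */
#define HPTE_R_C     0x80ULL     /* change bit, set by hardware on a write */
#define HPTE_R_R     0x100ULL    /* reference bit, set by hardware on an access */
#define HPTE_R_RC    (HPTE_R_R | HPTE_R_C)
#define PROT_MASK    (HPTE_R_PP | HPTE_R_N)   /* what H_PROTECT may change (simplified) */

/* Where in the H_PROTECT sequence the simulated hardware lands its update. */
enum hw_point { HW_AFTER_READ, HW_DURING_TLBIE };

/* Simulated hashed page table MMU: it may OR R/C into the second doubleword
 * at any point until the TLB invalidation sequence has completed. */
struct mmu_sim {
    uint64_t pending_rc;     /* R/C bits the hardware still has to record */
    enum hw_point when;      /* the point at which it records them */
};

static void mmu_maybe_update(struct mmu_sim *mmu, uint64_t hpte[2], enum hw_point now)
{
    if (mmu->when == now) {
        hpte[1] |= mmu->pending_rc;  /* hardware only ever sets R and C */
        mmu->pending_rc = 0;
    }
}

static void tlbie_sequence(struct mmu_sim *mmu, uint64_t hpte[2])
{
    /* The update may still land while the invalidation is in flight... */
    mmu_maybe_update(mmu, hpte, HW_DURING_TLBIE);
    /* ...but once this returns the hardware will not touch the HPTE again. */
}

/* H_PROTECT as in the pre-fix code: write back the doubleword computed
 * before the invalidation, clobbering any R/C update that landed since. */
static void h_protect_buggy(struct mmu_sim *mmu, uint64_t hpte[2], uint64_t flags)
{
    uint64_t v = hpte[0];
    uint64_t r = (hpte[1] & ~PROT_MASK) | (flags & PROT_MASK);
    if (!(v & HPTE_V_VALID))
        return;
    mmu_maybe_update(mmu, hpte, HW_AFTER_READ);   /* simulation hook */
    hpte[0] = v & ~HPTE_V_VALID;                   /* invalidate in memory */
    tlbie_sequence(mmu, hpte);
    hpte[1] = r;                                   /* R/C update lost here */
    hpte[0] = v;                                   /* make valid again */
}

/* H_PROTECT with the fix: re-read the second doubleword after the
 * invalidation and OR in R/C, which the hardware can only have set. */
static void h_protect_fixed(struct mmu_sim *mmu, uint64_t hpte[2], uint64_t flags)
{
    uint64_t v = hpte[0];
    uint64_t r = (hpte[1] & ~PROT_MASK) | (flags & PROT_MASK);
    if (!(v & HPTE_V_VALID))
        return;
    mmu_maybe_update(mmu, hpte, HW_AFTER_READ);   /* simulation hook */
    hpte[0] = v & ~HPTE_V_VALID;
    tlbie_sequence(mmu, hpte);
    r |= hpte[1] & HPTE_R_RC;                      /* the fix */
    hpte[1] = r;
    hpte[0] = v;
}

/* One scenario on a constructed HPTE (pp=3, R/C clear) whose page the
 * hardware accesses and dirties during H_PROTECT; the hcall changes pp to 2
 * and sets no-execute. Returns the final second doubleword. */
static uint64_t run_scenario(bool fixed, enum hw_point when)
{
    struct mmu_sim mmu = { .pending_rc = HPTE_R_RC, .when = when };
    uint64_t hpte[2] = { HPTE_V_VALID | 0x8000000000001000ULL, 0x12345000ULL | 0x3ULL };
    const uint64_t flags = HPTE_R_N | 0x2ULL;
    if (fixed)
        h_protect_fixed(&mmu, hpte, flags);
    else
        h_protect_buggy(&mmu, hpte, flags);
    return hpte[1];
}

int main(void)
{
    static const char *const names[] = { "after read", "during tlbie" };
    for (int w = HW_AFTER_READ; w <= HW_DURING_TLBIE; w++) {
        uint64_t buggy = run_scenario(false, (enum hw_point)w);
        uint64_t fixed = run_scenario(true, (enum hw_point)w);
        printf("hw update %-12s  buggy: R/C=%#" PRIx64 "  fixed: R/C=%#" PRIx64 "\n",
               names[w], buggy & HPTE_R_RC, fixed & HPTE_R_RC);
    }
    return 0;
}
```

The OR is the whole fix: since the MMU only ever sets R and C, whatever is in the doubleword after the invalidation completes is a superset of what the hypervisor read, so OR-ing it in cannot reintroduce a stale bit. The model leaves out what the real hcall also does around this point (the reverse-map entry for the guest's view of the HPTE and dirty tracking), which is where a lost C bit would turn into the missed writeback the commit message warns about.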