On Thu, Feb 06, 2020 at 02:08:31PM -0800, Sean Christopherson wrote:
> Define PT_MAX_FULL_LEVELS as PT64_ROOT_MAX_LEVEL, i.e. 5, to fix shadow
> paging for 5-level guest page tables. PT_MAX_FULL_LEVELS is used to
> size the arrays that track guest page table information, i.e. using a
> "max levels" of 4 causes KVM to access garbage beyond the end of an
> array when querying state for level 5 entries. E.g. FNAME(gpte_changed)
> will read garbage and most likely return %true for a level 5 entry,
> soft-hanging the guest because FNAME(fetch) will restart the guest
> instead of creating SPTEs because it thinks the guest PTE has changed.
>
> Fixes: 855feb673640 ("KVM: MMU: Add 5 level EPT & Shadow page table support.")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ---
> arch/x86/kvm/mmu/paging_tmpl.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
> index 4e1ef0473663..6b15b58f3ecc 100644
> --- a/arch/x86/kvm/mmu/paging_tmpl.h
> +++ b/arch/x86/kvm/mmu/paging_tmpl.h
> @@ -33,7 +33,7 @@
> #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT
> #define PT_HAVE_ACCESSED_DIRTY(mmu) true
> #ifdef CONFIG_X86_64
> - #define PT_MAX_FULL_LEVELS 4
> + #define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL
> #define CMPXCHG cmpxchg
> #else
> #define CMPXCHG cmpxchg64
> @@ -66,7 +66,7 @@
> #define PT_GUEST_ACCESSED_SHIFT 8
> #define PT_HAVE_ACCESSED_DIRTY(mmu) ((mmu)->ept_ad)
> #define CMPXCHG cmpxchg64
> - #define PT_MAX_FULL_LEVELS 4
> + #define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL

Doh, the nested EPT change belongs in the next patch. I'll retest tomorrow and send a v2 when my brain is less mushy.

> #else
> #error Invalid PTTYPE value
> #endif
> --
> 2.24.1
>
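Review bot: in the @@ -33,7 +33,7 @@ hunk, tying PT_MAX_FULL_LEVELS to PT64_ROOT_MAX_LEVEL instead of the literal 4 is the right fix for the out-of-bounds read the changelog describes, but the define deserves a one-line comment saying the walker arrays sized by it must cover every paging level the guest can use; the hard-coded 4 silently went stale when 5-level support landed in 855feb673640 (per the Fixes: tag), and a comment at the definition is what stops the next level bump from repeating that. The changelog could also state plainly that the affected arrays are indexed by the guest's walk level, since a guest-selectable paging mode driving an out-of-bounds read on the host is exactly why the Cc: stable is warranted.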
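Review bot: the @@ -66,7 +66,7 @@ hunk changes the PTTYPE_EPT definition, which is outside the scope of a Fixes:/Cc: stable patch whose subject and changelog are about shadow paging of 5-level guest page tables; as the author already says in the reply, drop this hunk here and carry it in the patch that adds 5-level nested EPT, so the stable backport contains only the one-line change that fixes the described bug.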