On 12/12/2012 07:47 AM, Marcelo Tosatti wrote:
>> +	if (write_fault && !(walker.pte_access & ACC_WRITE_MASK) &&
>> +	      !is_write_protection(vcpu) && !user_fault) {
>> +		walker.pte_access |= ACC_WRITE_MASK;
>> +		walker.pte_access &= ~ACC_USER_MASK;
>> +
>> +		/*
>> +		 * If we converted a user page to a kernel page,
>> +		 * so that the kernel can write to it when cr0.wp=0,
>> +		 * then we should prevent the kernel from executing it
>> +		 * if SMEP is enabled.
>> +		 */
>> +		if (kvm_read_cr4_bits(vcpu, X86_CR4_SMEP))
>> +			walker.pte_access &= ~ACC_EXEC_MASK;
>> +	}
>
> Don't think you should modify walker.pte_access here, since it can be
> used afterwards (eg for handle_abnormal_pfn).

Yes, you are right. It would cache !U+W instead of U+!W into the mmio
spte, so mmio accesses from userspace would always fail. I will
recheck it carefully.

Hmm, the current code seems buggy when CR0.WP = 0. Say two guest
mappings map to the same gfn, both using a large page, while small
page size is used on kvm. If the guest write-faults on the first
mapping, kvm creates a writable spte (!U + W) in a readonly sp
(sp.role.access = readonly). Then, on a read fault through the second
mapping, kvm builds the shadow page table by reusing the readonly sp
created for the first mapping, so the second mapping gets a writable
spte even though the Dirty bit in the second mapping is not set.

> BTW, your patch is fixing a bug:
>
> host_writable is ignored for CR0.WP emulation:
>
> 	if (host_writable)
> 		spte |= SPTE_HOST_WRITEABLE;
> 	else
> 		pte_access &= ~ACC_WRITE_MASK;
>
> 	spte |= (u64)pfn << PAGE_SHIFT;
>
> 	if ((pte_access & ACC_WRITE_MASK)
> 	    || (!vcpu->arch.mmu.direct_map && write_fault
> 		&& !is_write_protection(vcpu) && !user_fault)) {

I noticed it too, but it is not a bug: the access is adjusted only on
a write fault, and for a write #PF the pfn is always writable on the
host.