On 08/18/2016 05:05 AM, James Hogan wrote:
> commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.
>
> kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
> based on the guest TLB EntryLo values, however it is not range checked
> to ensure it lies within the guest_pmap. If the physical memory the
> guest refers to is out of range then dump the guest TLB and emit an
> internal error.
>
> Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
> Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: "Radim Krčmář" <rkrcmar@xxxxxxxxxx>
> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
> Cc: linux-mips@xxxxxxxxxxxxxx
> Cc: kvm@xxxxxxxxxxxxxxx
> Signed-off-by: Radim Krčmář <rkrcmar@xxxxxxxxxx>
> [james.hogan@xxxxxxxxxx: Backport to v3.17.y - v4.4.y]
> Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>

Hey James,

Thanks for the backport! Applying this one seems to fail with:

$ git apply --reject [PATCH BACKPORT 3.17-4.4 1_4] MIPS: KVM: Fix mapped fault broken commpage handling - James Hogan <james.hogan@xxxxxxxxxx> - 2016-08-18 0505.eml
Checking patch arch/mips/kvm/tlb.c...
error: while searching for:
        unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
        struct kvm *kvm = vcpu->kvm;
        pfn_t pfn0, pfn1;
        long tlb_lo[2];
        tlb_lo[0] = tlb->tlb_lo0;
error: patch failed: arch/mips/kvm/tlb.c:361
error: while searching for:
                        VPN2_MASK & (PAGE_MASK << 1)))
                tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
        if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT) < 0)
                return -1;
        if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT) < 0)
                return -1;
        pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
        pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
        if (hpa0)
                *hpa0 = pfn0 << PAGE_SHIFT;
error: patch failed: arch/mips/kvm/tlb.c:374
Applying patch arch/mips/kvm/tlb.c with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.

Thanks,
Sasha