The implementation of the TLBWR instruction for Trap & Emulate does not take the CP0_Wired register into account, allowing the guest's wired entries to be easily overwritten during normal guest TLB refill operation. Offset the random TLB index by CP0_Wired and keep it in the range of valid non-wired entries with a modulo operation instead of a mask. This allows wired TLB entries to be properly preserved. Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target ...") Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> Cc: "Radim Krčmář" <rkrcmar@xxxxxxxxxx> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx> Cc: linux-mips@xxxxxxxxxxxxxx Cc: kvm@xxxxxxxxxxxxxxx Cc: <stable@xxxxxxxxxxxxxxx> # 3.10.x- --- arch/mips/kvm/emulate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c index 4833ebad89d9..dd47f2bda01b 100644 --- a/arch/mips/kvm/emulate.c +++ b/arch/mips/kvm/emulate.c @@ -1094,10 +1094,12 @@ enum emulation_result kvm_mips_emul_tlbwr(struct kvm_vcpu *vcpu) struct mips_coproc *cop0 = vcpu->arch.cop0; struct kvm_mips_tlb *tlb = NULL; unsigned long pc = vcpu->arch.pc; + unsigned int wired; int index; get_random_bytes(&index, sizeof(index)); - index &= (KVM_MIPS_GUEST_TLB_SIZE - 1); + wired = kvm_read_c0_guest_wired(cop0) & (KVM_MIPS_GUEST_TLB_SIZE - 1); + index = wired + index % (KVM_MIPS_GUEST_TLB_SIZE - wired); tlb = &vcpu->arch.guest_tlb[index]; -- git-series 0.8.10
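Review bot: the new line `index = wired + index % (KVM_MIPS_GUEST_TLB_SIZE - wired);` stays in range only because `wired` is `unsigned int`, which converts the signed `index` filled by `get_random_bytes()` to unsigned before the `%`; with a signed divisor a negative `index` would give a negative remainder and an out-of-bounds `guest_tlb[]` access. Consider declaring `index` as `unsigned int` (or adding a comment) so the correctness does not hinge on that implicit conversion. Also note that `wired = kvm_read_c0_guest_wired(cop0) & (KVM_MIPS_GUEST_TLB_SIZE - 1);` folds a guest Wired value of KVM_MIPS_GUEST_TLB_SIZE or more to a small value rather than clamping it; the mask does guarantee a non-zero divisor, but a short comment stating that this is the intended handling of an out-of-range Wired would help future readers.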