On Wed, 2016-07-13 at 18:14 +0100, James Hogan wrote:
> commit 797179bc4fe06c89e47a9f36f886f68640b423f8 upstream.
>
> Copy __kvm_mips_vcpu_run() into unmapped memory, so that we can never
> get a TLB refill exception in it when KVM is built as a module.
>
> This was observed to happen with the host MIPS kernel running under
> QEMU, due to a not entirely transparent optimisation in the QEMU TLB
> handling where TLB entries replaced with TLBWR are copied to a separate
> part of the TLB array. Code in those pages continues to be executable,
> but those mappings persist only until the next ASID switch, even if they
> are marked global.
>
> An ASID switch happens in __kvm_mips_vcpu_run() at exception level after
> switching to the guest exception base. Subsequent TLB mapped kernel
> instructions just prior to switching to the guest trigger a TLB refill
> exception, which enters the guest exception handlers without updating
> EPC. This appears as a guest triggered TLB refill on a host kernel
> mapped (host KSeg2) address, which is not handled correctly as user
> (guest) mode accesses to kernel (host) segments always generate address
> error exceptions.
>
> Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Radim Krčmář <rkrcmar@xxxxxxxxxx>
> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
> Cc: kvm@xxxxxxxxxxxxxxx
> Cc: linux-mips@xxxxxxxxxxxxxx
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> [james.hogan@xxxxxxxxxx: backported for stable 3.14]
> Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
[...]

Belatedly queued this up for 3.16.

Ben.

--
Ben Hutchings
compatible: Gracefully accepts erroneous data from any source