commit | e3c4e3ee03b002a8e2c8dfd85d6acaf21ea6bae5 |
---|---|---
author | Sean Christopherson <[email protected]> | Wed Feb 02 00:49:43 2022 +0000
committer | COS Cherry Picker <[email protected]> | Thu Aug 25 16:34:55 2022 -0700
tree | 1a16ff980ec347e08757ab3ae8050a47f3f46045 |
parent | 30e4756a0a1122a53e663e99130dbd560163db94 |
KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits

Use the recently introduced __try_cmpxchg_user() to update guest PTE A/D bits instead of mapping the PTE into kernel address space. The VM_PFNMAP path is broken as it assumes that vm_pgoff is the base pfn of the mapped VMA range, which is conceptually wrong as vm_pgoff is the offset relative to the file and has nothing to do with the pfn. The horrific hack worked for the original use case (backing guest memory with /dev/mem), but leads to accessing "random" pfns for pretty much any other VM_PFNMAP case.

BUG=b/242694075
TEST=http://sponge2/5746147e-f595-4b7e-a4d3-709a5d307e2b
RELEASE_NOTE=Fixed CVE-2022-1158 in Linux Kernel
SOURCE=UPSTREAM(f122dfe4476890d60b8c679128cd2259ec96a24c)

cos-patch: security-high
Fixes: bd53cb35a3e9 ("X86/KVM: Handle PFNs outside of kernel reach when touching GPTEs")
Debugged-by: Tadeusz Struk <[email protected]>
Tested-by: Tadeusz Struk <[email protected]>
Reported-by: [email protected]
Cc: [email protected]
Signed-off-by: Sean Christopherson <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Change-Id: I8eab2801d2a6c322f5530f2e14214d5623d85010
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/36294
Tested-by: Cusky Presubmit Bot <[email protected]>
Main-Branch-Verified: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Meena Shanmugam <[email protected]>
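The commit replaces a kernel mapping of the guest PTE with a compare-and-exchange through the user mapping. The following is an added userspace model of that A/D update, not KVM's code: GCC's `__atomic_compare_exchange_n` stands in for `__try_cmpxchg_user()`, and `update_ad_bits`, `walk_update_ad` and `run_scenario` are hypothetical names. It shows the property the CAS buys: if the guest rewrites a PTE between the walk reading it and the update, the stale value is never written back.

```c
#include <stdbool.h>
#include <stdint.h>

#define PT_ACCESSED_MASK (1ULL << 5)   /* architectural x86 PTE bits */
#define PT_DIRTY_MASK    (1ULL << 6)

/* Hypothetical stand-in for the __try_cmpxchg_user() step: install the
 * wanted PTE only if it still equals what the page walk observed.
 * Returns 0 on success (or no bits to set), -1 if the PTE changed. */
int update_ad_bits(uint64_t *pte, uint64_t observed, bool write)
{
    uint64_t want = observed | PT_ACCESSED_MASK;
    uint64_t expected = observed;
    if (write)
        want |= PT_DIRTY_MASK;
    if (want == observed)
        return 0;                    /* already set: no store at all */
    if (__atomic_compare_exchange_n(pte, &expected, want, false,
                                    __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST))
        return 0;
    return -1;                       /* lost the race: caller re-walks */
}

/* Every walk level gets Accessed; only the leaf gets Dirty on a write.
 * Returns -1 when all levels updated, else the first level that failed. */
int walk_update_ad(uint64_t *ptes[], const uint64_t observed[],
                   int levels, bool write)
{
    for (int i = 0; i < levels; i++) {
        bool leaf = (i == levels - 1);
        if (update_ad_bits(ptes[i], observed[i], write && leaf) < 0)
            return i;
    }
    return -1;
}

/* Constructed two-level walk (directory entry + leaf, both present and
 * writable). With leaf_modified the "guest" rewrites the leaf after the
 * walk read it. Returns the walk result; *leaf_out gets the final PTE. */
int run_scenario(bool leaf_modified, uint64_t *leaf_out)
{
    uint64_t pde = 0x1003ULL, pte = 0x2003ULL;
    uint64_t *ptes[2] = { &pde, &pte };
    uint64_t seen[2] = { pde, pte };
    if (leaf_modified)
        pte = 0x3003ULL;             /* changed between read and update */
    int rc = walk_update_ad(ptes, seen, 2, true);
    *leaf_out = pte;
    return rc;
}
```

In the real walker a failed cmpxchg aborts the current walk so it can be redone against the current PTE; the model returns the failing level instead so the outcome is visible to a caller.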