linux/Documentation/virtual/kvm
Paolo Bonzini 844a5fe219 KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
Yes, all of these are needed. :) This is admittedly a bit odd, but
kvm-unit-tests access.flat tests this if you run it with "-cpu host"
and of course ept=0.

KVM runs the guest with CR0.WP=1, so it must handle supervisor writes
specially when pte.u=1/pte.w=0/CR0.WP=0.  Such writes cause a fault
when U=1 and W=0 in the SPTE, but they must succeed because CR0.WP=0.
When KVM gets the fault, it sets U=0 and W=1 in the shadow PTE and
restarts execution.  This will still cause a user write to fault, while
supervisor writes will succeed.  User reads will fault spuriously now,
and KVM will then flip U and W again in the SPTE (U=1, W=0).  User reads
will be enabled and supervisor writes disabled, going back to the
originary situation where supervisor writes fault spuriously.

When SMEP is in effect, however, U=0 will enable kernel execution of
this page.  To avoid this, KVM also sets NX=1 in the shadow PTE together
with U=0.  If the guest has not enabled NX, the result is a continuous
stream of page faults due to the NX bit being reserved.

The fix is to force EFER.NX=1 even if the CPU is taking care of the EFER
switch.  (All machines with SMEP have the CPU_LOAD_IA32_EFER vm-entry
control, so they do not use user-return notifiers for EFER---if they did,
EFER.NX would be forced to the same value as the host).

There is another bug in the reserved bit check, which I've split to a
separate patch for easier application to stable kernels.

Cc: stable@vger.kernel.org
Cc: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Fixes: f6577a5fa1
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-10 11:26:07 +01:00
..
arm arm/arm64: KVM: Add forwarded physical interrupts documentation 2015-10-22 23:01:43 +02:00
devices KVM: s390: fix mismatch between user and in-kernel guest limit 2015-12-15 17:08:21 +01:00
00-INDEX Documentation/: update 00-INDEX files 2014-02-10 16:01:40 -08:00
api.txt KVM doc: Fix KVM_SMI chapter number 2016-01-26 16:29:59 +01:00
cpuid.txt Documentation/kvm: Update cpuid documentation for steal time and pv eoi 2013-09-24 19:12:16 +02:00
hypercalls.txt KVM: doc: Fix typo in doc/virtual/kvm 2013-12-31 17:24:54 -02:00
locking.txt KVM: Update Posted-Interrupts Descriptor when vCPU is blocked 2015-10-01 15:06:53 +02:00
mmu.txt KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo 2016-03-10 11:26:07 +01:00
msr.txt Documentation: virtual: kvm: correct one bit description in APF case 2014-11-03 12:07:27 +01:00
nested-vmx.txt KVM: nVMX: Documentation 2011-07-12 13:15:22 +03:00
ppc-pv.txt Doc:kvm: Fix typo in Doc/virtual/kvm 2015-10-11 15:35:23 -06:00
review-checklist.txt
s390-diag.txt KVM: s390: add documentation for diag 501 2014-04-22 13:24:51 +02:00
timekeeping.txt KVM: doc: Fix typo in doc/virtual/kvm 2013-12-31 17:24:54 -02:00