Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=27aba76615eeb36af84118e8ea6d35ffa51fd1e3
Commit:     27aba76615eeb36af84118e8ea6d35ffa51fd1e3
Parent:     ac1b714e78c8f0b252f8d8872e6ce6f898a123b3
Author:     Avi Kivity <[EMAIL PROTECTED]>
AuthorDate: Fri Mar 9 13:04:31 2007 +0200
Committer:  Avi Kivity <[EMAIL PROTECTED]>
CommitDate: Sun Mar 18 10:49:09 2007 +0200

    KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram
    
    PAGE_MASK is an unsigned long, so using it to mask physical addresses on
    i386 (which are 64-bit wide) leads to truncation.  This can result in
    page->private of unrelated memory pages being modified, with disasterous
    results.
    
    Fix by not using PAGE_MASK for physical addresses; instead calculate
    the correct value directly from PAGE_SIZE.  Also fix a similar BUG_ON().
    
    Acked-by: Ingo Molnar <[EMAIL PROTECTED]>
    Signed-off-by: Avi Kivity <[EMAIL PROTECTED]>
---
 drivers/kvm/mmu.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/kvm/mmu.c b/drivers/kvm/mmu.c
index 2cb4893..e85b4c7 100644
--- a/drivers/kvm/mmu.c
+++ b/drivers/kvm/mmu.c
@@ -131,7 +131,7 @@ static int dbg = 1;
        (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))
 
 
-#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & PAGE_MASK)
+#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
 #define PT64_DIR_BASE_ADDR_MASK \
        (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1))
 
@@ -406,8 +406,8 @@ static void rmap_write_protect(struct kvm_vcpu *vcpu, u64 
gfn)
                        spte = desc->shadow_ptes[0];
                }
                BUG_ON(!spte);
-               BUG_ON((*spte & PT64_BASE_ADDR_MASK) !=
-                      page_to_pfn(page) << PAGE_SHIFT);
+               BUG_ON((*spte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT
+                      != page_to_pfn(page));
                BUG_ON(!(*spte & PT_PRESENT_MASK));
                BUG_ON(!(*spte & PT_WRITABLE_MASK));
                rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte);
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to