nestedhap_walk_L1_p2m() takes guest physical addresses, not frame numbers.
This means the l2 input is off-by-PAGE_SHIFT, as is the l1 value eventually
returned to the caller.

Delete the misleading comment as well.

Fixes: bab2bd8e222de ("xen/nested_p2m: Don't walk EPT tables with a regular PT walker")
Reported-by: Tamas K Lengyel <tamas@tklengyel.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Tamas K Lengyel <tamas@tklengyel.com>
---
xen/arch/x86/mm/p2m.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 487959b121..89a2b55c66 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1784,6 +1784,7 @@ unsigned long paging_gva_to_gfn(struct vcpu *v,
if ( is_hvm_vcpu(v) && paging_mode_hap(v->domain) && nestedhvm_is_n2(v) )
{
unsigned long l2_gfn, l1_gfn;
+ paddr_t l1_gpa;
struct p2m_domain *p2m;
const struct paging_mode *mode;
uint8_t l1_p2ma;
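Review bot: The new `paddr_t l1_gpa;` sits beside `unsigned long l2_gfn, l1_gfn;`, so frame numbers in this block are still untyped integers, and passing one where an address is expected compiles without complaint. The surrounding code already uses `gfn_x(INVALID_GFN)`, so as a follow-up consider carrying l2_gfn and l1_gfn as gfn_t and unwrapping them only at the return. The compiler would then reject a frame/address mix-up of the kind fixed here.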
@@ -1798,8 +1799,8 @@ unsigned long paging_gva_to_gfn(struct vcpu *v,
if ( l2_gfn == gfn_x(INVALID_GFN) )
return gfn_x(INVALID_GFN);
- /* translate l2 guest gfn into l1 guest gfn */
- rv = nestedhap_walk_L1_p2m(v, l2_gfn, &l1_gfn, &l1_page_order, &l1_p2ma,
+ rv = nestedhap_walk_L1_p2m(v, pfn_to_paddr(l2_gfn), &l1_gpa,
+ &l1_page_order, &l1_p2ma,
1,
!!(*pfec & PFEC_write_access),
!!(*pfec & PFEC_insn_fetch));
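Review bot: At the nestedhap_walk_L1_p2m() call, the old comment is deleted but nothing replaces it, so the reason for the `pfn_to_paddr(l2_gfn)` conversion is recorded only in the commit message. A one-line comment above the call saying that the walker takes and returns guest physical addresses, not frame numbers, would make the unit change visible at the call site and harder to undo by accident. The bare `1,` argument on the following line would benefit from a short annotation as well.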
@@ -1807,6 +1808,8 @@ unsigned long paging_gva_to_gfn(struct vcpu *v,
if ( rv != NESTEDHVM_PAGEFAULT_DONE )
return gfn_x(INVALID_GFN);
+ l1_gfn = paddr_to_pfn(l1_gpa);
+
/*
* Sanity check that l1_gfn can be used properly as a 4K mapping, even
* if it mapped by a nested superpage.
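Review bot: `l1_gfn = paddr_to_pfn(l1_gpa);` reads a variable that is declared without an initialiser, so it depends on nestedhap_walk_L1_p2m() having written l1_gpa whenever it returns NESTEDHVM_PAGEFAULT_DONE. Placing the conversion after the `rv != NESTEDHVM_PAGEFAULT_DONE` check is the right ordering. Either initialise l1_gpa at its declaration or state that output contract next to this line, so a later change to the walker's return paths cannot turn this into a read of stack garbage. Since the comment directly below is already adjacent to the change, "if it mapped by" could be corrected to "if it is mapped by" in the same patch.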
--
2.11.0
On Thu, Dec 31, 2020 at 12:11 PM Andrew Cooper
<andrew.cooper3@citrix.com> wrote:
>
> nestedhap_walk_L1_p2m() takes guest physical addresses, not frame numbers.
> This means the l2 input is off-by-PAGE_SHIFT, as is the l1 value eventually
> returned to the caller.
>
> Delete the misleading comment as well.
>
> Fixes: bab2bd8e222de ("xen/nested_p2m: Don't walk EPT tables with a regular PT walker")
> Reported-by: Tamas K Lengyel <tamas@tklengyel.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Wei Liu <wl@xen.org>
> CC: Tamas K Lengyel <tamas@tklengyel.com>
Thanks, issue is resolved with this patch applied.
Tested-by: Tamas K Lengyel <tamas@tklengyel.com>
On Thu, Dec 31, 2020 at 05:10:21PM +0000, Andrew Cooper wrote:
> nestedhap_walk_L1_p2m() takes guest physical addresses, not frame numbers.
> This means the l2 input is off-by-PAGE_SHIFT, as is the l1 value eventually
> returned to the caller.
>
> Delete the misleading comment as well.
>
> Fixes: bab2bd8e222de ("xen/nested_p2m: Don't walk EPT tables with a regular PT walker")
> Reported-by: Tamas K Lengyel <tamas@tklengyel.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Thanks, Roger.