[thirdparty/kernel/stable-queue.git] / releases / 3.19.2 / kvm-emulate-fix-cmpxchg8b-on-32-bit-hosts.patch

From 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 12 Feb 2015 17:04:47 +0100
Subject: KVM: emulate: fix CMPXCHG8B on 32-bit hosts

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d upstream.

This has been broken for a long time: it broke first in 2.6.35, then was
almost fixed in 2.6.36 but this one-liner slipped through the cracks.
The bug shows up as an infinite loop in Windows 7 (and newer) boot on
32-bit hosts without EPT.

Windows uses CMPXCHG8B to write to page tables, which causes a
page fault if running without EPT; the emulator is then called from
kvm_mmu_page_fault.  The loop then happens if the higher 4 bytes are
not 0; the common case for this is that the NX bit (bit 63) is 1.

Fixes: 6550e1f165f384f3a46b60a1be9aba4bc3c2adad
Fixes: 16518d5ada690643453eb0aef3cc7841d3623c2d
Reported-by: Erik Rull <erik.rull@rdsoftware.de>
Tested-by: Erik Rull <erik.rull@rdsoftware.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/emulate.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4863,7 +4863,8 @@ int x86_emulate_insn(struct x86_emulate_
 		if (rc != X86EMUL_CONTINUE)
 			goto done;
 	}
-	ctxt->dst.orig_val = ctxt->dst.val;
+	/* Copy full 64-bit value for CMPXCHG8B.  */
+	ctxt->dst.orig_val64 = ctxt->dst.val64;
 
 special_insn:
Commit	Line	Data
103e869f GKH	1	From 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d Mon Sep 17 00:00:00 2001
	2	From: Paolo Bonzini <pbonzini@redhat.com>
	3	Date: Thu, 12 Feb 2015 17:04:47 +0100
	4	Subject: KVM: emulate: fix CMPXCHG8B on 32-bit hosts
	5
	6	From: Paolo Bonzini <pbonzini@redhat.com>
	7
	8	commit 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d upstream.
	9
	10	This has been broken for a long time: it broke first in 2.6.35, then was
	11	almost fixed in 2.6.36 but this one-liner slipped through the cracks.
	12	The bug shows up as an infinite loop in Windows 7 (and newer) boot on
	13	32-bit hosts without EPT.
	14
	15	Windows uses CMPXCHG8B to write to page tables, which causes a
	16	page fault if running without EPT; the emulator is then called from
	17	kvm_mmu_page_fault. The loop then happens if the higher 4 bytes are
	18	not 0; the common case for this is that the NX bit (bit 63) is 1.
	19
	20	Fixes: 6550e1f165f384f3a46b60a1be9aba4bc3c2adad
	21	Fixes: 16518d5ada690643453eb0aef3cc7841d3623c2d
	22	Reported-by: Erik Rull <erik.rull@rdsoftware.de>
	23	Tested-by: Erik Rull <erik.rull@rdsoftware.de>
	24	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	arch/x86/kvm/emulate.c \| 3 ++-
	29	1 file changed, 2 insertions(+), 1 deletion(-)
	30
	31	--- a/arch/x86/kvm/emulate.c
	32	+++ b/arch/x86/kvm/emulate.c
	33	@@ -4863,7 +4863,8 @@ int x86_emulate_insn(struct x86_emulate_
	34	if (rc != X86EMUL_CONTINUE)
	35	goto done;
	36	}
	37	- ctxt->dst.orig_val = ctxt->dst.val;
	38	+ /* Copy full 64-bit value for CMPXCHG8B. */
	39	+ ctxt->dst.orig_val64 = ctxt->dst.val64;
	40
	41	special_insn:
	42