path: root/fs/jbd2/commit.c
author: Paolo Bonzini <[email protected]> 2022-05-20 17:48:11 +0000
committer: Paolo Bonzini <[email protected]> 2022-05-20 17:49:52 +0000
commit: 9f46c187e2e680ecd9de7983e4d081c3391acc76 (patch)
tree: e3802ce121cb1e7ec221015f989715145074df4c /fs/jbd2/commit.c
parent: KVM: x86: hyper-v: fix type of valid_bank_mask (diff)
KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference. Fix it trivially by checking for mmu->invlpg before every call.

There are other possibilities:

- check for CR0.PG, because KVM (like all Intel processors after P5) flushes guest TLB on CR0.PG changes so that INVPCID/INVLPG are a nop with paging disabled

- check for EFER.LMA, because KVM syncs and flushes when switching MMU contexts outside of 64-bit mode

All of these are tricky, go for the simple solution.

This is CVE-2022-1789.

Reported-by: Yongkang Jia <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
Diffstat (limited to 'fs/jbd2/commit.c')
0 files changed, 0 insertions, 0 deletions