MFC r273356:

Fix a race in pmap_emulate_accessed_dirty() that could trigger a EPT misconfiguration VM-exit.
author: neel <neel@FreeBSD.org> 2014-10-24 03:48:54 +0000
committer: neel <neel@FreeBSD.org> 2014-10-24 03:48:54 +0000
commit: 295105e2bda13454d71f48645d885eeaf140c28a (patch)
tree: 4cb134ca55880f9a01e33fea5aa92b7b00259b5c /sys/amd64
parent: 8a1641d7862ee12fd3dd4c98e7057eacc0bfbdb6 (diff)
download: FreeBSD-src-295105e2bda13454d71f48645d885eeaf140c28a.zip
FreeBSD-src-295105e2bda13454d71f48645d885eeaf140c28a.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c
index 5ee64da..f77edcb 100644
--- a/sys/amd64/amd64/pmap.c
+++ b/sys/amd64/amd64/pmap.c
@@ -6791,9 +6791,19 @@ retry:
 	if (ftype == VM_PROT_WRITE) {
 		if ((*pte & PG_RW) == 0)
 			goto done;
-		*pte |= PG_M;
+		/*
+		 * Set the modified and accessed bits simultaneously.
+		 *
+		 * Intel EPT PTEs that do software emulation of A/D bits map
+		 * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE respectively.
+		 * An EPT misconfiguration is triggered if the PTE is writable
+		 * but not readable (WR=10). This is avoided by setting PG_A
+		 * and PG_M simultaneously.
+		 */
+		*pte |= PG_M | PG_A;
+	} else {
+		*pte |= PG_A;
 	}
-	*pte |= PG_A;
 
 	/* try to promote the mapping */
 	if (va < VM_MAXUSER_ADDRESS)
author	neel <neel@FreeBSD.org>	2014-10-24 03:48:54 +0000
committer	neel <neel@FreeBSD.org>	2014-10-24 03:48:54 +0000
commit	295105e2bda13454d71f48645d885eeaf140c28a (patch)
tree	4cb134ca55880f9a01e33fea5aa92b7b00259b5c /sys/amd64
parent	8a1641d7862ee12fd3dd4c98e7057eacc0bfbdb6 (diff)
download	FreeBSD-src-295105e2bda13454d71f48645d885eeaf140c28a.zip FreeBSD-src-295105e2bda13454d71f48645d885eeaf140c28a.tar.gz