From owner-svn-src-releng@FreeBSD.ORG  Wed Oct 29 16:49:30 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DDCF79EE;
 Wed, 29 Oct 2014 16:49:29 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id C9DB338E;
 Wed, 29 Oct 2014 16:49:29 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9TGnTiM034402;
 Wed, 29 Oct 2014 16:49:29 GMT (envelope-from neel@FreeBSD.org)
Received: (from neel@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9TGnTkH034400;
 Wed, 29 Oct 2014 16:49:29 GMT (envelope-from neel@FreeBSD.org)
Message-Id: <201410291649.s9TGnTkH034400@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: neel set sender to neel@FreeBSD.org
 using -f
From: Neel Natu <neel@FreeBSD.org>
Date: Wed, 29 Oct 2014 16:49:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r273832 - in releng/10.1/sys/amd64: amd64 vmm
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 16:49:30 -0000

Author: neel
Date: Wed Oct 29 16:49:28 2014
New Revision: 273832
URL: https://svnweb.freebsd.org/changeset/base/273832

Log:
  MFS10 r273573, MFC r273356:
  Fix a race in pmap_emulate_accessed_dirty() that could trigger a EPT
  misconfiguration VM-exit.
  
  MFS10 r273807, MFC r273666:
  Don't pass the 'error' return from an I/O port handler directly to vm_run().
  
  Approved by:	re (kib)

Modified:
  releng/10.1/sys/amd64/amd64/pmap.c
  releng/10.1/sys/amd64/vmm/vmm_ioport.c
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/sys/amd64/amd64/pmap.c
==============================================================================
--- releng/10.1/sys/amd64/amd64/pmap.c	Wed Oct 29 16:48:18 2014	(r273831)
+++ releng/10.1/sys/amd64/amd64/pmap.c	Wed Oct 29 16:49:28 2014	(r273832)
@@ -6787,9 +6787,19 @@ retry:
 	if (ftype == VM_PROT_WRITE) {
 		if ((*pte & PG_RW) == 0)
 			goto done;
-		*pte |= PG_M;
+		/*
+		 * Set the modified and accessed bits simultaneously.
+		 *
+		 * Intel EPT PTEs that do software emulation of A/D bits map
+		 * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE respectively.
+		 * An EPT misconfiguration is triggered if the PTE is writable
+		 * but not readable (WR=10). This is avoided by setting PG_A
+		 * and PG_M simultaneously.
+		 */
+		*pte |= PG_M | PG_A;
+	} else {
+		*pte |= PG_A;
 	}
-	*pte |= PG_A;
 
 	/* try to promote the mapping */
 	if (va < VM_MAXUSER_ADDRESS)

Modified: releng/10.1/sys/amd64/vmm/vmm_ioport.c
==============================================================================
--- releng/10.1/sys/amd64/vmm/vmm_ioport.c	Wed Oct 29 16:48:18 2014	(r273831)
+++ releng/10.1/sys/amd64/vmm/vmm_ioport.c	Wed Oct 29 16:49:28 2014	(r273832)
@@ -106,15 +106,14 @@ emulate_inout_port(struct vm *vm, int vc
 	uint32_t mask, val;
 	int error;
 
-	error = 0;
-	*retu = true;
-
-	if (vmexit->u.inout.port >= MAX_IOPORTS)
-		goto done;
-
-	handler = ioport_handler[vmexit->u.inout.port];
-	if (handler == NULL)
-		goto done;
+	/*
+	 * If there is no handler for the I/O port then punt to userspace.
+	 */
+	if (vmexit->u.inout.port >= MAX_IOPORTS ||
+	    (handler = ioport_handler[vmexit->u.inout.port]) == NULL) {
+		*retu = true;
+		return (0);
+	}
 
 	mask = vie_size2mask(vmexit->u.inout.bytes);
 
@@ -124,20 +123,27 @@ emulate_inout_port(struct vm *vm, int vc
 
 	error = (*handler)(vm, vcpuid, vmexit->u.inout.in,
 	    vmexit->u.inout.port, vmexit->u.inout.bytes, &val);
+	if (error) {
+		/*
+		 * The value returned by this function is also the return value
+		 * of vm_run(). This needs to be a positive number otherwise it
+		 * can be interpreted as a "pseudo-error" like ERESTART.
+		 *
+		 * Enforce this by mapping all errors to EIO.
+		 */
+		return (EIO);
+	}
 
-	if (!error) {
-		*retu = false;
-		if (vmexit->u.inout.in) {
-			vmexit->u.inout.eax &= ~mask;
-			vmexit->u.inout.eax |= val & mask;
-			error = vm_set_register(vm, vcpuid,
-			    VM_REG_GUEST_RAX, vmexit->u.inout.eax);
-			KASSERT(error == 0, ("emulate_ioport: error %d "
-			    "setting guest rax register", error));
-		}
+	if (vmexit->u.inout.in) {
+		vmexit->u.inout.eax &= ~mask;
+		vmexit->u.inout.eax |= val & mask;
+		error = vm_set_register(vm, vcpuid, VM_REG_GUEST_RAX,
+		    vmexit->u.inout.eax);
+		KASSERT(error == 0, ("emulate_ioport: error %d setting guest "
+		    "rax register", error));
 	}
-done:
-	return (error);
+	*retu = false;
+	return (0);
 }
 
 static int