lguest: Guest int3 fix

Ron Minnich noticed that guest userspace gets a GPF when it tries to int3:
we need to copy the privilege level from the guest-supplied IDT to the real
IDT. int3 is the only common case where guest userspace expects to invoke
an interrupt, so that's the symptom of failing to do this.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

+17 -7
drivers/lguest/interrupts_and_traps.c
··· 406 406 * deliver_trap() to bounce it back into the Guest. */ 407 407 static void default_idt_entry(struct desc_struct *idt, 408 408 int trap, 409 - const unsigned long handler) 409 + const unsigned long handler, 410 + const struct desc_struct *base) 410 411 { 411 412 /* A present interrupt gate. */ 412 413 u32 flags = 0x8e00; ··· 416 415 * the Guest to use the "int" instruction to trigger it. */ 417 416 if (trap == LGUEST_TRAP_ENTRY) 418 417 flags |= (GUEST_PL << 13); 418 + else if (base) 419 + /* Copy priv. level from what Guest asked for. This allows 420 + * debug (int 3) traps from Guest userspace, for example. */ 421 + flags |= (base->b & 0x6000); 419 422 420 423 /* Now pack it into the IDT entry in its weird format. */ 421 424 idt->a = (LGUEST_CS<<16) | (handler&0x0000FFFF); ··· 433 428 unsigned int i; 434 429 435 430 for (i = 0; i < ARRAY_SIZE(state->guest_idt); i++) 436 - default_idt_entry(&state->guest_idt[i], i, def[i]); 431 + default_idt_entry(&state->guest_idt[i], i, def[i], NULL); 437 432 } 438 433 439 434 /*H:240 We don't use the IDT entries in the "struct lguest" directly, instead ··· 447 442 /* We can simply copy the direct traps, otherwise we use the default 448 443 * ones in the Switcher: they will return to the Host. */ 449 444 for (i = 0; i < ARRAY_SIZE(cpu->arch.idt); i++) { 445 + const struct desc_struct *gidt = &cpu->arch.idt[i]; 446 + 450 447 /* If no Guest can ever override this trap, leave it alone. */ 451 448 if (!direct_trap(i)) 452 449 continue; ··· 456 449 /* Only trap gates (type 15) can go direct to the Guest. 457 450 * Interrupt gates (type 14) disable interrupts as they are 458 451 * entered, which we never let the Guest do. Not present 459 - * entries (type 0x0) also can't go direct, of course. */ 460 - if (idt_type(cpu->arch.idt[i].a, cpu->arch.idt[i].b) == 0xF) 461 - idt[i] = cpu->arch.idt[i]; 452 + * entries (type 0x0) also can't go direct, of course. 453 + * 454 + * If it can't go direct, we still need to copy the priv. 
level: 455 + * they might want to give userspace access to a software 456 + * interrupt. */ 457 + if (idt_type(gidt->a, gidt->b) == 0xF) 458 + idt[i] = *gidt; 462 459 else 463 - /* Reset it to the default. */ 464 - default_idt_entry(&idt[i], i, def[i]); 460 + default_idt_entry(&idt[i], i, def[i], gidt); 465 461 } 466 462 } 467 463
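Review bot: The new `base` parameter of default_idt_entry() is undocumented in the hunk that changes its signature; the comment block above the function (ending "deliver_trap() to bounce it back into the Guest.") should say that `base` is the Guest's own IDT entry for this trap and may be NULL, since the next hunk dereferences it only under `else if (base)` and setup_default_idt_entries() passes NULL.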
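Review bot: In the `else if (base)` hunk, `flags |= (base->b & 0x6000)` uses a bare magic mask where the line just above spells the same bit position out as `(GUEST_PL << 13)`; writing the mask as `(3 << 13)` or a named DPL mask keeps the two consistent. The masking itself is the right shape: only the two DPL bits are taken from the Guest-supplied descriptor, so the Guest cannot influence the present bit or gate type of the default entry, and the 0x8e00 base keeps it a present interrupt gate. A brace pair around the commented single statement would also make the if/else-if body easier to read.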
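Review bot: In the final copy_traps() hunk, the `else` branch dropped its "Reset it to the default." comment when it gained the `gidt` argument; the block comment above explains why DPL is still copied for non-direct entries, but a short note on the `else` line that this path now inherits only the Guest's privilege level (and otherwise resets to the Switcher default) would keep the intent obvious. Note also that for a not-present Guest entry (type 0x0) the copied DPL bits are whatever the Guest left there, which matches the previous behaviour of 0x8e00 (DPL 0) when they are clear.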