On 30/11/20 18:41, Sean Christopherson wrote:
>> pmd1 and pmd2 point to the same pte table, so:
>> ptr1 and ptr3 point to the same page.
>> ptr2 and ptr4 point to the same page.
>>
>> The guest read-accesses ptr1 first. So the hypervisor gets the shadow pte
>> page table with role.access=u-- among other things. (Note the shadowed
>> pmd1's access is uwx.)
>>
>> And then the guest write-accesses ptr2, and the hypervisor sets up a shadow
>> page for ptr2. (Note the hypervisor silently accepts the role.access=u--
>> shadow pte page table in FNAME(fetch).)
>>
>> After that, the guest read-accesses ptr3; the hypervisor reuses the same
>> shadow pte page table as above.
>>
>> At last, the guest writes to ptr4 without a vmexit or pagefault, which
>> should cause a vmexit as the guest expects.
>
> Hmm, yes, KVM would incorrectly handle this scenario. But, the proposed
> patch would not address the issue as KVM always maps non-leaf shadow pages
> with full access permissions.

Can we have a testcase in kvm-unit-tests? It's okay of course if it only fails with ept=0.
Paolo

