Setting the dirty bit without the write bit in vIOMMU creates a spoofed
shadow stack PTE that misleads the guest OS. This results in infinite
PRI requests from the device, as no actual write permission is ever
granted - the guest OS treats the PTE as a legitimate shadow stack entry
and considers the permissions already correct.
Fixes: 65c4f0999991 ("intel_iommu: Set accessed and dirty bits during stage-1 translation")
Signed-off-by: Clement Mathieu--Drif <[email protected]>
Reviewed-by: Yi Liu <[email protected]>
---
hw/i386/intel_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index d24ba989bf..56146aafc1 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -2066,7 +2066,7 @@ static int vtd_iova_to_fspte(IntelIOMMUState *s,
VTDContextEntry *ce,
return -VTD_FR_FS_PAGING_ENTRY_RSVD;
}
- if (vtd_is_last_pte(fspte, *fspte_level) && is_write) {
+ if (vtd_is_last_pte(fspte, *fspte_level) && *writes && is_write) {
flag_ad |= VTD_FS_D;
}
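Review bot: the new guard on the `flag_ad |= VTD_FS_D` line requires `*writes` in addition to `is_write`, but nothing in the hunk says why both are needed, and a reader who only sees this condition cannot tell the two apart. Since `is_write` describes the requested access and `*writes` the write permission accumulated during the walk, a short comment above the condition, for example `/* Set D only when the write is actually permitted by the walk */`, would make the intent clear without a trip to the commit message. It would also be worth confirming in the description that `*writes` is already final at this point, since the check is placed on the last-level PTE and a permission bit cleared by a later step would again allow D to be set without the write bit.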
--
2.53.0