From: Andrew Cooper Date: Fri, 25 Nov 2016 17:23:04 +0000 (+0000) Subject: x86/shadow: Fix #PFs from emulated writes crossing a page boundary X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~3367 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=f600fa5345d008ec686bfe2c579bbb37b11c7972;p=xen.git x86/shadow: Fix #PFs from emulated writes crossing a page boundary When translating the second frame of a write crossing a page boundary, mask the linear address down to the page boundary. This causes the correct %cr2 being reported to the guest in the case that the second frame suffers a pagefault during translation. Signed-off-by: Andrew Cooper Acked-by: Tim Deegan Reviewed-by: Jan Beulich --- diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 9f3bed9b05..1623a07bf9 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -1802,7 +1802,8 @@ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, else { /* This write crosses a page boundary. Translate the second page. */ - sh_ctxt->mfn[1] = emulate_gva_to_mfn(v, vaddr + bytes - 1, sh_ctxt); + sh_ctxt->mfn[1] = emulate_gva_to_mfn( + v, (vaddr + bytes - 1) & PAGE_MASK, sh_ctxt); if ( !mfn_valid(sh_ctxt->mfn[1]) ) return ((mfn_x(sh_ctxt->mfn[1]) == BAD_GVA_TO_GFN) ? MAPPING_EXCEPTION :
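Review bot: The comment above the new emulate_gva_to_mfn() call in the else branch still reads only "Translate the second page." and does not say why the address is now masked with PAGE_MASK. The reason is given only in the commit message: a pagefault during translation of the second frame should report the page-boundary address in %cr2, not the address of the write's last byte (vaddr + bytes - 1). Suggest carrying that into the code comment, for example "Translate the second page, using its base address so that a fault during translation reports the correct %cr2.", so that the mask is not later removed as unnecessary for the mfn lookup itself.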