From f3149d8d8db5ecd73c4c4395922a2d9f674adbd3 Mon Sep 17 00:00:00 2001 From: Michael Young Date: Apr 18 2016 20:52:02 +0000 Subject: x86 shadow pagetables: address width overflow [XSA-173, CVE-2016-3960] (#1328118) Qemu: net: buffer overflow in stellaris_enet emulator [CVE-2016-4001] (#1325886) Qemu: net: buffer overflow in MIPSnet emulator [CVE-2016-4002] (#1326084) qemu: Infinite loop vulnerability in usb_ehci using siTD process [CVE-2016-4037] (#1328081)
---
diff --git a/qemu.CVE-2016-4002.patch b/qemu.CVE-2016-4002.patch
new file mode 100644
index 0000000..617f1d6
--- /dev/null
+++ b/qemu.CVE-2016-4002.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit
+
+When receiving packets over MIPSnet network device, it uses
+ receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk
+
+Signed-off-by: Prasad J Pandit
+---
+ tools/qemu-xen/hw/net/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/qemu-xen/hw/net/mipsnet.c b/tools/qemu-xen/hw/net/mipsnet.c
+index f261011..e134b31 100644
+--- a/tools/qemu-xen/hw/net/mipsnet.c
++++ b/tools/qemu-xen/hw/net/mipsnet.c
+@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+ if (!mipsnet_can_receive(nc))
+ return -1;
+
++ if (size >= sizeof(s->rx_buffer)) {
++ return -1;
++ }
+ s->busy = 1;
+
+ /* Just accept everything. */
+--
+2.5.5
+
diff --git a/qemu.CVE-2016-4037.patch b/qemu.CVE-2016-4037.patch
new file mode 100644
index 0000000..b19df5f
--- /dev/null
+++ b/qemu.CVE-2016-4037.patch
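Review bot: The guard `if (size >= sizeof(s->rx_buffer))` added to mipsnet_receive in qemu.CVE-2016-4002.patch also rejects a frame whose length is exactly the buffer size, and nothing in the code says whether that is intended. The patch description gives the buffer as 1514 bytes, which is the size of a maximum-length Ethernet frame without FCS, so such frames are now dropped. The copy into `rx_buffer` is outside the hunk, so it cannot be confirmed from here whether `size == sizeof(s->rx_buffer)` would actually overrun; if the stricter bound is deliberate, a comment such as `/* frames must be strictly smaller than rx_buffer; oversized frames are dropped */` would record that. The drop is also silent, so a trace or counter at this point would help when diagnosing or detecting oversized traffic. The same check is added in qemu.trad.CVE-2016-4002.patch.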
@@ -0,0 +1,63 @@
+------------------------------------------------------------------------
+*From*: Gerd Hoffmann
+*Subject*: [Qemu-devel] [PATCH 1/2] ehci: apply limit to itd/sidt
+descriptors
+*Date*: Mon, 18 Apr 2016 11:27:22 +0200
+
+------------------------------------------------------------------------
+
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
+DoS by the guest (create a circular itd queue and let qemu ehci
+emulation run in circles forever). Unfortunaly this has two problems:
+First it misses the case of sitds, and second it reportly breaks
+freebsd.
+
+So lets go for a different approach: just count the number of itds and
+sitds we have seen per frame and apply a limit. That should really
+catch all cases now.
+
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-ehci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
+index 159f58d..923f110 100644
+--- a/tools/qemu-xen/hw/usb/hcd-ehci.c
++++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
+@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
+ static void ehci_advance_state(EHCIState *ehci, int async)
+ {
+ EHCIQueue *q = NULL;
++ int idt_count = 0;
+ int again;
+
+ do {
+@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+
+ case EST_FETCHITD:
+ again = ehci_state_fetchitd(ehci, async);
++ idt_count++;
+ break;
+
+ case EST_FETCHSITD:
+ again = ehci_state_fetchsitd(ehci, async);
++ idt_count++;
+ break;
+
+ case EST_ADVANCEQUEUE:
+@@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+ ehci_reset(ehci);
+ again = 0;
+ }
++
++ /* limit the amout of idts we are willing to process each frame */
++ if (idt_count > 16) {
++ again = 0;
++ }
+ }
+ while (again);
+ }
+--
+1.8.3.1
+
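Review bot: The cutoff in `if (idt_count > 16)` at the end of the loop in ehci_advance_state is a bare literal, and the loop ends silently when it trips. The patch text says the previous fix reportedly broke FreeBSD, so the bound matters for well-behaved guests as well as hostile ones; a named constant with a comment on why 16 descriptors per call is sufficient would make it reviewable. A trace point or guest-error log where `again = 0` is forced would let an operator notice a guest that builds a circular iTD/siTD list instead of the condition passing unseen. The counter is incremented for both `EST_FETCHITD` and `EST_FETCHSITD` and is spelled `idt`, so a name like `itd_sitd_count` would describe it more accurately. The body of ehci_advance_state extends beyond the three inner hunks, so how state is left after the forced exit is not visible here.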
diff --git a/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch b/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch
deleted file mode 100644
index 6cd271d..0000000
--- a/qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 14 Dec 2015 09:21:23 +0100
-Subject: [PATCH] ehci: make idt processing more robust
-
-Make ehci_process_itd return an error in case we didn't do any actual
-iso transfer because we've found no active transaction. That'll avoid
-ehci happily run in circles forever if the guest builds a loop out of
-idts.
-
-This is CVE-2015-8558.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Qinghao Tang
-Tested-by: P J P
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/hcd-ehci.c | 5 +++--
- 1 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
-index 4e2161b..d07f228 100644
---- a/tools/qemu-xen/hw/usb/hcd-ehci.c
-+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
-@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
- {
- USBDevice *dev;
- USBEndpoint *ep;
-- uint32_t i, len, pid, dir, devaddr, endp;
-+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
- uint32_t pg, off, ptr1, ptr2, max, mult;
-
- ehci->periodic_sched_active = PERIODIC_ACTIVE;
-@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
- ehci_raise_irq(ehci, USBSTS_INT);
- }
- itd->transact[i] &= ~ITD_XACT_ACTIVE;
-+ xfers++;
- }
- }
-- return 0;
-+ return xfers ? 0 : -1;
- }
-
-
---
-1.7.0.4
-
diff --git a/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch b/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch
new file mode 100644
index 0000000..0373190
--- /dev/null
+++ b/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch
@@ -0,0 +1,46 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk
+Signed-off-by: Prasad J Pandit
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ tools/qemu-xen/hw/net/stellaris_enet.c | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/net/stellaris_enet.c b/tools/qemu-xen/hw/net/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/tools/qemu-xen/hw/net/stellaris_enet.c
++++ b/tools/qemu-xen/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+- s->np++;
+
++ if (size >= sizeof(s->rx[n].data) - 6) {
++ /* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++ s->ris |= SE_INT_FOV;
++ stellaris_enet_update(s);
++ return -1;
++ }
++
++ s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+--
+1.7.0.4
+
diff --git a/qemu.trad.CVE-2016-4001.patch b/qemu.trad.CVE-2016-4001.patch
new file mode 100644
index 0000000..9ca362f
--- /dev/null
+++ b/qemu.trad.CVE-2016-4001.patch
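Review bot: The literal `6` in `if (size >= sizeof(s->rx[n].data) - 6)` has to stay in step with the `size + 6` stored in `s->rx[n].len` and written as the length prefix just below, but nothing in the code ties the three together or says what the six bytes are. A named constant, or at least a comment such as `/* 6 = framing bytes stored around the payload, see size + 6 below */`, would keep the bound and the stored length from drifting apart in a later change. The writes that follow the length prefix are outside the hunk, so it cannot be confirmed from here that `size + 6` is the full extent written into `data`; that is worth checking against the rest of stellaris_enet_receive. The same lines are added by qemu.trad.CVE-2016-4001.patch.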
@@ -0,0 +1,46 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk
+Signed-off-by: Prasad J Pandit
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ tools/qemu-xen-traditional/hw/stellaris_enet.c | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/stellaris_enet.c b/tools/qemu-xen-traditional/hw/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/tools/qemu-xen-traditional/hw/stellaris_enet.c
++++ b/tools/qemu-xen-traditional/hw/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+- s->np++;
+
++ if (size >= sizeof(s->rx[n].data) - 6) {
++ /* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++ s->ris |= SE_INT_FOV;
++ stellaris_enet_update(s);
++ return -1;
++ }
++
++ s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+--
+1.7.0.4
+
diff --git a/qemu.trad.CVE-2016-4002.patch b/qemu.trad.CVE-2016-4002.patch
new file mode 100644
index 0000000..e122297
--- /dev/null
+++ b/qemu.trad.CVE-2016-4002.patch
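Review bot: The added `return -1;` in this qemu-xen-traditional copy is carried over unchanged from the qemu-xen version of the patch, and the inner header (`index 84cf60b..6880894`, `NetClientState *nc` in the hunk line) is identical as well, so nothing here shows the change was checked against the traditional tree. The traditional MIPSnet patch in this same commit uses bare `return;` in its receive handler, which suggests that tree's receive callbacks return void; if stellaris_enet_receive does too, the new line should read `return;`. It is also worth confirming that `SE_INT_FOV` and `stellaris_enet_update()` exist in qemu-xen-traditional, since neither is defined in the hunk.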
@@ -0,0 +1,31 @@
+From: Prasad J Pandit
+
+When receiving packets over MIPSnet network device, it uses
+ receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk
+
+Signed-off-by: Prasad J Pandit
+---
+ tools/qemu-xen-traditional/hw/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/qemu-xen-traditional/hw/mipsnet.c b/tools/qemu-xen-traditional/hw/mipsnet.c
+index f261011..e134b31 100644
+--- a/tools/qemu-xen-traditional/hw/mipsnet.c
++++ b/tools/qemu-xen-traditional/hw/mipsnet.c
+@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+ if (!mipsnet_can_receive(opaque))
+ return;
+
++ if (size >= sizeof(s->rx_buffer)) {
++ return;
++ }
+ s->busy = 1;
+
+ /* Just accept everything. */
+--
+2.5.5
+
diff --git a/xen.spec b/xen.spec
index 88a3e6c..fa59e93 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.6.1 -Release: 5%{?dist} +Release: 6%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/
@@ -106,7 +106,6 @@ Patch54: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch Patch55: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch Patch60: xsa164.patch Patch66: qemu.git-43b11a91dd861a946b231b89b754285.patch -Patch67: qemu.git-156a2e4dbffa85997636a7a39ef12da6f1b40254.patch Patch68: qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch Patch69: qemu.git-a7278b36fcab9af469563bd7b.patch Patch70: qemu.git-c6048f849c7e3f009786df76206e895.patch
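Review bot: The inner hunk line of qemu.trad.CVE-2016-4002.patch still names `mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si` while the context calls `mipsnet_can_receive(opaque)` and returns with bare `return;`, so the real signature in qemu-xen-traditional, and in particular the type of `size`, cannot be read from this patch. If `size` is a signed `int` in that tree, `size >= sizeof(s->rx_buffer)` is evaluated as an unsigned comparison, which also rejects negative lengths but only implicitly; a comment such as `/* size is converted to size_t here, so negative lengths are rejected too */` would make that visible. Regenerating the patch against the traditional tree would also replace the copied `index f261011..e134b31` line and hunk header with ones that match the file being patched.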
@@ -134,6 +133,12 @@ Patch91: qemu.CVE-2015-8817+8.patch Patch92: qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475.patch Patch93: xen.glibc.fix.patch Patch94: xsa172.patch +Patch95: xsa173-4.6.patch +Patch96: qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch +Patch97: qemu.trad.CVE-2016-4001.patch +Patch98: qemu.CVE-2016-4002.patch +Patch99: qemu.trad.CVE-2016-4002.patch +Patch100: qemu.CVE-2016-4037.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -341,7 +346,6 @@ manage Xen virtual machines. %patch55 -p1 %patch60 -p1 %patch66 -p1 -%patch67 -p1 %patch68 -p1 %patch69 -p1 %patch70 -p1 @@ -369,6 +373,12 @@ manage Xen virtual machines. %patch92 -p1 %patch93 -p1 %patch94 -p1 +%patch95 -p1 +%patch96 -p1 +%patch97 -p1 +%patch98 -p1 +%patch99 -p1 +%patch100 -p1 # stubdom sources cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom @@ -895,6 +905,15 @@ rm -rf %{buildroot} %endif %changelog +* Mon Apr 18 2016 Michael Young - 4.6.1-6 +- x86 shadow pagetables: address width overflow [XSA-173, CVE-2016-3960] + (#1328118) +- Qemu: net: buffer overflow in stellaris_enet emulator [CVE-2016-4001] + (#1325886) +- Qemu: net: buffer overflow in MIPSnet emulator [CVE-2016-4002] (#1326084) +- qemu: Infinite loop vulnerability in usb_ehci using siTD process + [CVE-2016-4037] (#1328081) (supercedes CVE-2015-8558 patch) + * Sun Apr 03 2016 Michael Young - 4.6.1-5 - build with -fno-tree-coalesce-vars to avoid a crash on boot diff --git a/xsa173-4.6.patch b/xsa173-4.6.patch new file mode 100644 index 0000000..aecf120 --- /dev/null +++ b/xsa173-4.6.patch 
@@ -0,0 +1,244 @@ +commit 54a4651cb4e744960fb375ed99909d7dfb943caf +Author: Tim Deegan +Date: Wed Mar 16 16:51:27 2016 +0000 + + x86: limit GFNs to 32 bits for shadowed superpages. + + Superpage shadows store the shadowed GFN in the backpointer field, + which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage + mapping of a guest-physical address above 2^44 would lead to the GFN + being truncated there, and a crash when we come to remove the shadow + from the hash table. + + Track the valid width of a GFN for each guest, including reporting it + through CPUID, and enforce it in the shadow pagetables. Set the + maximum witth to 32 for guests where this truncation could occur. + + This is XSA-173. + + Signed-off-by: Tim Deegan + 
Signed-off-by: Jan Beulich + +Reported-by: Ling Liu +diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c +index 35ef21b..528c283 100644 +--- a/xen/arch/x86/cpu/common.c ++++ b/xen/arch/x86/cpu/common.c +@@ -38,6 +38,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx); + const struct cpu_dev *__read_mostly cpu_devs[X86_VENDOR_NUM] = {}; + + unsigned int paddr_bits __read_mostly = 36; ++unsigned int hap_paddr_bits __read_mostly = 36; + + /* + * Default host IA32_CR_PAT value to cover all memory types. +@@ -211,7 +212,7 @@ static void __init early_cpu_detect(void) + + static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + { +- u32 tfms, capability, excap, ebx; ++ u32 tfms, capability, excap, ebx, eax; + + /* Get vendor name */ + cpuid(0x00000000, &c->cpuid_level, +@@ -248,8 +249,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + } + if ( c->extended_cpuid_level >= 0x80000004 ) + get_model_name(c); /* Default name */ +- if ( c->extended_cpuid_level >= 0x80000008 ) +- paddr_bits = cpuid_eax(0x80000008) & 0xff; ++ if ( c->extended_cpuid_level >= 0x80000008 ) { ++ eax = cpuid_eax(0x80000008); ++ paddr_bits = eax & 0xff; ++ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; ++ } + } + + /* Might lift BIOS max_leaf=3 limit. 
*/ +diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c +index e200aab..0b4d9f0 100644 +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4567,8 +4567,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx, + break; + + case 0x80000008: +- count = cpuid_eax(0x80000008); +- count = (count >> 16) & 0xff ?: count & 0xff; ++ count = d->arch.paging.gfn_bits + PAGE_SHIFT; + if ( (*eax & 0xff) > count ) + *eax = (*eax & ~0xff) | count; + +diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c +index 773454d..06543d3 100644 +--- a/xen/arch/x86/mm/guest_walk.c ++++ b/xen/arch/x86/mm/guest_walk.c +@@ -93,6 +93,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn, + struct page_info *page; + void *map; + ++ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits ) ++ { ++ *rc = _PAGE_INVALID_BIT; ++ return NULL; ++ } ++ + /* Translate the gfn, unsharing if shared */ + page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL, + q); +@@ -326,20 +332,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, + flags &= ~_PAGE_PAT; + + if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 ) +- { +-#if GUEST_PAGING_LEVELS == 2 +- /* +- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a +- * no-op here. +- * +- * Architecturally, the walk should fail if bit 21 is set (others +- * aren't being checked at least in PSE36 mode), but we'll ignore +- * this here in order to avoid specifying a non-natural, non-zero +- * _PAGE_INVALID_BITS value just for that case. +- */ +-#endif + rc |= _PAGE_INVALID_BITS; +- } ++ + /* Increment the pfn by the right number of 4k pages. + * Mask out PAT and invalid bits. */ + start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) + +@@ -422,5 +416,11 @@ set_ad: + put_page(mfn_to_page(mfn_x(gw->l1mfn))); + } + ++ /* If this guest has a restricted physical address space then the ++ * target GFN must fit within it. 
*/ ++ if ( !(rc & _PAGE_PRESENT) ++ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits ) ++ rc |= _PAGE_INVALID_BITS; ++ + return rc; + } +diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c +index 6eb2167..f3475c6 100644 +--- a/xen/arch/x86/mm/hap/hap.c ++++ b/xen/arch/x86/mm/hap/hap.c +@@ -448,6 +448,8 @@ void hap_domain_init(struct domain *d) + { + INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist); + ++ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT; ++ + /* Use HAP logdirty mechanism. */ + paging_log_dirty_init(d, hap_enable_log_dirty, + hap_disable_log_dirty, +diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c +index bad8360..98d0d2c 100644 +--- a/xen/arch/x86/mm/shadow/common.c ++++ b/xen/arch/x86/mm/shadow/common.c +@@ -51,6 +51,16 @@ int shadow_domain_init(struct domain *d, unsigned int domcr_flags) + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist); + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows); + ++ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT; ++#ifndef CONFIG_BIGMEM ++ /* ++ * Shadowed superpages store GFNs in 32-bit page_info fields. ++ * Note that we cannot use guest_supports_superpages() here. 
++ */ ++ if ( !is_pv_domain(d) || opt_allow_superpage ) ++ d->arch.paging.gfn_bits = 32; ++#endif ++ + /* Use shadow pagetables for log-dirty support */ + paging_log_dirty_init(d, sh_enable_log_dirty, + sh_disable_log_dirty, sh_clean_dirty_bitmap); +diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c +index 43c9488..71477fe 100644 +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -525,7 +525,8 @@ _sh_propagate(struct vcpu *v, + ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); + + /* Check there's something for the shadows to map to */ +- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) ) ++ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) ++ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits ) + { + *sp = shadow_l1e_empty(); + goto done; +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index c6c6e71..74c3a52 100644 +--- a/xen/include/asm-x86/domain.h ++++ b/xen/include/asm-x86/domain.h +@@ -193,6 +193,9 @@ struct paging_domain { + /* log dirty support */ + struct log_dirty_domain log_dirty; + ++ /* Number of valid bits in a gfn. */ ++ unsigned int gfn_bits; ++ + /* preemption handling */ + struct { + const struct domain *dom; +diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h +index f8a0d76..b5db401 100644 +--- a/xen/include/asm-x86/guest_pt.h ++++ b/xen/include/asm-x86/guest_pt.h +@@ -210,15 +210,17 @@ guest_supports_nx(struct vcpu *v) + } + + +-/* Some bits are invalid in any pagetable entry. */ +-#if GUEST_PAGING_LEVELS == 2 +-#define _PAGE_INVALID_BITS (0) +-#elif GUEST_PAGING_LEVELS == 3 +-#define _PAGE_INVALID_BITS \ +- get_pte_flags(((1ull<<63) - 1) & ~((1ull<