
[Xen-changelog] [xen stable-4.7] x86: discard type information when stealing pages

commit a7f041aa8a3df2829eba8650331a57bdd04c08f2
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue May 2 14:58:17 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue May 2 14:58:17 2017 +0200

    x86: discard type information when stealing pages

    While a page having just a single general reference left necessarily
    has a zero type reference count too, its type may still be valid (and
    in validated state; at present this is only possible and relevant for
    PGT_seg_desc_page, as page tables have their type forcibly zapped when
    their type reference count drops to zero, and
    PGT_{writable,shared}_page pages don't require any validation). In
    such a case when the page is being re-used with the same type again,
    validation is being skipped. As validation criteria differ between
    32- and 64-bit guests, pages to be transferred between guests need to
    have their validation indicator zapped (and with it we zap all other
    type information at once).

    This is XSA-214.

    Reported-by: Jann Horn <jannh@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: eaf537342c909875c10f49b06e17493655410681
    master date: 2017-05-02 14:46:58 +0200
 xen/arch/x86/mm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 8162e52..d5e7004 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4417,6 +4417,17 @@ int steal_page(
         y = cmpxchg(&page->count_info, x, x & ~PGC_count_mask);
     } while ( y != x );
+    /*
+     * With the sole reference dropped temporarily, no-one can update type
+     * information. Type count also needs to be zero in this case, but e.g.
+     * PGT_seg_desc_page may still have PGT_validated set, which we need to
+     * clear before transferring ownership (as validation criteria vary
+     * depending on domain type).
+     */
+    BUG_ON(page->u.inuse.type_info & (PGT_count_mask | PGT_locked |
+                                      PGT_pinned));
+    page->u.inuse.type_info = 0;
     /* Swizzle the owner then reinstate the PGC_allocated reference. */
     page_set_owner(page, NULL);
     y = page->count_info;
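
Review bot: the comment above the BUG_ON() accounts only for the type count ("Type count also needs to be zero in this case"), while the assertion also covers PGT_locked and PGT_pinned; a sentence saying why neither flag can be set once the sole general reference has been dropped would let a reader check the assertion against the invariant rather than take it on trust. Since steal_page() returns int, the comment or the commit message should also say why a violation is handled with BUG_ON(), which brings the whole host down, instead of an error return to the caller. The plain store page->u.inuse.type_info = 0 is only safe because, as the comment says, no-one can update type information while the reference is dropped, so it must stay between the cmpxchg loop and the page_set_owner() call; stating that placement requirement in the comment would guard against a later reordering of these steps.
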
generated by git-patchbot for /home/xen/git/xen.git#stable-4.7
