[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.9] x86/shadow: fix ref-counting error handling
commit d3db9e36f360c4008c31088481a42369b9999c96 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Dec 12 14:40:26 2017 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Dec 12 14:40:26 2017 +0100 x86/shadow: fix ref-counting error handling The old-Linux handling in shadow_set_l4e() mistakenly ORed together the results of sh_get_ref() and sh_pin(). As the latter failing is not a correctness problem, simply ignore its return value. In sh_set_toplevel_shadow() a failing sh_get_ref() must not be accompanied by installing the entry, despite the domain being crashed. This is XSA-250. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Tim Deegan <tim@xxxxxxx> master commit: 10be8001de7d87be1f0ccdda75cc70e922e56d03 master date: 2017-12-12 14:29:45 +0100 --- xen/arch/x86/mm/shadow/multi.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index 1f68f51..93771d9 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -922,7 +922,7 @@ static int shadow_set_l4e(struct domain *d, shadow_l4e_t new_sl4e, mfn_t sl4mfn) { - int flags = 0, ok; + int flags = 0; shadow_l4e_t old_sl4e; paddr_t paddr; ASSERT(sl4e != NULL); @@ -937,15 +937,16 @@ static int shadow_set_l4e(struct domain *d, { /* About to install a new reference */ mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e); - ok = sh_get_ref(d, sl3mfn, paddr); - /* Are we pinning l3 shadows to handle wierd linux behaviour? */ - if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) - ok |= sh_pin(d, sl3mfn); - if ( !ok ) + + if ( !sh_get_ref(d, sl3mfn, paddr) ) { domain_crash(d); return SHADOW_SET_ERROR; } + + /* Are we pinning l3 shadows to handle weird Linux behaviour? */ + if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) + sh_pin(d, sl3mfn); } /* Write the new entry */ @@ -4030,14 +4031,15 @@ sh_set_toplevel_shadow(struct vcpu *v, /* Take a ref to this page: it will be released in sh_detach_old_tables() * or the next call to set_toplevel_shadow() */ - if ( !sh_get_ref(d, smfn, 0) ) + if ( sh_get_ref(d, smfn, 0) ) + new_entry = pagetable_from_mfn(smfn); + else { SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn)); domain_crash(d); + new_entry = pagetable_null(); } - new_entry = pagetable_from_mfn(smfn); - install_new_entry: /* Done. Install it */ SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n", -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.9 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |