[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] x86/mm: don't bypass preemption checks

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Tue, 03 Jul 2018 05:11:13 +0000
Delivery-date: Tue, 03 Jul 2018 05:11:15 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 2642b56ea54917c43ac03cb95b53f7dadf5c2ad6
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jun 28 12:26:25 2018 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jun 28 12:26:25 2018 +0200

    x86/mm: don't bypass preemption checks
    
    While unlikely, it is not impossible for a multi-vCPU guest to leverage
    bypasses of preemption checks to drive Xen into an unbounded loop.
    
    This is XSA-264.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/mm.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 48111f5fee..a430022595 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2546,7 +2546,7 @@ static int _put_page_type(struct page_info *page, bool_t 
preemptible,
                 nx = x & ~(PGT_validated|PGT_partial);
                 if ( unlikely((y = cmpxchg(&page->u.inuse.type_info,
                                            x, nx)) != x) )
-                    continue;
+                    goto maybe_preempt;
                 /* We cleared the 'valid bit' so we do the clean up. */
                 rc = _put_final_page_type(page, x, preemptible, ptpg);
                 ptpg = NULL;
@@ -2581,12 +2581,13 @@ static int _put_page_type(struct page_info *page, 
bool_t preemptible,
              */
             cpu_relax();
             y = page->u.inuse.type_info;
-            continue;
+            goto maybe_preempt;
         }
 
         if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) )
             break;
 
+    maybe_preempt:
         if ( preemptible && hypercall_preempt_check() )
             return -EINTR;
     }
@@ -2690,12 +2691,11 @@ static int __get_page_type(struct page_info *page, 
unsigned long type,
             if ( !(x & PGT_partial) )
             {
                 /* Someone else is updating validation of this page. Wait... */
-                while ( (y = page->u.inuse.type_info) == x )
-                {
+                do {
                     if ( preemptible && hypercall_preempt_check() )
                         return -EINTR;
                     cpu_relax();
-                }
+                } while ( (y = page->u.inuse.type_info) == x );
                 continue;
             }
             /* Type ref count was left at 1 when PGT_partial got set. */
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [xen stable-4.6] x86: correct default_xen_spec_ctrl calculation
Next by Date: [Xen-changelog] [xen stable-4.6] x86: Refine checks in #DB handler for faulting conditions
Previous by thread: [Xen-changelog] [xen stable-4.6] x86: correct default_xen_spec_ctrl calculation
Next by thread: [Xen-changelog] [xen stable-4.6] x86: Refine checks in #DB handler for faulting conditions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.