[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.9] x86/mm: don't bypass preemption checks
commit c50b1f68ffb9b330d04031196bf1c3e8afc655d9 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Thu Jun 28 09:58:55 2018 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Jun 28 09:58:55 2018 +0200 x86/mm: don't bypass preemption checks While unlikely, it is not impossible for a multi-vCPU guest to leverage bypasses of preemption checks to drive Xen into an unbounded loop. This is XSA-264. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> master commit: 17608703c65bf080b0a9f024f9b370872b9f2c05 master date: 2018-06-28 09:03:09 +0200 --- xen/arch/x86/mm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 5c6d1bf2ef..1f1dcb369e 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2695,7 +2695,7 @@ static int _put_page_type(struct page_info *page, bool preemptible, nx = x & ~(PGT_validated|PGT_partial); if ( unlikely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x) ) - continue; + goto maybe_preempt; /* We cleared the 'valid bit' so we do the clean up. */ rc = _put_final_page_type(page, x, preemptible, ptpg); ptpg = NULL; @@ -2731,12 +2731,13 @@ static int _put_page_type(struct page_info *page, bool preemptible, */ cpu_relax(); y = page->u.inuse.type_info; - continue; + goto maybe_preempt; } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) break; + maybe_preempt: if ( preemptible && hypercall_preempt_check() ) return -EINTR; } @@ -2845,12 +2846,11 @@ static int __get_page_type(struct page_info *page, unsigned long type, if ( !(x & PGT_partial) ) { /* Someone else is updating validation of this page. Wait... */ - while ( (y = page->u.inuse.type_info) == x ) - { + do { if ( preemptible && hypercall_preempt_check() ) return -EINTR; cpu_relax(); - } + } while ( (y = page->u.inuse.type_info) == x ); continue; } /* Type ref count was left at 1 when PGT_partial got set. */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.9 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog |
Lists.xenproject.org is hosted with RackSpace, monitoring our |