[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] xen/arm: mm: Protect Xen page-table update with a spinlock



commit 36a1c7c213e13eb64d2c2d8aa9c5c805fe19020a
Author:     Julien Grall <julien.grall@xxxxxxx>
AuthorDate: Mon Mar 18 18:06:55 2019 +0000
Commit:     Julien Grall <julien.grall@xxxxxxx>
CommitDate: Thu Jun 13 13:07:58 2019 +0100

    xen/arm: mm: Protect Xen page-table update with a spinlock
    
    The function create_xen_entries() may be called concurrently. For
    instance, while the vmap allocation is protected by a spinlock, the
    mapping is not.
    
    The implementation create_xen_entries() contains quite a few TOCTOU
    races such as when allocating the 3rd-level page-tables.
    
    Thankfully, they are pretty hard to reach as page-tables are allocated
    once and never released. Yet it is possible, so we need to protect with
    a spinlock to avoid corrupting the page-tables.
    
    Signed-off-by: Julien Grall <julien.grall@xxxxxxx>
    Reviewed-by: Andrii Anisov <andrii.anisov@xxxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 xen/arch/arm/mm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 7ed8400993..6d69d7abf4 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -939,6 +939,8 @@ enum xenmap_operation {
     RESERVE
 };
 
+static DEFINE_SPINLOCK(xen_pt_lock);
+
 static int create_xen_entries(enum xenmap_operation op,
                               unsigned long virt,
                               mfn_t mfn,
@@ -950,6 +952,8 @@ static int create_xen_entries(enum xenmap_operation op,
     lpae_t pte, *entry;
     lpae_t *third = NULL;
 
+    spin_lock(&xen_pt_lock);
+
     for(; addr < addr_end; addr += PAGE_SIZE, mfn = mfn_add(mfn, 1))
     {
         entry = &xen_second[second_linear_offset(addr)];
@@ -1024,6 +1028,8 @@ out:
      */
     flush_xen_tlb_range_va(virt, PAGE_SIZE * nr_mfns);
 
+    spin_unlock(&xen_pt_lock);
+
     return rc;
 }
 
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.