
[xen master] evtchn: relax port_is_valid()



commit e59ce972d1280c6c55065da822e0860845582053
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Sep 22 15:48:52 2020 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 22 15:48:52 2020 +0200

    evtchn: relax port_is_valid()
    
    To avoid ports potentially becoming invalid behind the back of certain
    other functions (due to ->max_evtchn shrinking) because of
    - a guest invoking evtchn_reset() and from a 2nd vCPU opening new
      channels in parallel (see also XSA-343),
    - alloc_unbound_xen_event_channel() produced channels living above the
      2-level range (see also XSA-342),
    drop the max_evtchns check from port_is_valid(). For a port for which
    the function once returned "true", the returned value may not turn into
    "false" later on. The function's result may only depend on bounds which
    can only ever grow (which is the case for d->valid_evtchns).
    
    This also eliminates a false sense of safety, utilized by some of the
    users (see again XSA-343): Without a suitable lock held, d->max_evtchns
    may change at any time, and hence deducing that certain other operations
    are safe when port_is_valid() returned true is not legitimate. The
    opportunities to abuse this may get widened by the change here
    (depending on guest and host configuration), but will be taken care of
    by the other XSA.
    
    This is XSA-338.
    
    Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 xen/include/xen/event.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h
index a7798f6765..ce45298377 100644
--- a/xen/include/xen/event.h
+++ b/xen/include/xen/event.h
@@ -107,8 +107,6 @@ void notify_via_xen_event_channel(struct domain *ld, int 
lport);
 
 static inline bool_t port_is_valid(struct domain *d, unsigned int p)
 {
-    if ( p >= d->max_evtchns )
-        return 0;
     return p < read_atomic(&d->valid_evtchns);
 }
 
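Review bot: port_is_valid() is left without a comment stating its new contract, and with the two `d->max_evtchns` lines removed nothing at the function says why that bound is no longer consulted. A short comment above the function would help future readers: the result depends only on d->valid_evtchns, which per the commit message can only grow, so a port once reported valid stays valid, and a true result does not imply `p < d->max_evtchns`. Callers that need the max_evtchns bound must check it themselves with a suitable lock held. The commit message defers those callers to XSA-343 and notes that the opportunities for abuse may widen until then, so it is worth confirming that the companion fixes land together with this change.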
--
generated by git-patchbot for /home/xen/git/xen.git#master



 

