
[xen stable-4.13] x86/mm: correct TLB flush condition in _get_page_type()



commit c946524a65f3f7b795c48d304953be6d7672cfb6
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Jul 26 15:05:08 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jul 26 15:05:08 2022 +0200

    x86/mm: correct TLB flush condition in _get_page_type()
    
    When this logic was moved, it was moved across the point where nx is
    updated to hold the new type for the page. IOW originally it was
    equivalent to using x (and perhaps x would better have been used), but
    now it isn't anymore. Switch to using x, which then brings things in
    line again with the slightly earlier comment there (now) talking about
    transitions _from_ writable.
    
    I have to confess though that I cannot make a direct connection between
    the reported observed behavior of guests leaving several pages around
    with pending general references and the change here. Repeated testing,
    nevertheless, confirms the reported issue is no longer there.
    
    This is CVE-2022-33745 / XSA-408.
    
    Reported-by: Charles Arnold <carnold@xxxxxxxx>
    Fixes: 8cc5036bc385 ("x86/pv: Fix ABAC cmpxchg() race in _get_page_type()")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: a9949efb288fd6e21bbaf9d5826207c7c41cda27
    master date: 2022-07-26 14:54:34 +0200
---
 xen/arch/x86/mm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 12531d3bff..2e63008570 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -3080,7 +3080,7 @@ static int _get_page_type(struct page_info *page, 
unsigned long type,
             if ( unlikely(!cpumask_empty(mask)) &&
                  /* Shadow mode: track only writable pages. */
                  (!shadow_mode_enabled(d) ||
-                  ((nx & PGT_type_mask) == PGT_writable_page)) )
+                  ((x & PGT_type_mask) == PGT_writable_page)) )
             {
                 perfc_incr(need_flush_tlb_flush);
                 flush_tlb_mask(mask);
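Review bot: switching the operand from `nx` to `x` is the right call here, and the reason is worth a code comment next to the condition rather than only in the commit message: `x` is the type word read before the update while `nx` already holds the type being installed, so the old test asked "is the new type writable?" whereas the preceding "Shadow mode: track only writable pages" comment and the commit message's remark about transitions _from_ writable both require "was the old type writable?". In shadow mode the `nx` form therefore skipped the flush on writable-to-non-writable transitions and took it on transitions into writable instead. Since the commit message itself says the author cannot draw a direct line from this change to the reported symptom, a one-line comment stating that `x` (not `nx`) is intentional would keep a future move of this block from reintroducing the swap.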
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13
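The commit message describes a check that was moved past the point where `nx` is reassigned, so that a condition meant to look at the page's old type ended up looking at its new one. The toy model below is an added example, not Xen code: it reproduces that ordering with constructed type constants (the bit layout, `TYPE_*` values and `change_type()` are assumptions for illustration and do not match Xen's `page_info`), and lets the flush decision be run in both the pre-fix form (testing `nx`) and the fixed form (testing `x`) for the same transitions.

```c
/* Added example (not Xen code): toy model of the TLB-flush decision in
 * _get_page_type(). All constants and structures here are constructed
 * for illustration and do not reflect Xen's real page type encoding. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed type encoding: the low three bits hold the page type. */
#define TYPE_MASK      0x7u
#define TYPE_NONE      0x0u
#define TYPE_WRITABLE  0x1u
#define TYPE_L1_TABLE  0x2u

struct toy_page {
    uint32_t type;
};

/*
 * One type transition, ordered the way the commit message describes the
 * post-move code: nx (the NEW type word) is computed before the flush
 * decision runs. cpus_may_hold_tlb_entry stands in for the non-empty
 * cpumask, shadow_mode for shadow_mode_enabled(d). check_old_type selects
 * between the pre-fix operand (nx) and the fixed operand (x). Returns
 * true when the flush_tlb_mask() stand-in would have been invoked.
 */
static bool change_type(struct toy_page *p, uint32_t new_type,
                        bool cpus_may_hold_tlb_entry, bool shadow_mode,
                        bool check_old_type)
{
    uint32_t x  = p->type;                         /* previous type word */
    uint32_t nx = (x & ~TYPE_MASK) | new_type;     /* new type word      */
    uint32_t checked = check_old_type ? x : nx;
    bool flushed = false;

    if (cpus_may_hold_tlb_entry &&
        /* Shadow mode: track only writable pages, i.e. transitions
         * FROM writable, so the OLD type is the one that matters. */
        (!shadow_mode || ((checked & TYPE_MASK) == TYPE_WRITABLE)))
        flushed = true;                            /* flush_tlb_mask() stand-in */

    p->type = nx;
    return flushed;
}

/* Run a single from->to transition on a fresh toy page with other CPUs
 * assumed to possibly hold a TLB entry, and report whether it flushed. */
static bool run_transition(uint32_t from, uint32_t to,
                           bool shadow_mode, bool check_old_type)
{
    struct toy_page page = { .type = from };
    return change_type(&page, to, true, shadow_mode, check_old_type);
}

int main(void)
{
    /* Shadow mode, page was writable and becomes a page table:
     * the fixed condition flushes, the pre-fix one does not. */
    printf("writable->L1, fixed (x):  flush=%d\n",
           run_transition(TYPE_WRITABLE, TYPE_L1_TABLE, true, true));
    printf("writable->L1, prefix (nx): flush=%d\n",
           run_transition(TYPE_WRITABLE, TYPE_L1_TABLE, true, false));
    /* Outside shadow mode both forms flush whenever the mask is non-empty. */
    printf("writable->L1, no shadow:  flush=%d\n",
           run_transition(TYPE_WRITABLE, TYPE_L1_TABLE, false, false));
    return 0;
}
```

The interesting pair is the first two calls: same transition, same inputs, and only the choice of `x` versus `nx` decides whether the flush happens. That is the behavioural difference the one-line hunk above changes.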