[xen stable-4.17] Arm: adjust locking in p2m_get_page_from_gfn()
commit 267fdd429fc3b0a71aaac3f3651ef9382a5a58f5 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Sep 9 14:28:03 2025 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 9 14:28:03 2025 +0200 Arm: adjust locking in p2m_get_page_from_gfn() In order to safely acquire a reference for a foreign page mapping, the P2M lock needs to be held until we have the reference in hand (or getting one failed). Otherwise the page can change P2M type and ownership in between. This is CVE-2025-58145 / part of XSA-473. Fixes: 9486a8d07ba8 ("xen/arm: Handle remove foreign mapping") Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx> master commit: 2275bf83a1db579661b27fc4b310a7d92594dbc0 master date: 2025-09-09 14:12:57 +0200 --- xen/arch/arm/p2m.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index 3738fdf1a4..1e66da3eb8 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -597,18 +597,22 @@ mfn_t p2m_lookup(struct domain *d, gfn_t gfn, p2m_type_t *t) struct page_info *p2m_get_page_from_gfn(struct domain *d, gfn_t gfn, p2m_type_t *t) { + struct p2m_domain *p2m = p2m_get_hostp2m(d); struct page_info *page; p2m_type_t p2mt; - mfn_t mfn = p2m_lookup(d, gfn, &p2mt); + mfn_t mfn; + + p2m_read_lock(p2m); + mfn = p2m_get_entry(p2m, gfn, &p2mt, NULL, NULL, NULL); if ( t ) *t = p2mt; - if ( !p2m_is_any_ram(p2mt) ) - return NULL; - - if ( !mfn_valid(mfn) ) + if ( !p2m_is_any_ram(p2mt) || !mfn_valid(mfn) ) + { + p2m_read_unlock(p2m); return NULL; + } page = mfn_to_page(mfn); @@ -620,6 +624,8 @@ struct page_info *p2m_get_page_from_gfn(struct domain *d, gfn_t gfn, { const struct domain *fdom = page_get_owner_and_reference(page); + p2m_read_unlock(p2m); + if ( fdom ) { if ( fdom != d ) 
@@ -630,6 +636,8 @@ struct page_info *p2m_get_page_from_gfn(struct domain *d, gfn_t gfn, return NULL; } + p2m_read_unlock(p2m); + return get_page(page, d) ? page : NULL; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17
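Review bot: In the first hunk (@@ -597,18 +597,22), at the new `p2m_read_lock(p2m);`, the code carries no comment on why the lock is taken here and held past `page_get_owner_and_reference(page)`; that reasoning lives only in the commit message. A short comment above the lock stating that the P2M lock must stay held until the reference is in hand (or getting one failed) would keep a later cleanup from switching back to `p2m_lookup(d, gfn, &p2mt)`. Since the unlock is now repeated on every exit path (three calls across the patch), a single unlock-and-return label would also make it harder for a future exit path to leave the lock held.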
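Review bot: In the second hunk (@@ -630,6 +636,8), the non-foreign path calls `p2m_read_unlock(p2m);` before `get_page(page, d)`, while the foreign branch in the first hunk drops the lock only after `page_get_owner_and_reference(page)` has returned. The commit message limits the requirement to foreign mappings, but nothing in the code says why taking the reference after unlocking is acceptable on this path. Suggest a one-line comment explaining why the ordering is safe for pages expected to be owned by d, or taking the reference before the unlock so both paths follow the same pattern.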