
[xen staging-4.18] x86/p2m: issue a sync flush before freeing paging pages



commit 8b8c324af669f1a350f0d6b6f84619d39b99d653
Author:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Feb 17 09:33:43 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 17 12:11:44 2026 +0000

    x86/p2m: issue a sync flush before freeing paging pages
    
    In the EPT implementation, the defer flushing logic is used
    unconditionally, and that would lead to paging memory being returned to the
    paging pool before its references had been flushed.
    
    Issue any pending flushes before freeing the paging memory back to the
    pool.
    
    Note AMD (NPT) and Shadow paging are not affected, as they don't implement
    the deferred flushing logic.
    
    This is XSA-480 / CVE-2026-23554
    
    Fixes: 4a59e6bb3a96 ("x86/EPT: squash meaningless TLB flush")
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit 4bc2e5333abb37b9a67e44d7d6c712247e5e5146)
---
 xen/arch/x86/mm/p2m.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index ae37e1ec78..8197e9ad45 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -457,6 +457,11 @@ void p2m_free_ptp(struct p2m_domain *p2m, struct page_info 
*pg)
     ASSERT(p2m->domain);
     ASSERT(p2m->domain->arch.paging.free_page);
 
+    /*
+     * Issue any pending flush here, in case it was deferred before.  The page
+     * will be returned to the paging pool now.
+     */
+    p2m_tlb_flush_sync(p2m);
     page_list_del(pg, &p2m->pages);
     p2m->domain->arch.paging.free_page(p2m->domain, pg);
 
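Review bot: The comment added above `p2m_tlb_flush_sync(p2m)` says that a deferred flush is issued but not why it has to come before `page_list_del()` and `free_page()`. The commit message gives the reason: otherwise the page goes back to the paging pool before its references have been flushed. Suggest putting that ordering requirement into the comment itself, so a later cleanup does not move or drop the call as redundant. The call now runs on every `p2m_free_ptp()`, and the commit message says NPT and shadow paging do not implement deferred flushing, so it is also worth stating in the comment that the call is expected to do nothing when no flush is pending.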
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18



 

