
[xen stable-4.19] x86/p2m: issue a sync flush before freeing paging pages



commit b4993d7f97699457aae5262d1450c8be573e3daf
Author:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Feb 17 09:33:43 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 17 12:08:41 2026 +0000

    x86/p2m: issue a sync flush before freeing paging pages
    
    In the EPT implementation, the defer flushing logic is used
    unconditionally, and that would lead to paging memory being returned to the
    paging pool before its references had been flushed.
    
    Issue any pending flushes before freeing the paging memory back to the
    pool.
    
    Note AMD (NPT) and Shadow paging are not affected, as they don't implement
    the deferred flushing logic.
    
    This is XSA-480 / CVE-2026-23554
    
    Fixes: 4a59e6bb3a96 ("x86/EPT: squash meaningless TLB flush")
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit 4bc2e5333abb37b9a67e44d7d6c712247e5e5146)
---
 xen/arch/x86/mm/p2m.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 8d225d2d6c..a317f67ec0 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -464,6 +464,11 @@ void p2m_free_ptp(struct p2m_domain *p2m, struct page_info 
*pg)
     ASSERT(p2m->domain);
     ASSERT(p2m->domain->arch.paging.free_page);
 
+    /*
+     * Issue any pending flush here, in case it was deferred before.  The page
+     * will be returned to the paging pool now.
+     */
+    p2m_tlb_flush_sync(p2m);
     page_list_del(pg, &p2m->pages);
     p2m->domain->arch.paging.free_page(p2m->domain, pg);
 
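Review bot: The new comment above p2m_tlb_flush_sync(p2m) says a flush may have been deferred, but it does not say that the call must stay ahead of page_list_del() and the free_page() call, which is the ordering the fix depends on. Suggest wording the comment so the constraint is explicit, for example that any deferred flush has to complete before the page goes back to the paging pool, since stale references to it may otherwise remain, so that a later reordering of these three statements is caught in review. Only p2m_free_ptp() is touched here; it is worth confirming in the commit message or the comment that no other path returns p2m pages to the pool without passing through this function.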
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19



 

