[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] x86/mm: fix a potential race condition in map_pages_to_xen().
In map_pages_to_xen(), a L2 page table entry may be reset to point to a superpage, and its corresponding L1 page table need be freed in such scenario, when these L1 page table entries are mapping to consecutive page frames and having the same mapping flags. However, variable `pl1e` is not protected by the lock before L1 page table is enumerated. A race condition may happen if this code path is invoked simultaneously on different CPUs. For example, `pl1e` value on CPU0 may hold an obsolete value, pointing to a page which has just been freed on CPU1. Besides, before this page is reused, it will still be holding the old PTEs, referencing consecutive page frames. Consequently the `free_xen_pagetable(l2e_to_l1e(ol2e))` will be triggered on CPU0, resulting the unexpected free of a normal page. Protecting the `pl1e` with the lock will fix this race condition. Signed-off-by: Min He <min.he@xxxxxxxxx> Signed-off-by: Yi Zhang <yi.z.zhang@xxxxxxxxx> Signed-off-by: Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx> --- Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- xen/arch/x86/mm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index a20fdca..9c9afa1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -4844,9 +4844,10 @@ int map_pages_to_xen( { unsigned long base_mfn; - pl1e = l2e_to_l1e(*pl2e); if ( locking ) spin_lock(&map_pgdir_lock); + + pl1e = l2e_to_l1e(*pl2e); base_mfn = l1e_get_pfn(*pl1e) & ~(L1_PAGETABLE_ENTRIES - 1); for ( i = 0; i < L1_PAGETABLE_ENTRIES; i++, pl1e++ ) if ( (l1e_get_pfn(*pl1e) != (base_mfn + i)) || -- 2.5.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |