Xen project Mailing List

[Xen-devel] [PATCH] fix BUG in gnttab_unpopulate_status_frames()

From: Paul Durrant <paul.durrant@xxxxxxxxxx>

Date: Tue, 30 Jul 2019 17:44:01 +0100

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=paul.durrant@xxxxxxxxxx; spf=Pass smtp.mailfrom=Paul.Durrant@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Paul Durrant <paul.durrant@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>

Delivery-date: Tue, 30 Jul 2019 16:44:12 +0000

Ironport-sdr: WHQGUY3xml/8j8VtVLAAQQUc4MHwxnztbkyHXElZfwuRaN40Yvf/fNcvu4jMf53nPXhtmnqbbC nxlqHS6ndwVvOzS2TI3Eh4LbfarBkts9XVxofKhWz+u7rBn22NNLQB3BgdFQYMANe3VCYFWAY7 rgkQ9X2u51adsEkQJ0iyySw1Q1/gUe1FCn5XllkQ0o/E5s7jrYpnVTb0He555Ns/d2g9a/fSWt sk7UibJWm5tQ8xSPZbvOyVVj4E9DO5QcTvJQu3Gmx/Kp9S9921hKDVnaRpjfZP3tQAtz2dUvzw qrc=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Since commit ec83f825627 "mm.h: add helper function to test-and-clear _PGC_allocated" (and subsequent fix-up 44a887d021d "mm.h: fix BUG_ON() condition in put_page_alloc_ref()") setting grant table version from 2 back to 1 has been vulnerable to hitting the BUG_ON in put_page_alloc_ref() during gnttab_unpopulate_status_frames() because that function does not acquire a local page reference. This patch fixes the problem by first acquiring a local page reference on a status frame (which should always succeed and so a failure results in a domain_crash()) before attempting to 'unassign' it from the guest by dropping the allocation reference. The local reference can then be dropped. Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx> --- Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Julien Grall <julien.grall@xxxxxxx> Cc: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx> Cc: Tim Deegan <tim@xxxxxxx> Cc: Wei Liu <wl@xxxxxxx> --- xen/common/grant_table.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 97695a221a..b9ca388051 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -1682,6 +1682,14 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt) struct page_info *pg = virt_to_page(gt->status[i]); gfn_t gfn = gnttab_get_frame_gfn(gt, true, i); + if ( !get_page(pg, d) ) + { + gprintk(XENLOG_ERR, + "Could not get a reference to status frame %u\n", i); + domain_crash(d); + return -EINVAL; + } + /* * For translated domains, recovering from failure after partial * changes were made is more complicated than it seems worth @@ -1708,6 +1716,7 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt) BUG_ON(page_get_owner(pg) != d); put_page_alloc_ref(pg); + put_page(pg); if ( pg->count_info & ~PGC_xen_heap ) { -- 2.20.1.2.gb21ebb671 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.