[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging-4.10] x86/mm: don't bypass preemption checks

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Thu, 28 Jun 2018 08:00:04 +0000
Delivery-date: Thu, 28 Jun 2018 08:02:16 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 1d5a9ecce1f84a539bcda6744309da648a02d445
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jun 28 09:45:42 2018 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jun 28 09:45:42 2018 +0200

    x86/mm: don't bypass preemption checks
    
    While unlikely, it is not impossible for a multi-vCPU guest to leverage
    bypasses of preemption checks to drive Xen into an unbounded loop.
    
    This is XSA-264.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 17608703c65bf080b0a9f024f9b370872b9f2c05
    master date: 2018-06-28 09:03:09 +0200
---
 xen/arch/x86/mm.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 524e4efacd..97ff8d34ac 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2526,7 +2526,7 @@ static int _put_page_type(struct page_info *page, bool 
preemptible,
                 nx = x & ~(PGT_validated|PGT_partial);
                 if ( unlikely((y = cmpxchg(&page->u.inuse.type_info,
                                            x, nx)) != x) )
-                    continue;
+                    goto maybe_preempt;
                 /* We cleared the 'valid bit' so we do the clean up. */
                 rc = _put_final_page_type(page, x, preemptible, ptpg);
                 ptpg = NULL;
@@ -2558,12 +2558,13 @@ static int _put_page_type(struct page_info *page, bool 
preemptible,
              */
             cpu_relax();
             y = page->u.inuse.type_info;
-            continue;
+            goto maybe_preempt;
         }
 
         if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) )
             break;
 
+    maybe_preempt:
         if ( preemptible && hypercall_preempt_check() )
             return -EINTR;
     }
@@ -2676,12 +2677,11 @@ static int __get_page_type(struct page_info *page, 
unsigned long type,
             if ( !(x & PGT_partial) )
             {
                 /* Someone else is updating validation of this page. Wait... */
-                while ( (y = page->u.inuse.type_info) == x )
-                {
+                do {
                     if ( preemptible && hypercall_preempt_check() )
                         return -EINTR;
                     cpu_relax();
-                }
+                } while ( (y = page->u.inuse.type_info) == x );
                 continue;
             }
             /* Type ref count was left at 1 when PGT_partial got set. */
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.10

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [xen staging-4.10] x86: guard against #NM
Next by Date: [Xen-changelog] [xen staging-4.10] x86: Refine checks in #DB handler for faulting conditions
Previous by thread: [Xen-changelog] [xen staging-4.10] x86: guard against #NM
Next by thread: [Xen-changelog] [xen staging-4.10] x86: Refine checks in #DB handler for faulting conditions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.