Re: [Xen-devel] [PATCH] xen: avoid writing to freed memory after race in p2m handling

[David Vrabel <david.vrabel@xxxxxxxxxx>]

On 14/10/14 10:00, Juergen Gross wrote:
> In case a race was detected during allocation of a new p2m tree
> element in alloc_p2m() the new allocated mid_mfn page is freed without
> updating the pointer to the found value in the tree. This will result
> in overwriting the just freed page with the mfn of the p2m leaf.

Can this race actually happen?  i.e., does this need tagging for stable?

David

> --- a/arch/x86/xen/p2m.c
> +++ b/arch/x86/xen/p2m.c
> @@ -566,6 +566,7 @@ static bool alloc_p2m(unsigned long pfn)
>               /* Separately check the mid mfn level */
>               unsigned long missing_mfn;
>               unsigned long mid_mfn_mfn;
> +             unsigned long old_mfn;
>  
>               mid_mfn = alloc_p2m_page();
>               if (!mid_mfn)
> @@ -575,10 +576,13 @@ static bool alloc_p2m(unsigned long pfn)
>  
>               missing_mfn = virt_to_mfn(p2m_mid_missing_mfn);
>               mid_mfn_mfn = virt_to_mfn(mid_mfn);
> -             if (cmpxchg(top_mfn_p, missing_mfn, mid_mfn_mfn) != missing_mfn)
> +             old_mfn = cmpxchg(top_mfn_p, missing_mfn, mid_mfn_mfn);
> +             if (old_mfn != missing_mfn) {
>                       free_p2m_page(mid_mfn);
> -             else
> +                     mid_mfn = mfn_to_virt(old_mfn);
> +             } else {
>                       p2m_top_mfn_p[topidx] = mid_mfn;
> +             }
>       }
>  
>       if (p2m_top[topidx][mididx] == p2m_identity ||
> 


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel