Xen project Mailing List

[Xen-devel] [PATCH] viridian: make viridian_time_domain_freeze() safe to call...

From: Paul Durrant <paul.durrant@xxxxxxxxxx>

Date: Wed, 21 Aug 2019 09:22:58 +0100

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=paul.durrant@xxxxxxxxxx; spf=Pass smtp.mailfrom=Paul.Durrant@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul.durrant@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 21 Aug 2019 08:23:09 +0000

Ironport-sdr: KLkfprOzVJjGwWkMXdCV6hNOk01tB8a0K74x/t5Moo4AUxwYiHZDRZhZTvOL8GSxjKgfGc5nrH ZPyVcwAE/Ba9yydcmuTndxonGiks6GMZ8I4TU6+8EW9MenRRULkGUtTIfA01ZruS5E2xo8V2jk 3j8Xs2qRc28wXWHlCcO7MBoRjz7eiHcUSKqrUUbv00yrlSyEN//FKx6K9AK/C4izK4bpnzOH1q IuxK/Zlz6mB9XtiNJCCGopcdgDxfqEiizl+CdM7ETM5ezlnwVlXvIrbtoc6XpCKC7ZVqJfjU1s Rbw=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

...on a partially destroyed domain. viridian_time_domain_freeze() and viridian_time_vcpu_freeze() rely (respectively) on the dynamically allocated per-domain and per-vcpu viridian areas [1], which are freed during domain_relinquish_resources(). Because arch_domain_pause() can call viridian_domain_time_freeze() this can lead to host crashes if e.g. a XEN_DOMCTL_pausedomain is issued after domain_relinquish_resources() has run. To prevent such crashes, this patch adds a check of is_dying into viridian_time_domain_freeze(), and viridian_time_domain_thaw() which is similarly vulnerable to indirection into freed memory. NOTE: The patch also makes viridian_time_vcpu_freeze/thaw() static, since they have no callers outside of the same source module. [1] See commit e7a9b5e72f26 "viridian: separately allocate domain and vcpu structures". Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx> --- Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Cc: Wei Liu <wl@xxxxxxx> Cc: "Roger Pau Monné" <roger.pau@xxxxxxxxxx> --- xen/arch/x86/hvm/viridian/time.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c index ac087383c8..e80330a6ae 100644 --- a/xen/arch/x86/hvm/viridian/time.c +++ b/xen/arch/x86/hvm/viridian/time.c @@ -296,7 +296,7 @@ void viridian_time_poll_timers(struct vcpu *v) poll_stimer(v, i); } -void viridian_time_vcpu_freeze(struct vcpu *v) +static void viridian_time_vcpu_freeze(struct vcpu *v) { struct viridian_vcpu *vv = v->arch.hvm.viridian; unsigned int i; @@ -314,7 +314,7 @@ void viridian_time_vcpu_freeze(struct vcpu *v) } } -void viridian_time_vcpu_thaw(struct vcpu *v) +static void viridian_time_vcpu_thaw(struct vcpu *v) { struct viridian_vcpu *vv = v->arch.hvm.viridian; unsigned int i; @@ -336,7 +336,7 @@ void viridian_time_domain_freeze(const struct domain *d) { struct vcpu *v; - if ( !is_viridian_domain(d) ) + if ( d->is_dying || !is_viridian_domain(d) ) return; for_each_vcpu ( d, v ) @@ -349,7 +349,7 @@ void viridian_time_domain_thaw(const struct domain *d) { struct vcpu *v; - if ( !is_viridian_domain(d) ) + if ( d->is_dying || !is_viridian_domain(d) ) return; time_ref_count_thaw(d); -- 2.20.1.2.gb21ebb671 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.