Xen project Mailing List

[PATCH] x86/p2m: clarify foreign map handling in p2m_entry_modify()

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Fri, 20 Feb 2026 11:05:09 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WyAS27eQNRwQ8J599vmW4Ox6jx0UwNKLDJ6E1izmSqo=; b=MDAJVTDyYFy55KZ1Sqkmup4kf2Ye7gD73SIsAtHQxQaUi0iG0p3dYvPTgVn41nm2Xi30fUhH+gkUrxrEyGUFmvPwplJcwP9K1ObbScoRd9GISQIVD2AEylQMJRoSROpCTUH21rM1kzfBvTTWKQ32jxSmScLNQmjWSfBPbprUf/+x/wa2mRqgETN4hD00MoBS8G4uDibDrOjY/Hgj1vtc8p3vzb+7WlJGRWVW/CcKRa/XyKM2FPOiOhpewQCHJ7U3FFOTw8QNqkBFwX6/Y+Izbfsaezuw1iI2+mTpi1Avnt5HnkCVwKBAoxYk9BrDXjmm7BUZ89ScH6uN3vewa/RQFA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RNJWQ3Np4K/cgpJQuOrW4wuKGGzELItkOx05Yr81Upm9CPrfZ0NNf2T5TCAPT44As0r5KP5VP7MHUXHW3L+gaMJic7iIhlmhw9DmYwY8X5xH8z/4FFA1Erto5ctmJhp79s0mpSFBRmiZNS2Um8pjQGj34gqaugj66uZKJ5Sh3NVdCMpLm+mNTeX+7GJfSWGPn784oKEfDOMw6sFE1wltghfF6chjX8YDsQAqvVgYiptxtiIFh/147xMK00sI3q0hero9rUqTD9KuTfnN39AiiAv5ctGpUToMS5oRQfdPjWR/lhlp7oJX8+x0BjcfPLUVmN1cnLvC2IwGEuKGJbu4iA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Delivery-date: Fri, 20 Feb 2026 10:05:50 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Introduce an extra check and comment to ensure the outer caller has possibly taken an extra reference on the foreign page that's about to be removed from the p2m. Otherwise the put_page() in p2m_entry_modify() won't be safe to do ahead of the entry being removed form the p2m and any cached states purged. While there also replace the error codes for unreachable paths to use EILSEQ. No functional change intended. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- xen/arch/x86/include/asm/p2m.h | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h index ef6b02ff0bb6..1ceb248b9da6 100644 --- a/xen/arch/x86/include/asm/p2m.h +++ b/xen/arch/x86/include/asm/p2m.h @@ -1066,7 +1066,7 @@ static inline int p2m_entry_modify(struct p2m_domain *p2m, p2m_type_t nt, if ( !mfn_valid(nfn) || p2m != p2m_get_hostp2m(p2m->domain) ) { ASSERT_UNREACHABLE(); - return -EINVAL; + return -EILSEQ; } if ( !page_get_owner_and_reference(mfn_to_page(nfn)) ) @@ -1088,14 +1088,26 @@ static inline int p2m_entry_modify(struct p2m_domain *p2m, p2m_type_t nt, break; case p2m_map_foreign: - if ( !mfn_valid(ofn) || p2m != p2m_get_hostp2m(p2m->domain) ) + { + struct page_info *pg = mfn_valid(ofn) ? mfn_to_page(ofn) : NULL; + unsigned long ci = pg ? ACCESS_ONCE(pg->count_info) : 0; + + if ( !pg || p2m != p2m_get_hostp2m(p2m->domain) || + /* + * Rely on the caller also holding a reference to the page, so + * that the put_page() below doesn't cause the page to be + * freed, as it still has to be removed from the p2m. + */ + (ci & PGC_count_mask) <= (ci & PGC_allocated ? 2 : 1) || + !p2m->nr_foreign ) { ASSERT_UNREACHABLE(); - return -EINVAL; + return -EILSEQ; } - put_page(mfn_to_page(ofn)); + put_page(pg); p2m->nr_foreign--; break; + } default: break; -- 2.51.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.