xen/xsa159.patch

memory: fix XENMEM_exchange error handling

assign_pages() can fail due to the domain getting killed in parallel,
which should not result in a hypervisor crash.

Also delete a redundant put_gfn() - all relevant paths leading to the
"fail" label already do this (and there are also paths where it was
plain wrong). All of the put_gfn()-s got introduced by 51032ca058
("Modify naming of queries into the p2m"), including the otherwise
unneeded initializer for k (with even a kind of misleading comment -
the compiler warning could actually have served as a hint that the use
is wrong).

This is XSA-159.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Index: xen-4.6.0-testing/xen/common/memory.c
===================================================================
--- xen-4.6.0-testing.orig/xen/common/memory.c
+++ xen-4.6.0-testing/xen/common/memory.c
@@ -328,7 +328,7 @@ static long memory_exchange(XEN_GUEST_HA
     PAGE_LIST_HEAD(out_chunk_list);
     unsigned long in_chunk_order, out_chunk_order;
     xen_pfn_t     gpfn, gmfn, mfn;
-    unsigned long i, j, k = 0; /* gcc ... */
+    unsigned long i, j, k;
     unsigned int  memflags = 0;
     long          rc = 0;
     struct domain *d;
@@ -566,11 +566,12 @@ static long memory_exchange(XEN_GUEST_HA
  fail:
     /* Reassign any input pages we managed to steal. */
     while ( (page = page_list_remove_head(&in_chunk_list)) )
-    {
-        put_gfn(d, gmfn + k--);
         if ( assign_pages(d, page, 0, MEMF_no_refcount) )
-            BUG();
-    }
+        {
+            BUG_ON(!d->is_dying);
+            if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+                put_page(page);
+        }
 
  dying:
     rcu_unlock_domain(d);
- bsc#960093 - VUL-0: CVE-2015-8615: xen: x86: unintentional logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393 2016-01-04 23:25:00 +01:00			`memory: fix XENMEM_exchange error handling`

			`assign_pages() can fail due to the domain getting killed in parallel,`
			`which should not result in a hypervisor crash.`

			`Also delete a redundant put_gfn() - all relevant paths leading to the`
			`"fail" label already do this (and there are also paths where it was`
			`plain wrong). All of the put_gfn()-s got introduced by 51032ca058`
			`("Modify naming of queries into the p2m"), including the otherwise`
			`unneeded initializer for k (with even a kind of misleading comment -`
			`the compiler warning could actually have served as a hint that the use`
			`is wrong).`

			`This is XSA-159.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`

			`Index: xen-4.6.0-testing/xen/common/memory.c`
			`===================================================================`
			`--- xen-4.6.0-testing.orig/xen/common/memory.c`
			`+++ xen-4.6.0-testing/xen/common/memory.c`
			`@@ -328,7 +328,7 @@ static long memory_exchange(XEN_GUEST_HA`
			`PAGE_LIST_HEAD(out_chunk_list);`
			`unsigned long in_chunk_order, out_chunk_order;`
			`xen_pfn_t gpfn, gmfn, mfn;`
			`- unsigned long i, j, k = 0; /* gcc ... */`
			`+ unsigned long i, j, k;`
			`unsigned int memflags = 0;`
			`long rc = 0;`
			`struct domain *d;`
			`@@ -566,11 +566,12 @@ static long memory_exchange(XEN_GUEST_HA`
			`fail:`
			`/* Reassign any input pages we managed to steal. */`
			`while ( (page = page_list_remove_head(&in_chunk_list)) )`
			`- {`
			`- put_gfn(d, gmfn + k--);`
			`if ( assign_pages(d, page, 0, MEMF_no_refcount) )`
			`- BUG();`
			`- }`
			`+ {`
			`+ BUG_ON(!d->is_dying);`
			`+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )`
			`+ put_page(page);`
			`+ }`

			`dying:`
			`rcu_unlock_domain(d);`