763b78040d
config handling stack overflow CVE-2015-3259-xsa137.patch - Upstream patches from Jan 558bfaa0-x86-traps-avoid-using-current-too-early.patch 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch 559bdde5-pull-in-latest-linux-earlycpio.patch - Upstream patches from Jan pending review 552d0fd2-x86-hvm-don-t-include-asm-spinlock-h.patch 552d0fe8-x86-mtrr-include-asm-atomic.h.patch 552d293b-x86-vMSI-X-honor-all-mask-requests.patch 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch 554c7aee-x86-provide-arch_fetch_and_add.patch 554c7b00-arm-provide-arch_fetch_and_add.patch 55534b0a-x86-provide-add_sized.patch 55534b25-arm-provide-add_sized.patch 5555a4f8-use-ticket-locks-for-spin-locks.patch 5555a5b9-x86-arm-remove-asm-spinlock-h.patch 5555a8ec-introduce-non-contiguous-allocation.patch 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch 557eb55f-gnttab-per-active-entry-locking.patch 557eb5b6-gnttab-introduce-maptrack-lock.patch 557eb620-gnttab-make-the-grant-table-lock-a-read-write-lock.patch 557ffab8-evtchn-factor-out-freeing-an-event-channel.patch 5582bf43-evtchn-simplify-port_is_valid.patch 5582bf81-evtchn-remove-the-locking-when-unmasking-an-event-channel.patch 5583d9c5-x86-MSI-X-cleanup.patch 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch 5583da64-gnttab-use-per-VCPU-maptrack-free-lists.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=369
# Commit e4e9d2d4e76bd8fe229c124bd57fc6ba824271b3
# Date 2015-07-07 11:37:26 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/p2m-ept: don't unmap the EPT pagetable while it is still in use
The call to iommu_pte_flush() between the two hunks uses &ept_entry->epte
which is a pointer into the mapped page.
It is eventually passed to the `clflush` instruction, which will take a page fault
if the virtual mapping has fallen out of the TLB.
(XEN) ----[ Xen-4.5.0-xs102594-d x86_64 debug=y Not tainted ]----
(XEN) CPU: 7
(XEN) RIP: e008:[<ffff82d0801572f0>] cacheline_flush+0x4/0x9
<snip>
(XEN) Xen call trace:
(XEN) [<ffff82d0801572f0>] cacheline_flush+0x4/0x9
(XEN) [<ffff82d08014ffff>] __iommu_flush_cache+0x4a/0x6a
(XEN) [<ffff82d0801532e2>] iommu_pte_flush+0x2b/0xd5
(XEN) [<ffff82d0801f909a>] ept_set_entry+0x4bc/0x61f
(XEN) [<ffff82d0801f0c25>] p2m_set_entry+0xd1/0x112
(XEN) [<ffff82d0801f25b1>] clear_mmio_p2m_entry+0x1a0/0x200
(XEN) [<ffff82d0801f4aac>] unmap_mmio_regions+0x49/0x73
(XEN) [<ffff82d080106292>] do_domctl+0x15bd/0x1edb
(XEN) [<ffff82d080234fcb>] syscall_enter+0xeb/0x145
(XEN)
(XEN) Pagetable walk from ffff820040004ae0:
(XEN) L4[0x104] = 00000008668a5063 ffffffffffffffff
(XEN) L3[0x001] = 00000008668a3063 ffffffffffffffff
(XEN) L2[0x000] = 000000086689c063 ffffffffffffffff
(XEN) L1[0x004] = 000000056f078063 000000000007f678
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 7:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: ffff820040004ae0
(XEN) ****************************************
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
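--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -764,8 +764,6 @@ ept_set_entry(struct p2m_domain *p2m, un
 p2m->max_mapped_pfn = gfn + (1UL << order) - 1;
 
 out:
- unmap_domain_page(table);
-
 if ( needs_sync != sync_off )
 ept_sync_domain(p2m);
 
@@ -788,6 +786,8 @@ out:
 }
 }
 
+ unmap_domain_page(table);
+
 /* Release the old intermediate tables, if any. This has to be the
 last thing we do, after the ept_sync_domain() and removal
 from the iommu tables, so as to avoid a potential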
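Review bot: The relocated `unmap_domain_page(table);` in the second hunk carries no comment explaining why it must now follow the IOMMU flush, so a later cleanup could move it back beside `out:` and reintroduce this fault; I would add `/* Keep 'table' mapped until here: iommu_pte_flush() above flushes through &ept_entry->epte, which points into this page. */` directly above the call. The new placement also holds the mapping across ept_sync_domain() and the IOMMU code between the hunks, and it relies on that stretch having no early return or goto that skips the unmap; those lines are not shown here, so that should be confirmed or the mapping leaks. Security-wise the visible trace reaches ept_set_entry() from do_domctl() via unmap_mmio_regions(), a privileged toolstack path, and whether a guest-driven p2m update can reach the same flush is not visible in this excerpt. ept_set_entry() starts before the first hunk and ends after the second.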