c608e23838
Turn off building the KMPs now that we are using the pvops kernel xen.spec - Upstream patches from Jan 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch 5632129c-free-domain-s-vcpu-array.patch (Replaces CVE-2015-7969-xsa149.patch) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch 563212e4-xenoprof-free-domain-s-vcpu-array.patch 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch (Replaces CVE-2015-5307-xsa156.patch) 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch - Dropped 55b0a2db-x86-MSI-track-guest-masking.patch - Use upstream variants of block-iscsi and block-nbd - Remove xenalyze.hg, its part of xen-4.6 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=389
41 lines
1.6 KiB
Diff
41 lines
1.6 KiB
Diff
# Commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
|
|
# Date 2015-10-29 13:34:17 +0100
|
|
# Author Ian Campbell <ian.campbell@citrix.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
arm: handle races between relinquish_memory and free_domheap_pages
|
|
|
|
Primarily this means XENMEM_decrease_reservation from a toolstack
|
|
domain.
|
|
|
|
Unlike x86 we have no requirement right now to queue such pages onto
|
|
a separate list, if we hit this race then the other code has already
|
|
fully accepted responsibility for freeing this page and therefore
|
|
there is no more for relinquish_memory to do.
|
|
|
|
This is CVE-2015-7814 / XSA-147.
|
|
|
|
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
|
|
Reviewed-by: Julien Grall <julien.grall@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
--- a/xen/arch/arm/domain.c
|
|
+++ b/xen/arch/arm/domain.c
|
|
@@ -768,8 +768,15 @@ static int relinquish_memory(struct doma
|
|
{
|
|
/* Grab a reference to the page so it won't disappear from under us. */
|
|
if ( unlikely(!get_page(page, d)) )
|
|
- /* Couldn't get a reference -- someone is freeing this page. */
|
|
- BUG();
|
|
+ /*
|
|
+ * Couldn't get a reference -- someone is freeing this page and
|
|
+ * has already committed to doing so, so no more to do here.
|
|
+ *
|
|
+ * Note that the page must be left on the list, a list_del
|
|
+ * here will clash with the list_del done by the other
|
|
+ * party in the race and corrupt the list head.
|
|
+ */
|
|
+ continue;
|
|
|
|
if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
|
|
put_page(page);
|