From nobody Tue May 7 16:29:29 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org ARC-Seal: i=1; a=rsa-sha256; t=1564505124; cv=none; d=zoho.com; s=zohoarc; b=duGJ0nKtVc9a+OzCJRlosHYQKf3EHnUcb1zrRSvXDBcMZSacNjn9It74exxpl3H68MxeH80cd9Smr5SJ0Wxo8lrnfMRu5/sHMqA3li6aHK86yLngZnva20PAvPvwlhzDlCiXKBW931HKA/QEd4Ltju00O+l0GevePDQEEfYRoHk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1564505124; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To:ARC-Authentication-Results; bh=2ggxyxYtUlVBqgZ2ZZDiDR9C2rw3BA5pcQdmoZregHA=; b=KxqKKtMnhusOS9OHFfB3psX64mdogpBbzHJZXtDbm5y1X4oHRIxw5ijTj7qfqtTEfvX2H9VS+w4748TigGeQA4UdsSrXByHy9k7x0gYURvxydPuanKDr2O7A+ZugosJpYlWNb/1+DQ6RBdYcoDdXT3y7CCv8//nrrqO9aWBsOUQ= ARC-Authentication-Results: i=1; mx.zoho.com; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1564505124271814.311004213958; Tue, 30 Jul 2019 09:45:24 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1hsVEO-0003sD-MW; Tue, 30 Jul 2019 16:44:08 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1hsVEN-0003s3-FB for xen-devel@lists.xenproject.org; Tue, 30 Jul 2019 16:44:07 +0000 Received: from esa6.hc3370-68.iphmx.com (unknown [216.71.155.175]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS id 3e8d2704-b2e9-11e9-8980-bc764e045a96; Tue, 30 Jul 2019 16:44:06 +0000 (UTC) X-Inumbo-ID: 3e8d2704-b2e9-11e9-8980-bc764e045a96 Authentication-Results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=paul.durrant@citrix.com; spf=Pass smtp.mailfrom=Paul.Durrant@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of paul.durrant@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="paul.durrant@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa6.hc3370-68.iphmx.com: domain of Paul.Durrant@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="Paul.Durrant@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: WHQGUY3xml/8j8VtVLAAQQUc4MHwxnztbkyHXElZfwuRaN40Yvf/fNcvu4jMf53nPXhtmnqbbC nxlqHS6ndwVvOzS2TI3Eh4LbfarBkts9XVxofKhWz+u7rBn22NNLQB3BgdFQYMANe3VCYFWAY7 rgkQ9X2u51adsEkQJ0iyySw1Q1/gUe1FCn5XllkQ0o/E5s7jrYpnVTb0He555Ns/d2g9a/fSWt sk7UibJWm5tQ8xSPZbvOyVVj4E9DO5QcTvJQu3Gmx/Kp9S9921hKDVnaRpjfZP3tQAtz2dUvzw qrc= X-SBRS: 2.7 X-MesageID: 3754868 X-Ironport-Server: esa6.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,327,1559534400"; d="scan'208";a="3754868" From: Paul Durrant To: Date: Tue, 30 Jul 2019 17:44:01 +0100 Message-ID: <20190730164401.34097-1-paul.durrant@citrix.com> X-Mailer: git-send-email 2.20.1.2.gb21ebb671 MIME-Version: 1.0 Subject: [Xen-devel] [PATCH] fix BUG in gnttab_unpopulate_status_frames() X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Stefano Stabellini , Wei Liu , Konrad Rzeszutek Wilk , George Dunlap , Andrew Cooper , Ian Jackson , Tim Deegan , Julien Grall , Paul Durrant , Jan Beulich Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" Since commit ec83f825627 "mm.h: add helper function to test-and-clear _PGC_allocated" (and subsequent fix-up 44a887d021d "mm.h: fix BUG_ON() condition in put_page_alloc_ref()") setting grant table version from 2 back to 1 has been vulnerable to hitting the BUG_ON in put_page_alloc_ref() during gnttab_unpopulate_status_frames() because that function does not acquire a local page reference. This patch fixes the problem by first acquiring a local page reference on a status frame (which should always succeed and so a failure results in a domain_crash()) before attempting to 'unassign' it from the guest by dropping the allocation reference. The local reference can then be dropped. Signed-off-by: Paul Durrant --- Cc: Andrew Cooper Cc: George Dunlap Cc: Ian Jackson Cc: Jan Beulich Cc: Julien Grall Cc: Konrad Rzeszutek Wilk Cc: Stefano Stabellini Cc: Tim Deegan Cc: Wei Liu --- xen/common/grant_table.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 97695a221a..b9ca388051 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -1682,6 +1682,14 @@ gnttab_unpopulate_status_frames(struct domain *d, st= ruct grant_table *gt) struct page_info *pg =3D virt_to_page(gt->status[i]); gfn_t gfn =3D gnttab_get_frame_gfn(gt, true, i); =20 + if ( !get_page(pg, d) ) + { + gprintk(XENLOG_ERR, + "Could not get a reference to status frame %u\n", i); + domain_crash(d); + return -EINVAL; + } + /* * For translated domains, recovering from failure after partial * changes were made is more complicated than it seems worth @@ -1708,6 +1716,7 @@ gnttab_unpopulate_status_frames(struct domain *d, str= uct grant_table *gt) =20 BUG_ON(page_get_owner(pg) !=3D d); put_page_alloc_ref(pg); + put_page(pg); =20 if ( pg->count_info & ~PGC_xen_heap ) { --=20 2.20.1.2.gb21ebb671 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel