From nobody Tue Nov 11 06:55:37 2025
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied
 by domain of lists.xenproject.org) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain
 of lists.xenproject.org)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
ARC-Seal: i=1; a=rsa-sha256; t=1569311003; cv=none;
	d=zoho.com; s=zohoarc;
	b=GzRbopcUfduFifFTvQS5NxMdvsuWLNkNiX9G1ptwaDjGyDYZWs9zpfBQeVobKtSGb1Ci//PSBWY3Y2SV1/AG85EbYO6HpBA5s4KBuLhuKeF75Li+XqpkiHQZpfkUraMdkJhxJ8nscW6ACNXtUpJB2qzUSlAcAIy46vSzS+bsOYk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
 s=zohoarc;
	t=1569311003;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To:ARC-Authentication-Results;
	bh=NSR1K3Py+vUQ2bRmv5Uydte3Bv0+9U0d9XvlG1azvKI=;
	b=EiEs+3neb/k94Top6uMmu7WB70sQ0sd3hCOKdYgZ+OfjnN5PDSSdImgan0T/Amt35ljMgLsgkU38mZ2S+4ETFnFVf3Rptkhibgj7C96wPTD6Eat7ehmvwFILeNTThTniVjCxJDaMPib3Ysrvg4cnbCirzuQYqVTqrlmktvM81bA=
ARC-Authentication-Results: i=1; mx.zoho.com;
	spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain
 of lists.xenproject.org)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1569311003577163.7938976519422;
 Tue, 24 Sep 2019 00:43:23 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1iCfSb-0003Ei-Q7; Tue, 24 Sep 2019 07:42:09 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57]
 helo=us1-amaz-eas2.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <SRS0=MVCM=XT=suse.com=jgross@srs-us1.protection.inumbo.net>)
 id 1iCfSb-0003Ed-7B
 for xen-devel@lists.xenproject.org; Tue, 24 Sep 2019 07:42:09 +0000
Received: from mx1.suse.de (unknown [195.135.220.15])
 by localhost (Halon) with ESMTPS
 id ce51fc7a-de9e-11e9-960d-12813bfff9fa;
 Tue, 24 Sep 2019 07:42:06 +0000 (UTC)
Received: from relay2.suse.de (unknown [195.135.220.254])
 by mx1.suse.de (Postfix) with ESMTP id 6C7E9AD07;
 Tue, 24 Sep 2019 07:42:05 +0000 (UTC)
X-Inumbo-ID: ce51fc7a-de9e-11e9-960d-12813bfff9fa
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org
Date: Tue, 24 Sep 2019 09:42:02 +0200
Message-Id: <20190924074202.4064-1-jgross@suse.com>
X-Mailer: git-send-email 2.16.4
Subject: [Xen-devel] [PATCH] xen/sched: don't let XEN_RUNSTATE_UPDATE leak
 into vcpu_runstate_get()
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Cc: Juergen Gross <jgross@suse.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>,
 Wei Liu <wl@xen.org>, Jan Beulich <jbeulich@suse.com>,
 =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

vcpu_runstate_get() should never return a state entry time with
XEN_RUNSTATE_UPDATE set. To avoid this let update_runstate_area()
operate on a local runstate copy.

This problem was introduced with commit 2529c850ea48f036 ("add update
indicator to vcpu_runstate_info").

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/arch/x86/domain.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index dbdf6b1bc2..c4eceaab3f 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1600,21 +1600,24 @@ bool update_runstate_area(struct vcpu *v)
     bool rc;
     struct guest_memory_policy policy =3D { .nested_guest_mode =3D false };
     void __user *guest_handle =3D NULL;
+    struct vcpu_runstate_info runstate;
=20
     if ( guest_handle_is_null(runstate_guest(v)) )
         return true;
=20
     update_guest_memory_policy(v, &policy);
=20
+    memcpy(&runstate, &v->runstate, sizeof(runstate));
+
     if ( VM_ASSIST(v->domain, runstate_update_flag) )
     {
         guest_handle =3D has_32bit_shinfo(v->domain)
             ? &v->runstate_guest.compat.p->state_entry_time + 1
             : &v->runstate_guest.native.p->state_entry_time + 1;
         guest_handle--;
-        v->runstate.state_entry_time |=3D XEN_RUNSTATE_UPDATE;
+        runstate.state_entry_time |=3D XEN_RUNSTATE_UPDATE;
         __raw_copy_to_guest(guest_handle,
-                            (void *)(&v->runstate.state_entry_time + 1) - =
1, 1);
+                            (void *)(&runstate.state_entry_time + 1) - 1, =
1);
         smp_wmb();
     }
=20
@@ -1622,20 +1625,20 @@ bool update_runstate_area(struct vcpu *v)
     {
         struct compat_vcpu_runstate_info info;
=20
-        XLAT_vcpu_runstate_info(&info, &v->runstate);
+        XLAT_vcpu_runstate_info(&info, &runstate);
         __copy_to_guest(v->runstate_guest.compat, &info, 1);
         rc =3D true;
     }
     else
-        rc =3D __copy_to_guest(runstate_guest(v), &v->runstate, 1) !=3D
-             sizeof(v->runstate);
+        rc =3D __copy_to_guest(runstate_guest(v), &runstate, 1) !=3D
+             sizeof(runstate);
=20
     if ( guest_handle )
     {
-        v->runstate.state_entry_time &=3D ~XEN_RUNSTATE_UPDATE;
+        runstate.state_entry_time &=3D ~XEN_RUNSTATE_UPDATE;
         smp_wmb();
         __raw_copy_to_guest(guest_handle,
-                            (void *)(&v->runstate.state_entry_time + 1) - =
1, 1);
+                            (void *)(&runstate.state_entry_time + 1) - 1, =
1);
     }
=20
     update_guest_memory_policy(v, &policy);
--=20
2.16.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel