[v1] x86/p2m: tighten old-MFN check in p2m_add_page()

[PATCH] x86/p2m: tighten old-MFN check in p2m_add_page()
Posted by Jan Beulich 1 year, 2 months ago
Just ahead of the logic in question we've translated the subject MFN to
a valid original GFN, in order to then translate that GFN back to an
MFN. Restricting the call to p2m_remove_page() to the case where these
two MFNs match is too weak. Instead refuse the operation altogether when
there's a mismatch (which likely indicates a bug elsewhere in Xen).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
If we were certain that a mismatch indicates a bug elsewhere, we might
want to consider crashing the domain instead, to limit damage as well as
to make sure the issue is actually noticed.

--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -714,13 +714,19 @@ p2m_add_page(struct domain *d, gfn_t gfn
                       mfn_x(mfn_add(mfn, i)), gfn_x(ogfn),
                       gfn_x(gfn_add(gfn, i)));
             omfn = p2m->get_entry(p2m, ogfn, &ot, &a, 0, NULL, NULL);
+            if ( !mfn_eq(omfn, mfn_add(mfn, i)) )
+            {
+                P2M_DEBUG("old gfn %#lx -> mfn %#lx != mfn %#lx\n",
+                          gfn_x(ogfn), mfn_x(omfn), mfn_x(mfn) + i);
+                rc = -EXDEV;
+                goto out;
+            }
             if ( p2m_is_ram(ot) && !p2m_is_paged(ot) )
             {
                 ASSERT(mfn_valid(omfn));
                 P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n",
                           gfn_x(ogfn) , mfn_x(omfn));
-                if ( mfn_eq(omfn, mfn_add(mfn, i)) &&
-                     (rc = p2m_remove_entry(p2m, ogfn, omfn, 0)) )
+                if ( (rc = p2m_remove_entry(p2m, ogfn, omfn, 0)) )
                     goto out;
             }
         }