From patchwork Thu Nov 9 15:29:58 2017
X-Patchwork-Submitter: Yu Zhang
X-Patchwork-Id: 10050331
From: Yu Zhang
To: xen-devel@lists.xen.org
Date: Thu, 9 Nov 2017 23:29:58 +0800
Message-Id: <1510241398-25793-1-git-send-email-yu.c.zhang@linux.intel.com>
Cc: Andrew Cooper, min.he@intel.com, Jan Beulich, yi.z.zhang@intel.com
Subject: [Xen-devel] [PATCH] x86/mm: fix a potential race condition in map_pages_to_xen().

In map_pages_to_xen(), an L2 page table entry may be reset to point to
a superpage, and its corresponding L1 page table needs to be freed in
such a scenario, when these L1 page table entries map to consecutive
page frames and have the same mapping flags.

However, variable `pl1e` is not protected by the lock before the L1
page table is enumerated. A race condition may happen if this code path
is invoked simultaneously on different CPUs.

For example, the `pl1e` value on CPU0 may hold an obsolete value,
pointing to a page which has just been freed on CPU1. Besides, before
this page is reused, it will still be holding the old PTEs, referencing
consecutive page frames. Consequently the
`free_xen_pagetable(l2e_to_l1e(ol2e))` will be triggered on CPU0,
resulting in the unexpected free of a normal page.

Protecting the `pl1e` with the lock will fix this race condition.

Signed-off-by: Min He
Signed-off-by: Yi Zhang
Signed-off-by: Yu Zhang
---
Cc: Jan Beulich
Cc: Andrew Cooper
---
 xen/arch/x86/mm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index a20fdca..9c9afa1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c
@@ -4844,9 +4844,10 @@ int map_pages_to_xen( { unsigned long base_mfn; - pl1e = l2e_to_l1e(*pl2e); if ( locking ) spin_lock(&map_pgdir_lock); + + pl1e = l2e_to_l1e(*pl2e); base_mfn = l1e_get_pfn(*pl1e) & ~(L1_PAGETABLE_ENTRIES - 1); for ( i = 0; i < L1_PAGETABLE_ENTRIES; i++, pl1e++ ) if ( (l1e_get_pfn(*pl1e) != (base_mfn + i)) ||
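Review bot: After spin_lock(&map_pgdir_lock), the moved `pl1e = l2e_to_l1e(*pl2e);` still assumes that *pl2e references an L1 table, and nothing in the hunk re-validates that once the lock is held. Per the commit message, another CPU may already have reset this L2 entry to a superpage and freed the L1 page; in that case l2e_to_l1e(*pl2e) no longer yields an L1 table, and the loop would compare the contents of whatever the entry now maps. Suggest re-reading *pl2e under the lock and skipping the merge unless the entry is still present and does not have _PAGE_PSE set. Separately, when `locking` is false the read is as unprotected as before, so a short comment stating why callers that disable locking cannot race here would help.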