Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
xen.26341
xsa410-02.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa410-02.patch of Package xen.26341
From: Julien Grall <jgrall@amazon.com> Subject: xen/arm: p2m: Handle preemption when freeing intermediate page tables At the moment the P2M page tables will be freed when the domain structure is freed without any preemption. As the P2M is quite large, iterating through this may take more time than it is reasonable without intermediate preemption (to run softirqs and perhaps scheduler). Split p2m_teardown() in two parts: one preemptible and called when relinquishing the resources, the other one non-preemptible and called when freeing the domain structure. As we are now freeing the P2M pages early, we also need to prevent further allocation if someone call p2m_set_entry() past p2m_teardown() (I wasn't able to prove this will never happen). This is done by the checking domain->is_dying from previous patch in p2m_set_entry(). Similarly, we want to make sure that no-one can accessed the free pages. Therefore the root is cleared before freeing pages. This is part of CVE-2022-33746 / XSA-410. Signed-off-by: Julien Grall <jgrall@amazon.com> Signed-off-by: Henry Wang <Henry.Wang@arm.com> Tested-by: Henry Wang <Henry.Wang@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -774,10 +774,10 @@ fail: void arch_domain_destroy(struct domain *d) { /* IOMMU page table is shared with P2M, always call - * iommu_domain_destroy() before p2m_teardown(). + * iommu_domain_destroy() before p2m_final_teardown(). */ iommu_domain_destroy(d); - p2m_teardown(d); + p2m_final_teardown(d); domain_vgic_free(d); domain_vuart_free(d); free_xenheap_page(d->shared_info); @@ -979,6 +979,7 @@ enum { PROG_xen, PROG_page, PROG_mapping, + PROG_p2m, PROG_done, }; @@ -1029,6 +1030,11 @@ int domain_relinquish_resources(struct d if ( ret ) return ret; + PROGRESS(p2m): + ret = p2m_teardown(d); + if ( ret ) + return ret; + PROGRESS(done): break; --- a/xen/include/asm-arm/p2m.h +++ b/xen/include/asm-arm/p2m.h @@ -183,8 +183,17 @@ void setup_virt_paging(void); /* Init the datastructures for later use by the p2m code */ int p2m_init(struct domain *d); -/* Return all the p2m resources to Xen. */ -void p2m_teardown(struct domain *d); +/* + * The P2M resources are freed in two parts: + * - p2m_teardown() will be called when relinquish the resources. It + * will free large resources (e.g. intermediate page-tables) that + * requires preemption. + * - p2m_final_teardown() will be called when domain struct is been + * freed. This *cannot* be preempted and therefore one small + * resources should be freed here. + */ +int p2m_teardown(struct domain *d); +void p2m_final_teardown(struct domain *d); /* * Remove mapping refcount on each mapping page in the p2m --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -1496,17 +1496,58 @@ static void p2m_free_vmid(struct domain spin_unlock(&vmid_alloc_lock); } -void p2m_teardown(struct domain *d) +int p2m_teardown(struct domain *d) { struct p2m_domain *p2m = p2m_get_hostp2m(d); + unsigned long count = 0; struct page_info *pg; + unsigned int i; + int rc = 0; + + p2m_write_lock(p2m); + + /* + * We are about to free the intermediate page-tables, so clear the + * root to prevent any walk to use them. + */ + for ( i = 0; i < P2M_ROOT_PAGES; i++ ) + clear_and_clean_page(p2m->root + i); + + /* + * The domain will not be scheduled anymore, so in theory we should + * not need to flush the TLBs. Do it for safety purpose. + * + * Note that all the devices have already been de-assigned. So we don't + * need to flush the IOMMU TLB here. + */ + p2m_force_tlb_flush_sync(p2m); + + while ( (pg = page_list_remove_head(&p2m->pages)) ) + { + free_domheap_page(pg); + count++; + /* Arbitrarily preempt every 512 iterations */ + if ( !(count % 512) && hypercall_preempt_check() ) + { + rc = -ERESTART; + break; + } + } + + p2m_write_unlock(p2m); + + return rc; +} + +void p2m_final_teardown(struct domain *d) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d); /* p2m not actually initialized */ if ( !p2m->domain ) return; - while ( (pg = page_list_remove_head(&p2m->pages)) ) - free_domheap_page(pg); + ASSERT(page_list_empty(&p2m->pages)); if ( p2m->root ) free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor