summaryrefslogtreecommitdiff
path: root/system/xen/xsa/xsa210.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/xsa/xsa210.patch')
-rw-r--r--system/xen/xsa/xsa210.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa210.patch b/system/xen/xsa/xsa210.patch
new file mode 100644
index 0000000000..0696570c08
--- /dev/null
+++ b/system/xen/xsa/xsa210.patch
@@ -0,0 +1,41 @@
+From: Julien Grall <julien.grall@arm.com>
+Subject: arm/p2m: remove the page from p2m->pages list before freeing it
+
+The p2m code is using the page list field to link all the pages used
+for the stage-2 page tables. The page is added into the p2m->pages
+list just after the allocation but never removed from the list.
+
+The page list field is also used by the allocator, not removing may
+result a later Xen crash due to inconsistency (see [1]).
+
+This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7
+"xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry".
+
+[1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html
+
+Reported-by: Vijaya Kumar K <Vijaya.Kumar@cavium.com>
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/arch/arm/p2m.c
++++ b/xen/arch/arm/p2m.c
+@@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+ unsigned int i;
+ lpae_t *table;
+ mfn_t mfn;
++ struct page_info *pg;
+
+ /* Nothing to do if the entry is invalid. */
+ if ( !p2m_valid(entry) )
+@@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+ mfn = _mfn(entry.p2m.base);
+ ASSERT(mfn_valid(mfn_x(mfn)));
+
+- free_domheap_page(mfn_to_page(mfn_x(mfn)));
++ pg = mfn_to_page(mfn_x(mfn));
++
++ page_list_del(pg, &p2m->pages);
++ free_domheap_page(pg);
+ }
+
+ static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry,