diff options
Diffstat (limited to 'system/xen/xsa/xsa210.patch')
-rw-r--r-- | system/xen/xsa/xsa210.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa210.patch b/system/xen/xsa/xsa210.patch new file mode 100644 index 0000000000..0696570c08 --- /dev/null +++ b/system/xen/xsa/xsa210.patch @@ -0,0 +1,41 @@ +From: Julien Grall <julien.grall@arm.com> +Subject: arm/p2m: remove the page from p2m->pages list before freeing it + +The p2m code is using the page list field to link all the pages used +for the stage-2 page tables. The page is added into the p2m->pages +list just after the allocation but never removed from the list. + +The page list field is also used by the allocator, not removing may +result a later Xen crash due to inconsistency (see [1]). + +This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7 +"xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry". + +[1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html + +Reported-by: Vijaya Kumar K <Vijaya.Kumar@cavium.com> +Signed-off-by: Julien Grall <julien.grall@arm.com> +Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> + +--- a/xen/arch/arm/p2m.c ++++ b/xen/arch/arm/p2m.c +@@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m, + unsigned int i; + lpae_t *table; + mfn_t mfn; ++ struct page_info *pg; + + /* Nothing to do if the entry is invalid. */ + if ( !p2m_valid(entry) ) +@@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m, + mfn = _mfn(entry.p2m.base); + ASSERT(mfn_valid(mfn_x(mfn))); + +- free_domheap_page(mfn_to_page(mfn_x(mfn))); ++ pg = mfn_to_page(mfn_x(mfn)); ++ ++ page_list_del(pg, &p2m->pages); ++ free_domheap_page(pg); + } + + static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry, |