p***@xen.org
2018-11-20 14:55:56 UTC
commit c1fd0703f3f9860c80a2d2540b1c5e525e2fd30e
Author: Andrew Cooper <***@citrix.com>
AuthorDate: Tue Nov 20 15:43:02 2018 +0100
Commit: Jan Beulich <***@suse.com>
CommitDate: Tue Nov 20 15:43:02 2018 +0100
x86/mm: Don't perform flush after failing to update a guest's L1e
If the L1e update hasn't occurred, the flush cannot do anything useful. This
skips the potentially expensive vcpumask_to_pcpumask() conversion, and
broadcast TLB shootdown.
More importantly however, we might be in the error path due to a bad va
parameter from the guest, and this should not propagate into the TLB flushing
logic. The INVPCID instruction for example raises #GP for a non-canonical
address.
This is XSA-279.
Reported-by: Matthew Daley <***@bugfuzz.com>
Signed-off-by: Andrew Cooper <***@citrix.com>
Reviewed-by: Jan Beulich <***@suse.com>
master commit: 6c8d50288722672ecc8e19b0741a31b521d01706
master date: 2018-11-20 14:58:41 +0100
---
xen/arch/x86/mm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 57f4982509..9d21c1a8eb 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4046,6 +4046,14 @@ static int __do_update_va_mapping(
if ( pl1e )
unmap_domain_page(pl1e);
+ /*
+ * Any error at this point means that we haven't change the L1e. Skip the
+ * flush, as it won't do anything useful. Furthermore, va is guest
+ * controlled and not necesserily audited by this point.
+ */
+ if ( rc )
+ return rc;
+
switch ( flags & UVMF_FLUSHTYPE_MASK )
{
case UVMF_TLB_FLUSH:
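Review bot: the comment in the new block has two typos that should be fixed before this goes in: "we haven't change the L1e" should read "we haven't changed the L1e", and "necesserily" should read "necessarily". The placement of the early return itself looks right: it sits after the "if ( pl1e ) unmap_domain_page(pl1e);" cleanup, so the L1e mapping is released on the error path as well as the success path, and it sits before the "switch ( flags & UVMF_FLUSHTYPE_MASK )", so a non-zero rc never reaches the UVMF_TLB_FLUSH / INVLPG handling where, per the commit message, a guest-supplied non-canonical va could otherwise be passed to INVPCID and raise #GP. One thing worth stating explicitly in the comment is that the guest still receives rc unchanged, i.e. the error reported for a bad va is the same as before; only the flush is skipped.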
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.10