xen/arm: p2m: Fix crash when p2m_lookup is used with an invalid IPA
Since the commit
58f0fd8 "xen: arm: handle variable p2m levels in p2m_lookup",
Xen checks that the root_table offset is valid. If not, its unlock the p2m
spinlock before returning an error. But, at this time, the lock has not been
taken.
On Xen built with debug=y, we can get the following stack trace if the guest
use an invalid IPA in hypercall or mess-up the grant-table:
(XEN) Assertion '_raw_spin_is_locked(lock)' failed at xen/include/asm/arm32/spinlock.h:22
...
(XEN) [<
0022d1bc>] _spin_unlock+0x2c/0x50 (PC)
(XEN) [<
00253264>] p2m_lookup+0x20c/0x230 (LR)
(XEN) [<
7ffdfd54>]
7ffdfd54
(XEN) [<
002539f4>] gmfn_to_mfn+0x24/0x3c
(XEN) [<
0020e4d4>] __get_paged_frame+0x30/0x12c
(XEN) [<
00210680>] __acquire_grant_for_copy+0x4e0/0x768
(XEN) [<
00212030>] do_grant_table_op+0x13a0/0x2534
(XEN) [<
00257b10>] do_trap_hypervisor+0xe10/0x1148
(XEN) [<
0025b330>] return_from_trap+0/0x4
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
projects / xen.git / commit