From 64aac38d20090be7cba2a5777794ff54b6976b02 Mon Sep 17 00:00:00 2001
From: "kaf24@firebug.cl.cam.ac.uk"
Date: Mon, 14 Nov 2005 18:27:11 +0100
Subject: [PATCH] Flush writable pagetable state before emulating a PT update.

Avoids possibility of updating a PTE temporarily marked writable by ptwr batching logic, which can corrupt page reference counts. Aiee!

Signed-off-by: Keir Fraser
---
 xen/arch/x86/mm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index b37a16a4b0..79af9319a8 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -3358,6 +3358,13 @@ int ptwr_do_page_fault(struct domain *d, unsigned long addr,
     return EXCRET_fault_fixed;
 emulate:
+    /*
+     * Cleaning up avoids emulating an update to a PTE that is temporarily
+     * marked writable (_PAGE_RW) by the batched ptwr logic. If this were
+     * performance critical then the check could compare addr against l1va's in
+     * ptwr_emulated_update(). Without this flush we can corrupt page refcnts!
+     */
+    cleanup_writable_pagetable(d);
     if ( x86_emulate_memop(guest_cpu_user_regs(), addr,
                            &ptwr_mem_emulator, BITS_PER_LONG/8) )
         return 0;
-- 
2.30.2
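Review bot: The new comment explains the hazard but not the invariant the placement relies on: the flush sits at the `emulate:` label, so it runs unconditionally on every path that jumps there from earlier in ptwr_do_page_fault (those jump sites, and the rest of the function, are outside the hunk), and ptwr_emulated_update() presumably reads the live PTE after the flush rather than any value captured at fault time. I would state that contract in the comment instead of leaving the "compare addr against l1va's" alternative as a hint, e.g. `/* Must run before any emulated PT write: the emulator acts on the live PTE, so no batched-ptwr _PAGE_RW may still be in effect. */`. If any other caller reaches ptwr_emulated_update() without passing through this label (the hypercall PT-update path comes to mind), it needs the same flush for the refcount guarantee to hold; that is inferred from the comment, not visible here, so confirm against the callers.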