From: Jan Beulich Date: Wed, 27 Sep 2017 10:00:56 +0000 (+0100) Subject: x86: don't allow page_unlock() to drop the last type reference X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~1096 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6410733a8a0dff2fe581338ff631670cf91889db;p=xen.git x86: don't allow page_unlock() to drop the last type reference Only _put_page_type() does the necessary cleanup, and hence not all domain pages can be released during guest cleanup (leaving around zombie domains) if we get this wrong. This is XSA-242. Signed-off-by: Jan Beulich --- diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 1247e1397d..5628bc7389 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -1705,7 +1705,11 @@ void page_unlock(struct page_info *page) do { x = y; + ASSERT((x & PGT_count_mask) && (x & PGT_locked)); + nx = x - (1 | PGT_locked); + /* We must not drop the last reference here. */ + ASSERT(nx & PGT_count_mask); } while ( (y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x ); } @@ -2308,6 +2312,17 @@ static int _put_page_type(struct page_info *page, bool preemptible, set_tlbflush_timestamp(page); } + else if ( unlikely((nx & (PGT_locked | PGT_count_mask)) == + (PGT_locked | 1)) ) + { + /* + * We must not drop the second to last reference when the page is + * locked, as page_unlock() doesn't do any cleanup of the type. + */ + cpu_relax(); + y = page->u.inuse.type_info; + continue; + } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) break;
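Review bot: the two ASSERT()s added to page_unlock() are compiled out in non-debug builds, so on a release hypervisor this hunk changes no runtime behaviour; the invariant that a lock holder never owns the last type reference is actually enforced by the _put_page_type() change below. A short comment here pointing at _put_page_type() would help readers who only see this function, and since `x = y;` re-reads the value each time round the cmpxchg loop, the assertion is re-evaluated on every retry, which is fine but worth noting in the comment as the reason both checks sit inside the loop.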
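Review bot: the new `else if` branch in _put_page_type() is an unbounded busy-wait (cpu_relax(), re-read type_info, `continue`) whenever the page is locked and the drop would leave exactly one reference, and the `continue` jumps straight back to the loop head, skipping whatever follows the cmpxchg in the body; with `preemptible` in the function's signature it is worth confirming that a preemptible caller can still be interrupted while waiting on another CPU's lock holder. The comment should also spell out the liveness assumption this relies on: the lock holder keeps its own reference for the duration of the lock (as the page_unlock() ASSERTs now require), so the count can only reach 1 after page_unlock() clears PGT_locked, at which point the retry proceeds normally; a holder that called _put_page_type() on the same page while holding the lock would spin here forever.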