From: Jan Beulich
Date: Tue, 26 Jul 2022 12:54:34 +0000 (+0200)
Subject: x86/mm: correct TLB flush condition in _get_page_type()
X-Git-Tag: archive/raspbian/4.17.0-1+rpi1^2~33^2~383
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a9949efb288fd6e21bbaf9d5826207c7c41cda27;p=xen.git

x86/mm: correct TLB flush condition in _get_page_type()

When this logic was moved, it was moved across the point where nx is
updated to hold the new type for the page. IOW originally it was
equivalent to using x (and perhaps x would better have been used), but
now it isn't anymore. Switch to using x, which then brings things in line
again with the slightly earlier comment there (now) talking about
transitions _from_ writable.

I have to confess though that I cannot make a direct connection between
the reported observed behavior of guests leaving several pages around
with pending general references and the change here. Repeated testing,
nevertheless, confirms the reported issue is no longer there.

This is CVE-2022-33745 / XSA-408.

Reported-by: Charles Arnold
Fixes: 8cc5036bc385 ("x86/pv: Fix ABAC cmpxchg() race in _get_page_type()")
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
---

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 5b81d5fbdb..2c1c35151a 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -3038,7 +3038,7 @@ static int _get_page_type(struct page_info *page, unsigned long type,
             if ( unlikely(!cpumask_empty(mask)) &&
                  /* Shadow mode: track only writable pages. */
                  (!shadow_mode_enabled(d) ||
-                  ((nx & PGT_type_mask) == PGT_writable_page)) )
+                  ((x & PGT_type_mask) == PGT_writable_page)) )
             {
                 perfc_incr(need_flush_tlb_flush);
                 /*
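Review bot: the context comment `/* Shadow mode: track only writable pages. */` directly above the changed line still does not say whether "writable" refers to the type the page is leaving or the type it is acquiring, and that ambiguity is exactly what let `nx` (the new type) replace `x` (the old type) when this block was moved. Now that the condition deliberately tests `x`, please reword the comment in the same hunk to make the direction explicit, e.g. `/* Shadow mode: only a transition away from a writable type needs a flush. */`, so the next person who relocates the check does not reintroduce the bug. Since the commit message itself states that no direct link could be drawn between this change and the reported symptom, a brief note in the comment that the flush must be keyed on the pre-transition type (the value `x` held before the cmpxchg in the Fixes: commit) would also give a future reader the reasoning the diff alone does not carry.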