From cf5e1a74b9687be3d146e59ab10c26be6da9d0d4 Mon Sep 17 00:00:00 2001 From: Julien Grall Date: Fri, 24 Feb 2017 09:58:50 +0100 Subject: [PATCH] arm/p2m: remove the page from p2m->pages list before freeing it The p2m code is using the page list field to link all the pages used for the stage-2 page tables. The page is added into the p2m->pages list just after the allocation but never removed from the list. The page list field is also used by the allocator, not removing may result a later Xen crash due to inconsistency (see [1]). This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7 "xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry". [1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html Reported-by: Vijaya Kumar K Signed-off-by: Julien Grall Reviewed-by: Stefano Stabellini --- xen/arch/arm/p2m.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index e36d07502a..1fc6ca3bb2 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m, unsigned int i; lpae_t *table; mfn_t mfn; + struct page_info *pg; /* Nothing to do if the entry is invalid. */ if ( !p2m_valid(entry) ) @@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m, mfn = _mfn(entry.p2m.base); ASSERT(mfn_valid(mfn)); - free_domheap_page(mfn_to_page(mfn_x(mfn))); + pg = mfn_to_page(mfn_x(mfn)); + + page_list_del(pg, &p2m->pages); + free_domheap_page(pg); } static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry, -- 2.30.2