* [PATCH for 4.5] xen/arm: p2m: Fix crash when p2m_lookup is used with an invalid IPA
@ 2014-10-18 19:25 Julien Grall
From: Julien Grall @ 2014-10-18 19:25 UTC (permalink / raw)
To: xen-devel; +Cc: stefano.stabellini, Julien Grall, tim, ian.campbell
Since the commit 58f0fd8 "xen: arm: handle variable p2m levels in p2m_lookup",
Xen checks that the root_table offset is valid. If not, it unlocks the p2m
spinlock before returning an error. But, at this time, the lock has not been
taken.
On Xen built with debug=y, we can get the following stack trace if the guest
uses an invalid IPA in a hypercall or messes up the grant table:
(XEN) Assertion '_raw_spin_is_locked(lock)' failed at xen/include/asm/arm32/spinlock.h:22
...
(XEN) [<0022d1bc>] _spin_unlock+0x2c/0x50 (PC)
(XEN) [<00253264>] p2m_lookup+0x20c/0x230 (LR)
(XEN) [<7ffdfd54>] 7ffdfd54
(XEN) [<002539f4>] gmfn_to_mfn+0x24/0x3c
(XEN) [<0020e4d4>] __get_paged_frame+0x30/0x12c
(XEN) [<00210680>] __acquire_grant_for_copy+0x4e0/0x768
(XEN) [<00212030>] do_grant_table_op+0x13a0/0x2534
(XEN) [<00257b10>] do_trap_hypervisor+0xe10/0x1148
(XEN) [<0025b330>] return_from_trap+0/0x4
Signed-off-by: Julien Grall <julien.grall@linaro.org>
---
This is a bug fix for Xen 4.5. Any buggy guest could make Xen crash in a
debug build. I haven't really thought about what could happen in a
non-debug build.
---
xen/arch/arm/p2m.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 1585d35..69191b9 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -207,9 +207,8 @@ paddr_t p2m_lookup(struct domain *d, paddr_t paddr, p2m_type_t *t)
*t = pte.p2m.type;
}
-err:
spin_unlock(&p2m->lock);
-
+err:
return maddr;
}
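Review bot: moving `err:` below `spin_unlock(&p2m->lock)` fixes the unlock-without-lock path described in the commit message, but it also makes the label safe only for jumps taken before the lock is acquired: any `goto err` that sits after `spin_lock(&p2m->lock)` in the rest of the function (not visible in this hunk) would now return with the lock still held. Worth confirming there is exactly the one early exit at the root_table offset check, and adding a short comment at the label, e.g. `err: /* only reached before the lock is taken */`, so a future error path does not reintroduce the imbalance in the other direction.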
--
1.7.10.4
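Added example, not code from the patch or from Xen: a small C model of the lock imbalance described in the commit message, using a debug-style lock that counts unlock-without-lock events instead of asserting, so the "before" and "after" label placement can be compared directly. `dbg_lock`, `root_index`, `walk`, `ROOT_ENTRIES` and the 1 GiB root granule are hypothetical stand-ins for the real p2m code; only the position of the `err:` label relative to the unlock is taken from the patch.

```c
#include <stdint.h>
/* Constructed model of a debug-build spinlock: where Xen's debug=y build ASSERTs
 * inside _spin_unlock, this only counts the imbalance so it can be checked. */
struct dbg_lock { int held; int unlock_unheld; };
static void dbg_lock(struct dbg_lock *l) { l->held = 1; }
static void dbg_unlock(struct dbg_lock *l)
{
    if (!l->held)
        l->unlock_unheld++;   /* the condition the assertion in the trace fires on */
    l->held = 0;
}
#define INVALID_ADDR ((uint64_t)~0ULL)
#define ROOT_ENTRIES 4u                                   /* hypothetical root-table size */
static uint64_t root_index(uint64_t ipa) { return ipa >> 30; }        /* constructed 1 GiB granule */
static uint64_t walk(uint64_t ipa) { return ipa | 0x80000000ULL; }   /* stand-in for the table walk */

/* Before the patch: "err:" sits above the unlock, so an out-of-range IPA
 * releases a lock that was never taken. */
static uint64_t lookup_before(struct dbg_lock *l, uint64_t ipa)
{
    uint64_t maddr = INVALID_ADDR;
    if (root_index(ipa) >= ROOT_ENTRIES)
        goto err;             /* lock not held yet */
    dbg_lock(l);
    maddr = walk(ipa);
err:
    dbg_unlock(l);
    return maddr;
}

/* After the patch: the early-exit path skips the unlock entirely. */
static uint64_t lookup_after(struct dbg_lock *l, uint64_t ipa)
{
    uint64_t maddr = INVALID_ADDR;
    if (root_index(ipa) >= ROOT_ENTRIES)
        goto err;
    dbg_lock(l);
    maddr = walk(ipa);
    dbg_unlock(l);
err:
    return maddr;
}

/* Runs one lookup on a fresh lock; returns how many times unlock ran unheld. */
static int imbalance(uint64_t (*fn)(struct dbg_lock *, uint64_t), uint64_t ipa)
{
    struct dbg_lock l = { 0, 0 };
    fn(&l, ipa);
    return l.unlock_unheld;
}
```

An IPA at or above 4 GiB (root index 4 with only 4 root entries) is the constructed equivalent of the invalid IPA in the commit message: the pre-patch layout unlocks once without holding the lock, the patched layout never does, and valid IPAs behave identically in both.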
* Re: [PATCH for 4.5] xen/arm: p2m: Fix crash when p2m_lookup is used with an invalid IPA
From: Ian Campbell @ 2014-10-20 13:21 UTC (permalink / raw)
To: Julien Grall; +Cc: xen-devel, tim, stefano.stabellini
On Sat, 2014-10-18 at 20:25 +0100, Julien Grall wrote:
> Since the commit 58f0fd8 "xen: arm: handle variable p2m levels in p2m_lookup",
> Xen checks that the root_table offset is valid. If not, it unlocks the p2m
> spinlock before returning an error. But, at this time, the lock has not been
> taken.
>
> On Xen built with debug=y, we can get the following stack trace if the guest
> uses an invalid IPA in a hypercall or messes up the grant table:
>
> (XEN) Assertion '_raw_spin_is_locked(lock)' failed at xen/include/asm/arm32/spinlock.h:22
> ...
> (XEN) [<0022d1bc>] _spin_unlock+0x2c/0x50 (PC)
> (XEN) [<00253264>] p2m_lookup+0x20c/0x230 (LR)
> (XEN) [<7ffdfd54>] 7ffdfd54
> (XEN) [<002539f4>] gmfn_to_mfn+0x24/0x3c
> (XEN) [<0020e4d4>] __get_paged_frame+0x30/0x12c
> (XEN) [<00210680>] __acquire_grant_for_copy+0x4e0/0x768
> (XEN) [<00212030>] do_grant_table_op+0x13a0/0x2534
> (XEN) [<00257b10>] do_trap_hypervisor+0xe10/0x1148
> (XEN) [<0025b330>] return_from_trap+0/0x4
>
> Signed-off-by: Julien Grall <julien.grall@linaro.org>
acked + applied, thanks.