From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: xen-devel@lists.xenproject.org, Jan Beulich <jbeulich@suse.com>,
Anthony PERARD <anthony.perard@vates.tech>,
Michal Orzel <michal.orzel@amd.com>,
Julien Grall <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: [PATCH v3] x86/domain: adjust limitation on shared_info allocation below 4G
Date: Thu, 5 Feb 2026 19:37:41 +0100 [thread overview]
Message-ID: <aYTjdULkU2fCSR9Q@Mac.lan> (raw)
In-Reply-To: <5397aef0-2103-4775-af45-49a100be7ab6@citrix.com>
On Thu, Feb 05, 2026 at 06:31:04PM +0000, Andrew Cooper wrote:
> On 05/02/2026 8:03 am, Roger Pau Monne wrote:
> > diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c
> > index 01499582d2d6..e3273b49269d 100644
> > --- a/xen/arch/x86/pv/domain.c
> > +++ b/xen/arch/x86/pv/domain.c
> > @@ -247,6 +247,34 @@ int switch_compat(struct domain *d)
> > d->arch.has_32bit_shinfo = 1;
> > d->arch.pv.is_32bit = true;
> >
> > + /*
> > + * For 32bit PV guests the shared_info machine address must fit in a 32-bit
> > + * field within the guest's start_info structure. We might need to free
> > + * the current page and allocate a new one that fulfills this requirement.
> > + */
> > + if ( virt_to_maddr(d->shared_info) >> 32 )
> > + {
> > + shared_info_t *prev = d->shared_info;
> > +
> > + d->shared_info = alloc_xenheap_pages(0, MEMF_bits(32));
> > + if ( !d->shared_info )
> > + {
> > + d->shared_info = prev;
> > + rc = -ENOMEM;
> > + goto undo_and_fail;
> > + }
> > + put_page(virt_to_page(prev));
> > + clear_page(d->shared_info);
> > + share_xen_page_with_guest(virt_to_page(d->shared_info), d, SHARE_rw);
> > + /*
> > + * Ensure all pointers to the old shared_info page are replaced. vCPUs
> > + * below XEN_LEGACY_MAX_VCPUS will stash a pointer to
> > + * shared_info->vcpu_info[id].
> > + */
> > + for_each_vcpu ( d, v )
> > + vcpu_info_reset(v);
>
> Sorry, I missed something. Reading this in full, there's an obvious
> (risk of) UAF.
>
> put_page(virt_to_page(prev)) needs to be no earlier than here, or we've
> freed a page that we still have pointers pointing at.
>
> In practice, I expect that the global domctl lock protects us from
> anything actually going wrong.
>
> Nevertheless, for the sake of reordering the actions in this block, lets
> just fix it.
Yeah, I've already made that change. At this point in the domain life
cycle and with d->tot_pages == 0 and the domctl lock held, the vcpu
info area shouldn't be updated in parallel to the bitnewss being
changed, but better make this in the right order.
Thanks for spotting, Roger.
prev parent reply other threads:[~2026-02-05 18:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-05 8:03 [PATCH v3] x86/domain: adjust limitation on shared_info allocation below 4G Roger Pau Monne
2026-02-05 8:36 ` Jan Beulich
2026-02-05 12:13 ` Andrew Cooper
2026-02-05 18:31 ` Andrew Cooper
2026-02-05 18:37 ` Roger Pau Monné [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYTjdULkU2fCSR9Q@Mac.lan \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@vates.tech \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=michal.orzel@amd.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.