From: Andres Lagar-Cavilla
Subject: [PATCH 0 of 2] Fix correctness race in xc_mem_paging_prep
Date: Tue, 29 Nov 2011 15:32:46 -0500
To: xen-devel@lists.xensource.com
Cc: ian.campbell@citrix.com, andres@gridcentric.ca, tim@xen.org, keir.xen@gmail.com, JBeulich@suse.com, ian.jackson@citrix.com, adin@gridcentric.ca
List-Id: xen-devel@lists.xenproject.org

ging_prep ensures that an mfn is backing the paged-out gfn, and transitions to the next state in the paging state machine for this page. Foreign mappings of the gfn will now succeed.

This is the key idea, as it allows the pager to now map the gfn and fill in its contents. Unfortunately, it also allows any other foreign mapper to map the gfn and read its contents. This is particularly dangerous when the populate is launched by a foreign mapper in the first place, which will be actively retrying the map operation and might race with the pager. Qemu-dm being a prime example.

Fix the race by allowing a buffer to be optionally passed in the prep operation, and having the hypervisor memcpy from that buffer into the newly prepped page before promoting the gfn type.

Second patch is a tools patch, cc'ed maintainers.

Signed-off-by: Andres Lagar-Cavilla

 xen/arch/x86/mm/mem_event.c  |  2 +-
 xen/arch/x86/mm/mem_paging.c |  2 +-
 xen/arch/x86/mm/p2m.c        | 52 +++++++++++++++++++++++++++++++++++++++++--
 xen/include/asm-x86/p2m.h    |  2 +-
 xen/include/public/domctl.h  |  8 +++++-
 tools/libxc/xc_mem_event.c   |  4 +-
 tools/libxc/xc_mem_paging.c  | 23 +++++++++++++++++++
 tools/libxc/xenctrl.h        |  2 +
 8 files changed, 85 insertions(+), 10 deletions(-)
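The ordering problem the cover letter describes (promote the gfn type first, fill the frame afterwards, so a retrying foreign mapper can map the frame in between) can be modelled without the hypervisor. The following is an added, constructed illustration, not code from the patch series or from Xen: a two-state page slot, a foreign mapper that retries until mapping succeeds, and the old and new prep flows, interleaved deterministically so the window is visible. The names `gfn_slot`, `prep_old`, `prep_new`, `pager_fill` and `foreign_map` are hypothetical stand-ins for the p2m and libxc paths the patch touches; the 16-byte "frame" and the 0xAB fill pattern are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the two paging states that matter here:
   before prep the gfn is paged out and foreign maps must retry;
   after prep the gfn type is promoted and any foreign map succeeds. */
enum page_state { PAGED_OUT, PREPPED_MAPPABLE };
enum map_result { MAP_RETRY, MAP_OK };

#define PAGE_BYTES 16   /* constructed: tiny "frame" instead of 4 KiB */

struct gfn_slot {
    enum page_state state;
    uint8_t mfn[PAGE_BYTES];   /* contents of the backing frame */
};

/* A foreign mapper (qemu-dm style) retrying its map: it either gets
   told to retry, or gets a copy of whatever the frame currently holds. */
static enum map_result foreign_map(const struct gfn_slot *g, uint8_t out[PAGE_BYTES])
{
    if (g->state != PREPPED_MAPPABLE)
        return MAP_RETRY;
    memcpy(out, g->mfn, PAGE_BYTES);
    return MAP_OK;
}

/* Old flow: prep backs the gfn with a fresh (empty) frame and promotes
   the type; the pager is expected to map and fill it afterwards. */
static void prep_old(struct gfn_slot *g)
{
    memset(g->mfn, 0, PAGE_BYTES);
    g->state = PREPPED_MAPPABLE;      /* window opens here */
}

/* New flow: prep optionally receives the page contents and copies them
   into the frame before the type is promoted, so no mapper ever sees
   the frame unfilled. */
static void prep_new(struct gfn_slot *g, const uint8_t *buf)
{
    memset(g->mfn, 0, PAGE_BYTES);
    if (buf)
        memcpy(g->mfn, buf, PAGE_BYTES);  /* fill first ... */
    g->state = PREPPED_MAPPABLE;          /* ... then promote */
}

/* The pager's separate fill step used by the old flow. */
static void pager_fill(struct gfn_slot *g, const uint8_t *buf)
{
    memcpy(g->mfn, buf, PAGE_BYTES);
}

/* Deterministic interleaving: mapper retry, prep, mapper retry, pager fill.
   Returns 1 if the mapper observed the frame before its real contents
   arrived, 0 if it saw the real contents, -1 on an unexpected state. */
int race_old_flow(void)
{
    struct gfn_slot g = { PAGED_OUT, {0} };
    uint8_t real[PAGE_BYTES], seen[PAGE_BYTES];
    memset(real, 0xAB, PAGE_BYTES);           /* constructed page contents */

    if (foreign_map(&g, seen) != MAP_RETRY) return -1;   /* still paged out */
    prep_old(&g);
    if (foreign_map(&g, seen) != MAP_OK) return -1;      /* map now succeeds */
    pager_fill(&g, real);                                /* too late */
    return memcmp(seen, real, PAGE_BYTES) != 0;
}

/* Same interleaving against the new flow: the frame is filled inside prep. */
int race_new_flow(void)
{
    struct gfn_slot g = { PAGED_OUT, {0} };
    uint8_t real[PAGE_BYTES], seen[PAGE_BYTES];
    memset(real, 0xAB, PAGE_BYTES);

    if (foreign_map(&g, seen) != MAP_RETRY) return -1;
    prep_new(&g, real);
    if (foreign_map(&g, seen) != MAP_OK) return -1;
    return memcmp(seen, real, PAGE_BYTES) != 0;
}

int main(void)
{
    printf("old flow: mapper saw unfilled frame = %d\n", race_old_flow());
    printf("new flow: mapper saw unfilled frame = %d\n", race_new_flow());
    return 0;
}
```

The model deliberately uses a fixed interleaving rather than threads: the point of the fix is not that the window is narrow but that it exists at all, and closing it is a matter of ordering (copy before promote) rather than timing.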