From patchwork Sat Oct 18 19:25:21 2014
X-Patchwork-Submitter: Julien Grall
X-Patchwork-Id: 39022
From: Julien Grall
To: xen-devel@lists.xenproject.org
Date: Sat, 18 Oct 2014 20:25:21 +0100
Message-Id: <1413660321-14620-1-git-send-email-julien.grall@linaro.org>
Cc: stefano.stabellini@citrix.com, Julien Grall, tim@xen.org, ian.campbell@citrix.com
Subject: [Xen-devel] [PATCH for 4.5] xen/arm: p2m: Fix crash when p2m_lookup is used with an invalid IPA

Since commit 58f0fd8 "xen: arm: handle variable p2m levels in p2m_lookup", Xen checks that the root_table offset is valid. If not, it unlocks the p2m spinlock before returning an error. But, at this time, the lock has not been taken.

On Xen built with debug=y, we can get the following stack trace if the guest uses an invalid IPA in a hypercall or messes up the grant-table:

(XEN) Assertion '_raw_spin_is_locked(lock)' failed at xen/include/asm/arm32/spinlock.h:22
...
(XEN) [<0022d1bc>] _spin_unlock+0x2c/0x50 (PC)
(XEN) [<00253264>] p2m_lookup+0x20c/0x230 (LR)
(XEN) [<7ffdfd54>] 7ffdfd54
(XEN) [<002539f4>] gmfn_to_mfn+0x24/0x3c
(XEN) [<0020e4d4>] __get_paged_frame+0x30/0x12c
(XEN) [<00210680>] __acquire_grant_for_copy+0x4e0/0x768
(XEN) [<00212030>] do_grant_table_op+0x13a0/0x2534
(XEN) [<00257b10>] do_trap_hypervisor+0xe10/0x1148
(XEN) [<0025b330>] return_from_trap+0/0x4

Signed-off-by: Julien Grall
---
This is a bug fix for Xen 4.5. Any buggy guest could make Xen crash in debug build. I haven't really thought about what could happen in non-debug build.
---
xen/arch/arm/p2m.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index 1585d35..69191b9 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -207,9 +207,8 @@ paddr_t p2m_lookup(struct domain *d, paddr_t paddr, p2m_type_t *t) *t = pte.p2m.type; } -err: spin_unlock(&p2m->lock); - +err: return maddr; }
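
Review bot: with `err:` moved below `spin_unlock(&p2m->lock);` at the end of p2m_lookup, every `goto err` now returns without unlocking, so the change is only correct if all `goto err` sites run before the lock is taken, and the hunk does not show them. Please state in the commit message that the root_table offset check is the only user of the label, or drop the label and return directly from that check so that a `goto err` added later under the lock cannot leave it held. The message should also say what unlocking an unheld p2m lock does on a non-debug build, since the note after the sign-off leaves that open and the trace shows the path is reached from do_grant_table_op, that is, from guest-supplied input.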