xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken

*_mapped_gfn are currently read before acquiring the lock. However, they
may be modified by the p2m code before the lock was acquired. This means
we will use the wrong values.

Fix it by moving the read inside the section protected by the p2m lock.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 0410b1e86b1de799d641e1f618af86097194bb0a..68b488997d0b3c37fe8095d98b117af04b8467d2 100644 (file)
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1303,13 +1303,13 @@ int relinquish_p2m_mapping(struct domain *d)
     p2m_type_t t;
     int rc = 0;
     unsigned int order;
-
-    /* Convenience alias */
-    gfn_t start = p2m->lowest_mapped_gfn;
-    gfn_t end = p2m->max_mapped_gfn;
+    gfn_t start, end;
 
     p2m_write_lock(p2m);
 
+    start = p2m->lowest_mapped_gfn;
+    end = p2m->max_mapped_gfn;
+
     for ( ; gfn_x(start) < gfn_x(end);
           start = gfn_next_boundary(start, order) )
     {
@@ -1364,9 +1364,6 @@ int p2m_cache_flush(struct domain *d, gfn_t start, unsigned long nr)
     p2m_type_t t;
     unsigned int order;
 
-    start = gfn_max(start, p2m->lowest_mapped_gfn);
-    end = gfn_min(end, p2m->max_mapped_gfn);
-
     /*
      * The operation cache flush will invalidate the RAM assigned to the
      * guest in a given range. It will not modify the page table and
@@ -1375,6 +1372,9 @@ int p2m_cache_flush(struct domain *d, gfn_t start, unsigned long nr)
      */
     p2m_read_lock(p2m);
 
+    start = gfn_max(start, p2m->lowest_mapped_gfn);
+    end = gfn_min(end, p2m->max_mapped_gfn);
+
     for ( ; gfn_x(start) < gfn_x(end); start = next_gfn )
     {
         mfn_t mfn = p2m_get_entry(p2m, start, &t, NULL, &order);