pv-grub: Fix for incorrect dom->p2m_host[] list initialization

Introduction of Linux Kernel git commit
ceefccc93932b920a8ec6f35f596db05202a12fe (x86: default
CONFIG_PHYSICAL_START and CONFIG_PHYSICAL_ALIGN to 16 MB) revealed
deeply hidden bug in pv-grub. During kernel load stage dom->p2m_host[]
list has been incorrectly initialized.

At the beginning of kernel load stage dom->p2m_host[] list is
populated with current PFN->MFN layout. Later during memory allocation
(memory is allocated page by page in kexec_allocate()) page order is
changed to establish linear layout in new domain. It is done by
exchanging subsequent MFNs with newly allocated MFNs. dom->p2m_host[]
list is indexed by currently requested PFN (it is incremented from 0)
and PFN of newly allocated paged. If PFN of newly allocated page is
less than currently requested PFN then earlier allocated MFN is
overwritten which leads to domain crash later. This patch corrects
that issue. If PFN of newly allocated page is less then currently
requested PFN then relevant PFN/MFN pair is properly calculated and
usual exchange occurs later.

Signed-off-by: Daniel Kiper <dkiper@net-space.pl>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c
index 5281d0b19416a2941cffcdc09556127d5e97e7d8..06bef52ac2f11bb26a9beb72bbcf9bd85e4ec089 100644 (file)
--- a/stubdom/grub/kexec.c
+++ b/stubdom/grub/kexec.c
@@ -48,6 +48,7 @@ extern void _boot(void);
 
 static unsigned long *pages;
 static unsigned long *pages_mfns;
+static xen_pfn_t *pages_moved2pfns;
 static unsigned long allocated;
 
 int pin_table(xc_interface *xc_handle, unsigned int type, unsigned long mfn,
@@ -80,6 +81,7 @@ int kexec_allocate(struct xc_dom_image *dom, xen_vaddr_t up_to)
 
     pages = realloc(pages, new_allocated * sizeof(*pages));
     pages_mfns = realloc(pages_mfns, new_allocated * sizeof(*pages_mfns));
+    pages_moved2pfns = realloc(pages_moved2pfns, new_allocated * sizeof(*pages_moved2pfns));
     for (i = allocated; i < new_allocated; i++) {
         /* Exchange old page of PFN i with a newly allocated page.  */
         xen_pfn_t old_mfn = dom->p2m_host[i];
@@ -91,6 +93,18 @@ int kexec_allocate(struct xc_dom_image *dom, xen_vaddr_t up_to)
         new_pfn = PHYS_PFN(to_phys(pages[i]));
         pages_mfns[i] = new_mfn = pfn_to_mfn(new_pfn);
 
+       /*
+        * If PFN of newly allocated page (new_pfn) is less then currently
+        * requested PFN (i) then look for relevant PFN/MFN pair. In this
+        * situation dom->p2m_host[new_pfn] no longer contains proper MFN
+        * because original page with new_pfn was moved earlier
+        * to different location.
+        */
+       for (; new_pfn < i; new_pfn = pages_moved2pfns[new_pfn]);
+
+       /* Store destination PFN of currently requested page. */
+       pages_moved2pfns[i] = new_pfn;
+
         /* Put old page at new PFN */
         dom->p2m_host[new_pfn] = old_mfn;