XEN_DMOP_track_dirty_vram possibly calls into paging_log_dirty_enable
when using HAP mode, and it can interact badly with other ongoing
paging domctls, as XEN_DMOP_track_dirty_vram is not holding the domctl
lock.
This was detected as a result of the following assert triggering when
doing repeated migrations of a HAP HVM domain with a stubdom:
Assertion 'd->arch.paging.log_dirty.allocs == 0' failed at paging.c:198
----[ Xen-4.17-unstable x86_64 debug=y Not tainted ]----
CPU: 34
RIP: e008:[<
ffff82d040314b3b>] arch/x86/mm/paging.c#paging_free_log_dirty_bitmap+0x606/0x6
RFLAGS:
0000000000010206 CONTEXT: hypervisor (d0v23)
[...]
Xen call trace:
[<
ffff82d040314b3b>] R arch/x86/mm/paging.c#paging_free_log_dirty_bitmap+0x606/0x63a
[<
ffff82d040279f96>] S xsm/flask/hooks.c#domain_has_perm+0x5a/0x67
[<
ffff82d04031577f>] F paging_domctl+0x251/0xd41
[<
ffff82d04031640c>] F paging_domctl_continuation+0x19d/0x202
[<
ffff82d0403202fa>] F pv_hypercall+0x150/0x2a7
[<
ffff82d0403a729d>] F lstar_enter+0x12d/0x140
Such assert triggered because the stubdom used
XEN_DMOP_track_dirty_vram while dom0 was in the middle of executing
XEN_DOMCTL_SHADOW_OP_OFF, and so log dirty become enabled while
retiring the old structures, thus leading to new entries being
populated in already clear slots.
Fix this by not enabling log dirty for VRAM tracking, similar to what
is done when using shadow instead of HAP. Call
p2m_enable_hardware_log_dirty when enabling VRAM tracking in order to
get some hardware assistance if available. As a side effect the memory
pressure on the p2m pool should go down if only VRAM tracking is
enabled, as the dirty bitmap is no longer allocated.
Note that paging_log_dirty_range (used to get the dirty bitmap for
VRAM tracking) doesn't use the log dirty bitmap, and instead relies on
checking whether each gfn on the range has been switched from
p2m_ram_logdirty to p2m_ram_rw in order to account for dirty pages.
This is CVE-2022-26356 / XSA-397.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit:
4f4db53784d912c4f409a451c36ebfd4754e0a42
master date: 2022-04-05 14:11:30 +0200
{
int size = (nr + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
- if ( !paging_mode_log_dirty(d) )
- {
- rc = paging_log_dirty_enable(d, 0);
- if ( rc )
- goto out;
- }
-
rc = -ENOMEM;
dirty_bitmap = vzalloc(size);
if ( !dirty_bitmap )
paging_unlock(d);
+ domain_pause(d);
+ p2m_enable_hardware_log_dirty(d);
+ domain_unpause(d);
+
if ( oend > ostart )
p2m_change_type_range(d, ostart, oend,
p2m_ram_logdirty, p2m_ram_rw);
return rc;
}
-int paging_log_dirty_enable(struct domain *d, bool_t log_global)
+static int paging_log_dirty_enable(struct domain *d, bool_t log_global)
{
int ret;
unsigned long nr,
uint8_t *dirty_bitmap);
-/* enable log dirty */
-int paging_log_dirty_enable(struct domain *d, bool_t log_global);
-
/* log dirty initialization */
void paging_log_dirty_init(struct domain *d, const struct log_dirty_ops *ops);
projects / xen.git / commitdiff