[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] P2M: Don't try to free the existing PTE if we can't allocate a new table

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Julien Grall <julien@xxxxxxx>
Date: Sat, 26 Jul 2025 13:26:07 +0100
Cc: julien@xxxxxxx, Julien Grall <jgrall@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
Delivery-date: Sat, 26 Jul 2025 12:26:49 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Julien Grall <jgrall@xxxxxxxxxx>

When we can't split a superpage (on Arm p2m_split_superpage() returns false,
on x86 ept_split_superpage() returns 0), the caller is expected to clean
any PTE that may have been allocated. However, when we can't allocate
the page-tables 'entry' (arm) / 'ept_entry' still points to a live PTE.
So we will end up to free a PTE that is still used.

In practice for:
  * x86: We don't do any refcounting for 2MB/1GB mappings. So this is
    harmless
  * arm: We do refcounting for 2MB mapping (not for 1GB ones). This is
    only used for static memory.

So there is a security issue on Arm but this doesn't meet the criteria
for an XSA (static memory is not security supported).

Solve the issue by clearing the PTE if we can't allocate the table.

Reported-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>

----

I decided to not split the patch in two as the issue for x86 and
arm is the same. But I am happy to split if this is preferred.
---
 xen/arch/arm/mmu/p2m.c    | 8 ++++++++
 xen/arch/x86/mm/p2m-ept.c | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/xen/arch/arm/mmu/p2m.c b/xen/arch/arm/mmu/p2m.c
index 51abf3504fcf..9a1fb44a0204 100644
--- a/xen/arch/arm/mmu/p2m.c
+++ b/xen/arch/arm/mmu/p2m.c
@@ -888,7 +888,15 @@ static bool p2m_split_superpage(struct p2m_domain *p2m, 
lpae_t *entry,
 
     page = p2m_alloc_page(p2m->domain);
     if ( !page )
+    {
+        /*
+         * The caller is in charge to free the sub-tree. So tell the
+         * As we didn't manage to allocate anything, just tell the
+         * caller there is nothing to free by invalidating the PTE.
+         */
+        memset(entry, 0, sizeof(*entry));
         return false;
+    }
 
     page_list_add(page, &p2m->pages);
     table = __map_domain_page(page);
diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index 62fc8e50689f..1efac27835d2 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -261,7 +261,16 @@ static bool ept_split_super_page(
 
     table = ept_set_middle_entry(p2m, &new_ept);
     if ( !table )
+    {
+        /*
+         * The caller is in charge to free the sub-tree. So tell the
+         * As we didn't manage to allocate anything, just tell the
+         * caller there is nothing to free by invalidating the PTE.
+         */
+        memset(ept_entry, 0, sizeof(*ept_entry));
+
         return 0;
+    }
 
     trunk = 1UL << ((level - 1) * EPT_TABLE_ORDER);
 
-- 
2.47.3

Follow-Ups:
- Re: [PATCH] P2M: Don't try to free the existing PTE if we can't allocate a new table
  - From: dmkhn

Prev by Date: Re: [PATCH v5 2/2] xen/arm: allow translated iommu mappings
Next by Date: Re: [PATCH v1] xen/console: remove __printk_ratelimit()
Previous by thread: [PATCH v5 00/11] xenstored patches from split hardware control
Next by thread: Re: [PATCH] P2M: Don't try to free the existing PTE if we can't allocate a new table
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.