When SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS is set, vmx_vcpu_update_eptp() __vmwrites() EPTP_INDEX in altp2m_vcpu_destroy(). This means that when disabling altp2m on a domain after xc_altp2m_set_vcpu_enable_notify() has been successfully called, EPTP_INDEX ends up being stored as INVALID_ALTP2M. This makes it possible for vmx_vmexit_handler() to __vmread() the stale value after a subsequent call to xc_altp2m_set_vcpu_enable_notify(), and BUG_ON(idx >= MAX_ALTP2M).
Signed-off-by: Razvan Cojocaru <rcojoc...@bitdefender.com> --- Changes since V1: - Re-wrote the fix to affect the altp2m code instead of the code around the BUG_ON(). - Updated the patch description (and title - since the crash is really a host, not a domain, crash). --- xen/arch/x86/mm/altp2m.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/altp2m.c b/xen/arch/x86/mm/altp2m.c index 930bdc2..28c800b 100644 --- a/xen/arch/x86/mm/altp2m.c +++ b/xen/arch/x86/mm/altp2m.c @@ -58,8 +58,8 @@ altp2m_vcpu_destroy(struct vcpu *v) altp2m_vcpu_reset(v); - altp2m_vcpu_update_p2m(v); altp2m_vcpu_update_vmfunc_ve(v); + altp2m_vcpu_update_p2m(v); if ( v != current ) vcpu_unpause(v); -- 2.7.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
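Review bot: The reordering in altp2m_vcpu_destroy() relies on an ordering constraint that is only explained in the commit message, so a short comment above the two calls would keep a future cleanup from swapping them back. Per the description, altp2m_vcpu_update_p2m(v) ends up __vmwrite()ing EPTP_INDEX only while SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS is still set, which is why calling altp2m_vcpu_update_vmfunc_ve(v) first (so that #VE is disabled before the p2m update) stops INVALID_ALTP2M from being stored in EPTP_INDEX; something like "/* Disable #VE first so update_p2m() does not write INVALID_ALTP2M into EPTP_INDEX. */" above `altp2m_vcpu_update_vmfunc_ve(v);` would record that. It would also be worth stating in the description whether the corresponding enable path in altp2m_vcpu_initialise() has the mirror-image ordering (update_p2m before update_vmfunc_ve), since the same implicit dependency applies there and is not visible in this hunk.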