From: Hongyan Xia <hongy...@amazon.com>

stack++ can go into the next page and unmap_domain_page() will unmap the wrong one, causing mapcache and memory corruption. Fix.
This is found with direct map removal. For now, the idle domain does not have a mapcache and uses the direct map, so no errors will occur. Signed-off-by: Hongyan Xia <hongy...@amazon.com> --- xen/arch/x86/traps.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 33e5d21ece..f033a804a3 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -300,6 +300,7 @@ static void show_guest_stack(struct vcpu *v, const struct cpu_user_regs *regs) int i; unsigned long *stack, addr; unsigned long mask = STACK_SIZE; + void *stack_page = NULL; /* Avoid HVM as we don't know what the stack looks like. */ if ( is_hvm_vcpu(v) ) @@ -328,7 +329,7 @@ static void show_guest_stack(struct vcpu *v, const struct cpu_user_regs *regs) vcpu = maddr_get_owner(read_cr3()) == v->domain ? v : NULL; if ( !vcpu ) { - stack = do_page_walk(v, (unsigned long)stack); + stack_page = stack = do_page_walk(v, (unsigned long)stack); if ( (unsigned long)stack < PAGE_SIZE ) { printk("Inaccessible guest memory.\n"); @@ -358,7 +359,7 @@ static void show_guest_stack(struct vcpu *v, const struct cpu_user_regs *regs) if ( mask == PAGE_SIZE ) { BUILD_BUG_ON(PAGE_SIZE == STACK_SIZE); - unmap_domain_page(stack); + unmap_domain_page(stack_page); } if ( i == 0 ) printk("Stack empty."); -- 2.17.1
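Review bot: in the first hunk (`@@ -300,6 +300,7 @@`), `stack_page` is declared next to `stack` but, from the rest of the patch, is only ever assigned on the `!vcpu` path that calls `do_page_walk()`; initialising it to `NULL` is correct, but a short comment at the declaration saying that it holds the page-walk mapping handed to the later `unmap_domain_page()` would make the two variables' roles clear to the next reader.

Review bot: in the second hunk (`@@ -328,7 +329,7 @@`), the chained assignment `stack_page = stack = do_page_walk(v, (unsigned long)stack);` is the actual fix, since it keeps a stable handle on the mapping while `stack` is advanced, but nothing in the code says why two variables now carry the same value; a one-line comment such as "stack is incremented below; keep the original mapping for unmap" would document the intent. The following `(unsigned long)stack < PAGE_SIZE` inaccessible-memory check still tests `stack`, which is fine because both variables hold the same value at that point.

Review bot: in the third hunk (`@@ -358,7 +359,7 @@`), `unmap_domain_page(stack_page)` is reached under `mask == PAGE_SIZE`, while `stack_page` is only non-NULL when the `do_page_walk()` branch ran; that coupling is implicit in the diff. Consider an `ASSERT(stack_page)` before the unmap, or guarding on `stack_page != NULL` directly, so that a future change to how `mask` is set cannot reach the unmap with a NULL pointer.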