Just ahead of the logic in question we've translated the subject MFN to a valid original GFN, in order to then translate that GFN back to an MFN. Restricting the call to p2m_remove_page() to the case where these two MFNs match is too weak. Instead refuse the operation altogether when there's a mismatch (which likely indicates a bug elsewhere in Xen).
Signed-off-by: Jan Beulich <jbeul...@suse.com> --- If we were certain that a mismatch indicates a bug elsewhere, we might want to consider crashing the domain instead, to limit damage as well as to make sure the issue is actually noticed. --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -714,13 +714,19 @@ p2m_add_page(struct domain *d, gfn_t gfn mfn_x(mfn_add(mfn, i)), gfn_x(ogfn), gfn_x(gfn_add(gfn, i))); omfn = p2m->get_entry(p2m, ogfn, &ot, &a, 0, NULL, NULL); + if ( !mfn_eq(omfn, mfn_add(mfn, i)) ) + { + P2M_DEBUG("old gfn %#lx -> mfn %#lx != mfn %#lx\n", + gfn_x(ogfn), mfn_x(omfn), mfn_x(mfn) + i); + rc = -EXDEV; + goto out; + } if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) { ASSERT(mfn_valid(omfn)); P2M_DEBUG("old gfn=%#lx -> mfn %#lx\n", gfn_x(ogfn) , mfn_x(omfn)); - if ( mfn_eq(omfn, mfn_add(mfn, i)) && - (rc = p2m_remove_entry(p2m, ogfn, omfn, 0)) ) + if ( (rc = p2m_remove_entry(p2m, ogfn, omfn, 0)) ) goto out; } }
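Review bot: the new mfn_eq() check in this hunk fires for every entry type, whereas the comparison it replaces was guarded by `if ( p2m_is_ram(ot) && !p2m_is_paged(ot) )`; an old GFN whose entry is paged out or otherwise not plain RAM can legitimately return an omfn that differs from mfn_add(mfn, i), and such a call now fails with -EXDEV instead of being skipped as before. Either move the check inside the p2m_is_ram() && !p2m_is_paged() block, or state in the commit message why a mismatch for non-RAM types is also considered a bug. Minor: the new P2M_DEBUG prints `mfn_x(mfn) + i` while the comparison uses `mfn_add(mfn, i)`; using `mfn_x(mfn_add(mfn, i))`, as the existing P2M_DEBUG just above does, keeps the two consistent. A short comment explaining the choice of -EXDEV (no caller of p2m_add_page() visible here documents what it maps this to) would also help later readers, given the post-commit note that this path may eventually become a domain crash.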