author | Ian Campbell <ian.campbell@citrix.com> | 2012-08-09 15:47:19 +0100 |
---|---|---|
committer | Ian Campbell <ian.campbell@citrix.com> | 2012-08-09 15:47:19 +0100 |
commit | afa8c5bb3d29f9fa4712e9d7f00122cbcdacb458 (patch) | |
tree | 0fbf216775423e71007c3410f5ec1272466186d8 | |
parent | a49147f3b26ae6b5f6a7ea886628926b01c00b43 (diff) | |
xen: only check for shared pages while any exist on teardown
Avoids worst case behaviour when guest has a large p2m.
This is XSA-11 / CVE-2012-3433
Signed-off-by: Tim Deegan <tim@xen.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/arch/x86/mm/p2m.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 51ef7116ca..787b4be6a3 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -1725,6 +1725,8 @@ void p2m_teardown(struct domain *d) #ifdef __x86_64__ for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ ) { + if ( atomic_read(&d->shr_pages) == 0 ) + break; mfn = p2m->get_entry(d, gfn, &t, p2m_query); if ( mfn_valid(mfn) && (t == p2m_ram_shared) ) BUG_ON(mem_sharing_unshare_page(d, gfn, MEM_SHARING_DESTROY_GFN)); |
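Review bot: the added `if ( atomic_read(&d->shr_pages) == 0 ) break;` at the top of the `p2m_teardown` loop has no comment stating the invariant it depends on: that `d->shr_pages` is zero only when no `p2m_ram_shared` entry remains below `p2m->max_mapped_pfn`. If the counter ever reads low, the break skips the `BUG_ON(mem_sharing_unshare_page(...))` path for the remaining gfns and shared entries survive teardown silently, so a one-line comment naming that assumption is worth adding. Note also that the check only ends the walk once the count reaches zero; a domain whose last shared page sits at a high gfn still has every gfn up to it passed through `p2m->get_entry`, so the commit message could say the walk is bounded by the position of the last shared page rather than by whether any exist. As a style point, the test could move into the `for` condition (`gfn < p2m->max_mapped_pfn && atomic_read(&d->shr_pages)`), which keeps the loop's exit criteria in one place.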