X86 MCE: Prevent malicious guest access broken page again

To avoid recursive mce.

Signed-off-by: Liu, Jinsong <jinsong.liu@intel.com>
Committed-by: Keir Fraser <keir@xen.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index f38d1ff986..3ce34af440 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -38,6 +38,7 @@
 #include <xen/tmem.h>
 #include <xen/tmem_xen.h>
 #include <public/sysctl.h>
+#include <public/sched.h>
 #include <asm/page.h>
 #include <asm/numa.h>
 #include <asm/flushtlb.h>
@@ -708,6 +709,19 @@ int offline_page(unsigned long mfn, int broken, uint32_t *status)
         return -EINVAL;
     }
 
+    /*
+     * NB. When broken page belong to guest, usually hypervisor will
+     * notify the guest to handle the broken page. However, hypervisor
+     * need to prevent malicious guest access the broken page again.
+     * Under such case, hypervisor shutdown guest, preventing recursive mce.
+     */
+    if ( (pg->count_info & PGC_broken) && (owner = page_get_owner(pg)) )
+    {
+        *status = PG_OFFLINE_AGAIN;
+        domain_shutdown(owner, SHUTDOWN_crash);
+        return 0;
+    }
+
     spin_lock(&heap_lock);
 
     old_info = mark_page_offline(pg, broken);