xenpaging: Fix c/s 23507:0a29c8c3ddf7 ("update machine_to_phys_mapping[] during page deallocation")

This patch clobbers page owner in free_heap_pages() before we are
finished using it. This means that a subsequent test to determine
whether it is safe to avoid safety TLB flushes incorrectly always
determines that it is safe to do so.

The fix is simple: we can defer the original patch's work until after
we are done with the page-owner field.

Thanks to Christian Limpach for spotting this one.

Signed-off-by: Keir Fraser <keir@xen.org>

1 files changed, 4 insertions, 4 deletions

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 3470d32a4a..249bb355dd 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -547,10 +547,6 @@ static void free_heap_pages(
 
     for ( i = 0; i < (1 << order); i++ )
     {
-        /* This page is not a guest frame any more. */
-        page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */
-        set_gpfn_from_mfn(mfn + i, INVALID_M2P_ENTRY);
-
         /*
          * Cannot assume that count_info == 0, as there are some corner cases
          * where it isn't the case and yet it isn't a bug:
@@ -574,6 +570,10 @@ static void free_heap_pages(
         pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL);
         if ( pg[i].u.free.need_tlbflush )
             pg[i].tlbflush_timestamp = tlbflush_current_time();
+
+        /* This page is not a guest frame any more. */
+        page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */
+        set_gpfn_from_mfn(mfn + i, INVALID_M2P_ENTRY);
     }
 
     avail[node][zone] += 1 << order;