34ec9d
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
34ec9d
34ec9d
Any domain which can pass the XSM check against a translated guest can cause a
34ec9d
page reference to be leaked.
34ec9d
34ec9d
While shuffling the order of checks, drop the quite-pointless MEM_LOG().  This
34ec9d
brings the check in line with similar checks in the vicinity.
34ec9d
34ec9d
Discovered while reviewing the XSA-109/110 followup series.
34ec9d
34ec9d
This is XSA-113.
34ec9d
34ec9d
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
34ec9d
Reviewed-by: Jan Beulich <jbeulich@suse.com>
34ec9d
Reviewed-by: Tim Deegan <tim@xen.org>
34ec9d
34ec9d
--- a/xen/arch/x86/mm.c
34ec9d
+++ b/xen/arch/x86/mm.c
34ec9d
@@ -3619,6 +3619,12 @@ long do_mmu_update(
34ec9d
 
34ec9d
         case MMU_MACHPHYS_UPDATE:
34ec9d
 
34ec9d
+            if ( unlikely(paging_mode_translate(pg_owner)) )
34ec9d
+            {
34ec9d
+                rc = -EINVAL;
34ec9d
+                break;
34ec9d
+            }
34ec9d
+
34ec9d
             mfn = req.ptr >> PAGE_SHIFT;
34ec9d
             gpfn = req.val;
34ec9d
 
34ec9d
@@ -3638,13 +3644,6 @@ long do_mmu_update(
34ec9d
                 break;
34ec9d
             }
34ec9d
 
34ec9d
-            if ( unlikely(paging_mode_translate(pg_owner)) )
34ec9d
-            {
34ec9d
-                MEM_LOG("Mach-phys update on auto-translate guest");
34ec9d
-                rc = -EINVAL;
34ec9d
-                break;
34ec9d
-            }
34ec9d
-
34ec9d
             set_gpfn_from_mfn(mfn, gpfn);
34ec9d
 
34ec9d
             paging_mark_dirty(pg_owner, mfn);