[xen stable-4.6] x86/HVM: guard against emulator driving ioreq state in weird ways
Author: Jan Beulich <[hidden email]>
AuthorDate: Tue May 8 18:28:20 2018 +0100
Commit: Andrew Cooper <[hidden email]>
CommitDate: Tue May 8 18:28:20 2018 +0100
x86/HVM: guard against emulator driving ioreq state in weird ways
In the case where hvm_wait_for_io() calls wait_on_xen_event_channel(),
p->state ends up being read twice in succession: once to determine that
state != p->state, and then again at the top of the loop. This gives a
compromised emulator a chance to change the state back between the two
reads, potentially keeping Xen in a loop indefinitely.
* Read p->state once in each of the wait_on_xen_event_channel() tests,
* re-use that value the next time around,
* and insist that the states continue to transition "forward" (with the
exception of the transition to STATE_IOREQ_NONE).