File 68c01990-x86-Viridian-ref-TSC-page-concurrency.patch of Package xen.41885

# Commit 45729a510a352e1a973e4023bd0067cddb1bcaf8
# Date 2025-09-09 14:12:00 +0200
# Author Roger Pau Monne <roger.pau@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/viridian: protect concurrent modification of the reference TSC page

The reference TSC page is shared between all vCPUs, and the data stored in
the domain struct.  However the handlers to set and clear it are not safe
against concurrent accesses.  It's possible for two (or more) vCPUs to call
HV_X64_MSR_REFERENCE_TSC at the same time and cause the in-use reference
TSC page to be freed, while still being on the p2m.  This creates a use-
after-free bug, where the page can end up mapped in another domain or used
by Xen while still being part of the original domain's p2m.

It's also possible to underflow the reference counter, as multiple
concurrent writes to HV_X64_MSR_REFERENCE_TSC can create an imbalance on
the number of put_page_and_type() calls.

Introduce a lock to protect the reference TSC domain field, thus
serializing concurrent vCPU accesses.

This is CVE-2025-58143 / part of XSA-472.

Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/viridian/time.c
+++ b/xen/arch/x86/hvm/viridian/time.c
@@ -108,8 +108,10 @@ static void time_ref_count_thaw(const st
 
     trc->off = (int64_t)trc->val - trc_val(d, 0);
 
+    spin_lock(&vd->lock);
     if ( vd->reference_tsc.msr.enabled )
         update_reference_tsc(d, false);
+    spin_unlock(&vd->lock);
 }
 
 static uint64_t time_ref_count(const struct domain *d)
@@ -331,6 +333,7 @@ int viridian_time_wrmsr(struct vcpu *v,
         if ( !(viridian_feature_mask(d) & HVMPV_reference_tsc) )
             return X86EMUL_EXCEPTION;
 
+        spin_lock(&vd->lock);
         viridian_unmap_guest_page(&vd->reference_tsc);
         vd->reference_tsc.msr.raw = val;
         viridian_dump_guest_page(v, "REFERENCE_TSC", &vd->reference_tsc);
@@ -339,6 +342,7 @@ int viridian_time_wrmsr(struct vcpu *v,
             viridian_map_guest_page(d, &vd->reference_tsc);
             update_reference_tsc(d, true);
         }
+        spin_unlock(&vd->lock);
         break;
 
     case HV_X64_MSR_TIME_REF_COUNT:
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -494,6 +494,8 @@ int viridian_domain_init(struct domain *
     if ( !d->arch.hvm.viridian )
         return -ENOMEM;
 
+    spin_lock_init(&d->arch.hvm.viridian->lock);
+
     rc = viridian_synic_domain_init(d);
     if ( rc )
         goto fail;
--- a/xen/arch/x86/include/asm/hvm/viridian.h
+++ b/xen/arch/x86/include/asm/hvm/viridian.h
@@ -71,6 +71,7 @@ struct viridian_domain
     DECLARE_BITMAP(hypercall_flags, _HCALL_nr);
     struct viridian_time_ref_count time_ref_count;
     struct viridian_page reference_tsc;
+    spinlock_t lock;
 };
 
 void cpuid_viridian_leaves(const struct vcpu *v, uint32_t leaf,