From 45f6866e34b7e9ee8b6ac16d646a2e954c97e48e Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Tue, 17 Feb 2026 09:33:43 +0100 Subject: [PATCH] x86/p2m: issue a sync flush before freeing paging pages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the EPT implementation, the defer flushing logic is used unconditionally, and that would lead to paging memory being returned to the paging pool before its references had been flushed. Issue any pending flushes before freeing the paging memory back to the pool. Note AMD (NPT) and Shadow paging are not affected, as they don't implement the deferred flushing logic. This is XSA-480 / CVE-2026-23554 Fixes: 4a59e6bb3a96 ("x86/EPT: squash meaningless TLB flush") Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/mm/p2m.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index e915da26a832..fddecdf978ec 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -479,6 +479,11 @@ void p2m_free_ptp(struct p2m_domain *p2m, struct page_info *pg) ASSERT(p2m->domain); ASSERT(p2m->domain->arch.paging.free_page); + /* + * Issue any pending flush here, in case it was deferred before. The page + * will be returned to the paging pool now. + */ + p2m_tlb_flush_sync(p2m); page_list_del(pg, &p2m->pages); p2m->domain->arch.paging.free_page(p2m->domain, pg); -- 2.51.0
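Review bot: The new p2m_tlb_flush_sync(p2m) call in p2m_free_ptp() runs on every single page-table page release, so please confirm in the commit message or the comment that p2m_tlb_flush_sync() is a cheap no-op when no flush is actually pending; otherwise paths that free many pages in a row (a full p2m teardown returning the whole pool, for instance) turn one deferred flush into a sync per page, and a flush once per batch in the caller would be the better shape. The placement before page_list_del() is the right order, since the page stays accounted to the p2m until its stale references are gone. The comment could also say why deferral is unsafe here specifically, e.g. "other CPUs may still cache translations through this page until the flush completes, and the pool may hand it out again immediately", which is the actual hazard the fix closes rather than just "it was deferred before". Finally, since p2m_free_ptp() is shared with the NPT and shadow implementations that the message says are unaffected, a short note that the sync is a no-op for them (or an ASSERT to that effect) would document that the unconditional call is intentional.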