[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Is this a racing bug in page_make_sharable()?

To: Nai Xia <nai.xia@xxxxxxxxx>
From: Tim Deegan <tim@xxxxxxx>
Date: Thu, 10 Jan 2013 13:00:58 +0000
Cc: Xiaowei Yang <xiaowei.yang@xxxxxxxxxx>, Andres Lagar-Cavilla <andreslc@xxxxxxxxxxxxxx>, "Luohao \(brian\)" <brian.luohao@xxxxxxxxxx>, Lixiuchang <lixiuchang@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 10 Jan 2013 13:01:31 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi,

At 23:35 +0800 on 27 Dec (1356651327), Nai Xia wrote:
> I think I can construct a bug by interleaving the two code paths:
> 
> in guest_remove_page()              |              in page_make_sharable()
> ------------------------------------------------------------------------------------------------------------------------------
> if ( p2m_is_shared(p2mt) )                       .....
> ...                                              .....
> page = mfn_to_page(mfn);                         .....
>                                                  .....
> 
>                                                  if ( 
>                                                  !get_page_and_type(page, 
>                                                  d, PGT_shared_page) )    
>                                                  // success
> 
>                                                  .........
>                                                  if ( page->count_info != 
>                                                  (PGC_allocated | (2 + 
>                                                  expected_refcnt)) ) // 
>                                                  also pass
> 
> 
> if ( unlikely(!get_page(page, d)) )
> 
> /* go on to remove page */                       /* go on to add page to 
> cow domain */
> -------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> is there anything that can already prevent such racing or is this really 
> can happen?

I think this race can happen.  I'm not sure exactly what the effect
is, though.  I guess the page ends up belonging to dom_cow, but
without the PGC_allocated bit set.  So when it becomes unshared again,
it's immediately freed. :(

Andres, what do you think?

Tim.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Is this a racing bug in page_make_sharable()?
  - From: Andres Lagar-Cavilla

Prev by Date: Re: [Xen-devel] [PATCH v5 00/10] Nested VMX: Add virtual EPT & VPID support to L1 VMM
Next by Date: [Xen-devel] [PATCH v2] tools/libxl: Improve videoram setting
Previous by thread: Re: [Xen-devel] [PATCH v3 03/10] nested_ept: Implement guest ept's walker
Next by thread: Re: [Xen-devel] Is this a racing bug in page_make_sharable()?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.