
Re: [Xen-devel] Is this a racing bug in page_make_sharable()?



At 11:36 -0500 on 10 Jan (1357817806), Andres Lagar-Cavilla wrote:
> Hi there, thanks for the report. Sorry I didn't respond earlier, fell through 
> the cracks.
> 
> Having said that...
> On Jan 10, 2013, at 8:00 AM, Tim Deegan <tim@xxxxxxx> wrote:
> 
> > Hi,
> > 
> > At 23:35 +0800 on 27 Dec (1356651327), Nai Xia wrote:
> >> I think I can construct a bug by interleaving the two code paths:
> >> 
> >> in guest_remove_page()               |  in page_make_sharable()
> >> -------------------------------------+------------------------------------------------------------------
> >> if ( p2m_is_shared(p2mt) )           |  .....
> >> ...                                  |  .....
> >> page = mfn_to_page(mfn);             |  .....
> >>                                      |  if ( !get_page_and_type(page, d, PGT_shared_page) )    // success
> >>                                      |  .........
> >>                                      |  if ( page->count_info != (PGC_allocated | (2 + expected_refcnt)) )    // also pass
> >> if ( unlikely(!get_page(page, d)) )  |
> >> /* go on to remove page */           |  /* go on to add page to cow domain */
> >> -------------------------------------+------------------------------------------------------------------
> >> 
> >> Is there anything that already prevents such a race, or can this really 
> >> happen?
> > 
> > I think this race can happen.  
> 
> Through a p2m entry in a domain. Is this the same domain as the one
> for which guest_remove_page is executing?  Then all is serialized
> through the p2m lock, no race.

Right, that's what I was missing.  Because guest_remove_page has called
get_gfn_query on the gfn, and not yet called put_gfn(),
page_make_sharable() can't be running.  All is well. :)

Thanks,

Tim.