[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] x86/hvm/ioreq: use ref-counted target-assigned shared pages



commit e862e6ceb1fd971d755a0c57d6a0f3b8065187dc
Author:     Paul Durrant <Paul.Durrant@xxxxxxxxxx>
AuthorDate: Tue Nov 20 14:57:38 2018 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Nov 20 14:57:38 2018 +0100

    x86/hvm/ioreq: use ref-counted target-assigned shared pages
    
    Passing MEMF_no_refcount to alloc_domheap_pages() will allocate, as
    expected, a page that is assigned to the specified domain but is not
    accounted for in tot_pages. Unfortunately there is no logic for tracking
    such allocations and avoiding any adjustment to tot_pages when the page
    is freed.
    
    The only caller of alloc_domheap_pages() that passes MEMF_no_refcount is
    hvm_alloc_ioreq_mfn() so this patch removes use of the flag from that
    call-site to avoid the possibility of a domain using an ioreq server as
    a means to adjust its tot_pages and hence allocate more memory than it
    should be able to.
    
    However, the reason for using the flag in the first place was to avoid
    the allocation failing if the emulator domain is already at its maximum
    memory limit. Hence this patch switches to allocating memory from the
    target domain instead of the emulator domain. There is already an extra
    memory allowance of 2MB (LIBXL_HVM_EXTRA_MEMORY) applied to HVM guests,
    which is sufficient to cover the pages required by the supported
    configuration of a single IOREQ server for QEMU. (Stub-domains do not,
    so far, use resource mapping). It also also the case the QEMU will have
    mapped the IOREQ server pages before the guest boots, hence it is not
    possible for the guest to inflate its balloon to consume these pages.
    
    Reported-by: Julien Grall <julien.grall@xxxxxxx>
    Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
 xen/arch/x86/hvm/ioreq.c | 12 ++----------
 xen/arch/x86/mm.c        |  6 ------
 2 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index da36ef727e..a56d634f31 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -371,20 +371,12 @@ static int hvm_alloc_ioreq_mfn(struct hvm_ioreq_server 
*s, bool buf)
         return 0;
     }
 
-    /*
-     * Allocated IOREQ server pages are assigned to the emulating
-     * domain, not the target domain. This is safe because the emulating
-     * domain cannot be destroyed until the ioreq server is destroyed.
-     * Also we must use MEMF_no_refcount otherwise page allocation
-     * could fail if the emulating domain has already reached its
-     * maximum allocation.
-     */
-    page = alloc_domheap_page(s->emulator, MEMF_no_refcount);
+    page = alloc_domheap_page(s->target, 0);
 
     if ( !page )
         return -ENOMEM;
 
-    if ( !get_page_and_type(page, s->emulator, PGT_writable_page) )
+    if ( !get_page_and_type(page, s->target, PGT_writable_page) )
     {
         /*
          * The domain can't possibly know about this page yet, so failure
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 16c7d88a8e..55f1cb182e 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4464,12 +4464,6 @@ int arch_acquire_resource(struct domain *d, unsigned int 
type,
 
             mfn_list[i] = mfn_x(mfn);
         }
-
-        /*
-         * The frames will have been assigned to the domain that created
-         * the ioreq server.
-         */
-        *flags |= XENMEM_rsrc_acq_caller_owned;
         break;
     }
 #endif
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.