|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Is this a racing bug in page_make_sharable()?
At 11:36 -0500 on 10 Jan (1357817806), Andres Lagar-Cavilla wrote: > Hi there, thanks for the report. Sorry I didn't respond earlier, fell through > the cracks. > > Having said that... > On Jan 10, 2013, at 8:00 AM, Tim Deegan <tim@xxxxxxx> wrote: > > > Hi, > > > > At 23:35 +0800 on 27 Dec (1356651327), Nai Xia wrote: > >> I think I can construct a bug by interleaving the two code paths: > >> > >> in guest_remove_page() | in page_make_sharable() > >> ------------------------------------------------------------------------------------------------------------------------------ > >> if ( p2m_is_shared(p2mt) ) ..... > >> ... ..... > >> page = mfn_to_page(mfn); ..... > >> ..... > >> > >> if ( > >> !get_page_and_type(page, > >> d, PGT_shared_page) ) > >> // success > >> > >> ......... > >> if ( page->count_info != > >> (PGC_allocated | (2 + > >> expected_refcnt)) ) // > >> also pass > >> > >> > >> if ( unlikely(!get_page(page, d)) ) > >> > >> /* go on to remove page */ /* go on to add page to > >> cow domain */ > >> ------------------------------------------------------------------------------------------------------------------------------------- > >> > >> > >> is there anything that can already prevent such racing or is this really > >> can happen? > > > > I think this race can happen. > > Through a p2m entry in a domain. Is this the same domain as the one > for which quest_remove_page is executing? Then all is serialized > through the p2m lock, no race. Right, that's what I was missing. Because guest_remove_page has called get_gfn_query on the gfn, and not yet called put_gfn(), page_make_sharable() can't be running. All is well. :) Thanks, Tim. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |