Re: [Xen-devel] [PATCH] x86/mm: fix a potential race condition in map_pages_to_xen().
>>> On 09.11.17 at 16:29, <yu.c.zhang@xxxxxxxxxxxxxxx> wrote:
> In map_pages_to_xen(), a L2 page table entry may be reset to point to
> a superpage, and its corresponding L1 page table need be freed in such
> scenario, when these L1 page table entries are mapping to consecutive
> page frames and having the same mapping flags.
>
> However, variable `pl1e` is not protected by the lock before L1 page table
> is enumerated. A race condition may happen if this code path is invoked
> simultaneously on different CPUs.
>
> For example, `pl1e` value on CPU0 may hold an obsolete value, pointing
> to a page which has just been freed on CPU1. Besides, before this page
> is reused, it will still be holding the old PTEs, referencing consecutive
> page frames. Consequently the `free_xen_pagetable(l2e_to_l1e(ol2e))` will
> be triggered on CPU0, resulting the unexpected free of a normal page.
>
> Protecting the `pl1e` with the lock will fix this race condition.
>
> Signed-off-by: Min He <min.he@xxxxxxxxx>
> Signed-off-by: Yi Zhang <yi.z.zhang@xxxxxxxxx>
> Signed-off-by: Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>

Oh, one more thing: Is it really the case that all three of you contributed to the patch? We don't use the Linux model of everyone through whose hands a patch passes adding an S-o-b of their own - that would rather be Reviewed-by then (if applicable). Also generally I would consider the first S-o-b to be that of the original author, yet the absence of an explicit From: tag makes authorship ambiguous here. Please clarify this in v2.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
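
The locking pattern described in the quoted commit message, as an added example that is not part of this thread or of Xen's code: a simplified user-space model in which the L1 table pointer is read only while the lock is held, so a second caller cannot free a table that was already unlinked. The structures, `table_lock`, `try_collapse` and `make_entry` are hypothetical names, and the sample entries are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define L1_ENTRIES 512u
struct l1_table { uint64_t mfn[L1_ENTRIES]; unsigned flags[L1_ENTRIES]; };
struct l2_entry { bool superpage; uint64_t base_mfn; unsigned flags; struct l1_table *l1; };

static atomic_flag table_lock = ATOMIC_FLAG_INIT;   /* hypothetical spinlock */
static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) { } }
static void unlock(void) { atomic_flag_clear(&table_lock); }

/* True when every L1 entry maps the next consecutive frame with the same flags. */
static bool l1_is_contiguous(const struct l1_table *t)
{
    for (unsigned i = 1; i < L1_ENTRIES; i++)
        if (t->mfn[i] != t->mfn[0] + i || t->flags[i] != t->flags[0])
            return false;
    return true;
}

/* Returns 1 if this caller replaced the L1 table with a superpage and freed it. */
int try_collapse(struct l2_entry *l2e)
{
    struct l1_table *victim = NULL;
    lock();
    /* Read the L1 pointer only under the lock: an earlier copy may be stale. */
    if (!l2e->superpage && l2e->l1 && l1_is_contiguous(l2e->l1)) {
        victim = l2e->l1;
        l2e->base_mfn = victim->mfn[0];
        l2e->flags = victim->flags[0];
        l2e->superpage = true;
        l2e->l1 = NULL;            /* unlink before anyone else can see it */
    }
    unlock();
    int collapsed = (victim != NULL);
    free(victim);                  /* only the caller that unlinked it frees it */
    return collapsed;
}

/* Constructed sample: an L2 entry whose L1 table maps frames base..base+511. */
struct l2_entry make_entry(uint64_t base, unsigned flags)
{
    struct l2_entry e = { .l1 = malloc(sizeof(struct l1_table)) };
    for (unsigned i = 0; e.l1 && i < L1_ENTRIES; i++) {
        e.l1->mfn[i] = base + i;
        e.l1->flags[i] = flags;
    }
    return e;
}
```

Calling `try_collapse` twice on the same entry models the two CPUs from the commit message: the first call frees the L1 table and the second finds the superpage already in place and frees nothing.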