Re: Is this a racing bug in page_make_sharable()?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Nai Xia <nai.xia@gmail.com>
To: Tim Deegan <tim@xen.org>
Cc: Lixiuchang <lixiuchang@huawei.com>,
	Xiaowei Yang <xiaowei.yang@huawei.com>,
	"Luohao (brian)" <brian.luohao@huawei.com>,
	xen-devel@lists.xensource.com,
	Grzegorz Milos <Grzegorz.Milos@citrix.com>
Subject: Re: Is this a racing bug in page_make_sharable()?
Date: Thu, 27 Dec 2012 23:35:27 +0800	[thread overview]
Message-ID: <50DC6ABF.7020003@gmail.com> (raw)
In-Reply-To: <20120117105323.GA74654@ocelot.phlegethon.org>

Hi all,

Last time I reported this bug. And I now see some changes in your Xen
git master branch.
However, I think the problem still remains for ref-checking in page
migration to dom_cow.

I think I can construct a bug by interleaving the two code paths:

in guest_remove_page()              |              in page_make_sharable()
------------------------------------------------------------------------------------------------------------------------------
if ( p2m_is_shared(p2mt) )                       .....
...                                              .....
page = mfn_to_page(mfn);                         .....
                                                  .....

                                                  if ( !get_page_and_type(page, d, PGT_shared_page) )    // success

                                                  .........
                                                  if ( page->count_info != (PGC_allocated | (2 + expected_refcnt)) ) // also pass


if ( unlikely(!get_page(page, d)) )

/* go on to remove page */                       /* go on to add page to cow domain */
-------------------------------------------------------------------------------------------------------------------------------------


is there anything that can already prevent such racing or is this really can happen?


Thanks,

Nai Xia


On 2012年01月17日 18:53, Tim Deegan wrote:
> At 22:43 +0800 on 16 Jan (1326753834), Nai Xia wrote:
>> Hi Grzegorz,
>>
>> As I understand, the purpose of the code in page_make_sharable()
>> checking the ref count is to ensure that nobody unexpected is working
>> on the page, and so we can migrate it to dom_cow, right?
>>
>> ====
>>      /* Check if the ref count is 2. The first from PGT_allocated, and
>>       * the second from get_page_and_type at the top of this function */
>>      if(page->count_info != (PGC_allocated | (2 + expected_refcnt)))
>>      {
>>          /* Return type count back to zero */
>>          put_page_and_type(page);
>>          spin_unlock(&d->page_alloc_lock);
>>          return -E2BIG;
>>      }
>> ====
>>
>> However, it seems to me that this ref check and the following page
>> migration is not atomic( although the operations for type_info ref
>> check seems good) i.e. it's possible that it passed this ref
>> check but just before it goes to dom_cow, someone else gets this page?
>
> Yes, there are a number of races around the p2m code; Anders
> Lagar-Cavilla has been working on fixing the locking around p2m lookups
> to take care of this.
>
> Tim.
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

next prev parent reply	other threads:[~2012-12-27 15:35 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <4F14345B.4040807@gmail.com>
2012-01-16 14:43 ` Is this a racing bug in page_make_sharable()? Nai Xia
2012-01-17 10:53   ` Tim Deegan
2012-12-27 15:35     ` Nai Xia [this message]
2013-01-10 13:00       ` Tim Deegan
2013-01-10 16:36         ` Andres Lagar-Cavilla
2013-01-10 17:25           ` Tim Deegan
2013-01-11  2:46             ` Nai Xia
2012-01-16 14:51 Nai Xia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50DC6ABF.7020003@gmail.com \
    --to=nai.xia@gmail.com \
    --cc=Grzegorz.Milos@citrix.com \
    --cc=brian.luohao@huawei.com \
    --cc=lixiuchang@huawei.com \
    --cc=tim@xen.org \
    --cc=xen-devel@lists.xensource.com \
    --cc=xiaowei.yang@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.