From: David Vrabel <david.vrabel@citrix.com>
To: Wei Liu <wei.liu2@citrix.com>
Cc: xen-devel@lists.xenproject.org,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
David Vrabel <david.vrabel@citrix.com>
Subject: Re: [PATCH V3] xen/balloon: flush persistent kmaps in correct position
Date: Mon, 17 Mar 2014 14:53:23 +0000 [thread overview]
Message-ID: <53270C63.1030004@citrix.com> (raw)
In-Reply-To: <1394899907-2529-1-git-send-email-wei.liu2@citrix.com>
On 15/03/14 16:11, Wei Liu wrote:
> Xen balloon driver will update ballooned out pages' P2M entries to point
> to scratch page for PV guests. In 24f69373e2 ("xen/balloon: don't alloc
> page while non-preemptible", kmap_flush_unused was moved after updating
> P2M table. In that case for 32 bit PV guest we might end up with
>
> P2M X -----> S (S is mfn of balloon scratch page)
> M2P Y -----> X (Y is mfn in persistent kmap entry)
>
> When kmap_flush_unused is called, it will call into
> flush_all_zero_pkmaps, which calls pte_page. Pte_page will call into
> PVMMU, which relies on P2M and M2P tables to do the correct translation.
> When PVMMU sees X -> S and Y -> X, it gets confused and returns a wrong
> value, which causes the guest to crash high up the call chain.
I don't think using PVMMU as a thing in this paragraph really helps.
kmap_flush_unused() iterates through all the PTEs in the kmap
address space, using pte_to_page() to obtain the page. If the p2m
and the m2p are inconsistent the incorrect page is returned.
This will clear page->address on the wrong page which may cause
subsequent oopses if that page is currently kmap'ed.
> Move the flush back between get_page and __set_phys_to_machine to fix
> this.
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Cc: stable@vger.kernel.org # 3.12+
> --- a/drivers/xen/balloon.c
> +++ b/drivers/xen/balloon.c
> @@ -404,6 +404,15 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
> frame_list[i] = pfn_to_mfn(pfn);
>
> scrub_page(page);
> + }
> +
> + /* Ensure that ballooned highmem pages don't have kmaps. */
> + kmap_flush_unused();
> + flush_tlb_all();
Can you check if this flush_tlb_all() is required and post a follow-up
if it isn't. I suggest looking at the update_va_mapping hypercall -- I
took a quick look and it looks like it flushes the TLB already.
> +
> + /* No more mappings: invalidate P2M and add to balloon. */
> + for (i = 0; i < nr_pages; i++) {
> + pfn = mfn_to_pfn(frame_list[i]);
With a bit of refactoring you could avoid some of the mfn_to_pfn() etc.
translations. But a v3 isn't required for this.
David
next prev parent reply other threads:[~2014-03-17 14:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-15 16:11 [PATCH V3] xen/balloon: flush persistent kmaps in correct position Wei Liu
2014-03-17 14:53 ` David Vrabel [this message]
2014-03-17 15:04 ` Wei Liu
2014-03-17 15:24 ` David Vrabel
2014-03-18 13:47 ` Wei Liu
2014-03-18 17:40 ` David Vrabel
2014-03-19 11:19 ` Wei Liu
2014-03-19 13:32 ` David Vrabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53270C63.1030004@citrix.com \
--to=david.vrabel@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.