From: Andres Lagar-Cavilla <andres@lagarcavilla.org>
To: xen-devel@lists.xensource.com
Cc: andres@gridcentric.ca, tim@xen.org, olaf@aepfle.de, adin@gridcentric.ca
Subject: [PATCH 4 of 4] x86/mm: Fix two PAE+paging bugs
Date: Wed, 15 Feb 2012 22:42:28 -0500
Message-ID: <62b1fe67b8d1bb48932f.1329363748@xdev.gridcentric.ca>
In-Reply-To: <patchbomb.1329363744@xdev.gridcentric.ca>

 xen/arch/x86/hvm/vmx/vmx.c |  16 +++++++++++++---
 xen/arch/x86/mm/hap/hap.c  |   2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)


In hap_update_paging_modes, we were getting the gpa of the cr3, rather than the
gfn.

vmx_load_pdptrs was crashing the host if the cr3 is paged out. Now it will only
crash the guest.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>

diff -r 7a1d415a71d0 -r 62b1fe67b8d1 xen/arch/x86/hvm/vmx/vmx.c
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1010,12 +1010,22 @@ static void vmx_load_pdptrs(struct vcpu 
     if ( (cr3 & 0x1fUL) && !hvm_pcid_enabled(v) )
         goto crash;
 
-    mfn = mfn_x(get_gfn(v->domain, cr3 >> PAGE_SHIFT, &p2mt));
-    if ( !p2m_is_ram(p2mt) )
+    mfn = mfn_x(get_gfn_unshare(v->domain, cr3 >> PAGE_SHIFT, &p2mt));
+    if ( !p2m_is_ram(p2mt) || !mfn_valid(mfn) || 
+         /* If we didn't succeed in unsharing, get_page will fail
+          * (page still belongs to dom_cow) */
+         !get_page(mfn_to_page(mfn), v->domain) )
     {
+        /* Ideally you don't want to crash but rather go into a wait 
+         * queue, but this is the wrong place. We're holding at least
+         * the paging lock */
+        gdprintk(XENLOG_ERR,
+                    "Bad cr3 on load pdptrs gfn %"PRIx64" mfn %"PRIx64
+                    " type %d\n",cr3 >> PAGE_SHIFT, mfn, (int)p2mt);
         put_gfn(v->domain, cr3 >> PAGE_SHIFT);
         goto crash;
     }
+    put_gfn(v->domain, cr3 >> PAGE_SHIFT);
 
     p = map_domain_page(mfn);
 
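Review bot: on the success path the put_gfn() now happens before map_domain_page(), so the only thing holding the frame in place across the PDPTR reads is the get_page() reference taken inside the condition. That is sound (a frame whose reference count is raised cannot be freed or nominated for paging out or sharing from under us), but the comment above `!get_page(mfn_to_page(mfn), v->domain)` should say that the page reference replaces the gfn lock, otherwise a later reader will assume the p2m is still locked while `p` is mapped. Second, the gdprintk prints `cr3 >> PAGE_SHIFT` and `mfn` with PRIx64; if cr3 and mfn are `unsigned long` here, as the `mfn_x()` assignment suggests, `%lx` is the matching specifier and avoids a format mismatch where uint64_t is not `unsigned long`. Also, the lines `!p2m_is_ram(p2mt) || !mfn_valid(mfn) || ` and `go into a wait ` carry trailing whitespace.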
@@ -1043,7 +1053,7 @@ static void vmx_load_pdptrs(struct vcpu 
     vmx_vmcs_exit(v);
 
     unmap_domain_page(p);
-    put_gfn(v->domain, cr3 >> PAGE_SHIFT);
+    put_page(mfn_to_page(mfn));
     return;
 
  crash:
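Review bot: with the put_gfn() moved up into the previous hunk, this put_page() is the only release of the reference taken by get_page(), so any exit between map_domain_page() and here that jumps to `crash:` or returns early would leak the reference and pin the frame for the life of the domain. Please confirm no such exit exists in the elided middle of the function, or else release the page on the crash path too, guarded by whether the reference is held. The ordering here is right: unmap_domain_page(p) before put_page().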
diff -r 7a1d415a71d0 -r 62b1fe67b8d1 xen/arch/x86/mm/hap/hap.c
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -786,7 +786,7 @@ hap_paging_get_mode(struct vcpu *v)
 static void hap_update_paging_modes(struct vcpu *v)
 {
     struct domain *d = v->domain;
-    unsigned long cr3_gfn = v->arch.hvm_vcpu.guest_cr[3];
+    unsigned long cr3_gfn = v->arch.hvm_vcpu.guest_cr[3] >> PAGE_SHIFT;
     p2m_type_t t;
 
     /* We hold onto the cr3 as it may be modified later, and
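Review bot: the shift is the right fix, since guest_cr[3] is a guest-physical address whose low 12 bits are PWT/PCD (and PCID) flags, so the old lookup was on a gfn 4096 times too large, plus flag bits, and would take a reference on the wrong p2m entry or on none. Please check that the matching put_gfn() later in hap_update_paging_modes releases this same `cr3_gfn` value rather than recomputing from guest_cr[3], and consider a one-line comment on the variable stating that cr3 is a gpa, so the confusion is not reintroduced.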

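The two bugs above are both about what a CR3 value is: a guest-physical address with flag bits in its low 12 bits, from which the frame number and the 32-byte-aligned PDPT offset are derived, and a frame that the p2m may report as something other than RAM. The following is an added C model of those checks, written for this page; it is not Xen code and not part of the patch. It assumes a constructed p2m of eight frames with backing pages embedded inline, a MAXPHYADDR of 40 for the reserved-bit mask, and the PAE PDPTE layout from the Intel SDM (bit 0 present, bits 2:1 and 8:5 reserved, bits 4:3 PWT/PCD, bits M-1:12 address, bits 63:M reserved). The names toy_*, cr3_to_gfn and load_pae_pdptrs are this example's own; failures are returned as a status instead of crashing anything.

```c
/* Model of PAE CR3 handling: gpa vs gfn, alignment check, p2m type check,
 * PDPTE reserved-bit validation.  Added example; the p2m and memory below
 * are constructed for illustration and are not Xen data structures. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define TOY_GFNS   8          /* size of the constructed guest-physical space */
#define MAXPHYADDR 40         /* assumed physical address width */

enum p2m_type { P2M_INVALID = 0, P2M_RAM, P2M_PAGED_OUT, P2M_SHARED };

/* Constructed p2m: one type per gfn, and one backing page per gfn. */
static enum p2m_type toy_p2m[TOY_GFNS];
static uint64_t      toy_pages[TOY_GFNS][PAGE_SIZE / sizeof(uint64_t)];

/* The hap.c fix: CR3 holds a guest-physical address, so the frame number is
 * cr3 >> PAGE_SHIFT.  The low 12 bits are PWT/PCD (or a PCID), not address. */
uint64_t cr3_to_gfn(uint64_t cr3)
{
    return cr3 >> PAGE_SHIFT;
}

enum pdptr_status {
    PDPTR_OK = 0,
    PDPTR_BAD_ALIGN,     /* cr3 & 0x1f set without PCID: PDPT not 32-byte aligned */
    PDPTR_BAD_GFN,       /* gfn outside the constructed address space */
    PDPTR_NOT_RAM,       /* p2m says the frame is paged out, shared or invalid */
    PDPTR_RSVD_BITS      /* a present PDPTE has reserved bits set */
};

/* Reserved bits of a PAE PDPTE: 2:1, 8:5 and everything at or above MAXPHYADDR.
 * Only present entries are checked, as the hardware does. */
static bool pdpte_has_rsvd_bits(uint64_t pdpte)
{
    const uint64_t rsvd = (3ULL << 1) | (0xFULL << 5) | ~((1ULL << MAXPHYADDR) - 1);
    return (pdpte & 1) && (pdpte & rsvd);
}

/* Same order of checks as the vmx.c hunk: alignment, then the p2m type of the
 * frame the gfn maps to, then read the four PDPTEs from inside that frame.
 * A failure is reported to the caller rather than crashing the guest. */
enum pdptr_status load_pae_pdptrs(uint64_t cr3, bool pcid_enabled, uint64_t out[4])
{
    if ( (cr3 & 0x1fULL) && !pcid_enabled )
        return PDPTR_BAD_ALIGN;

    uint64_t gfn = cr3_to_gfn(cr3);
    if ( gfn >= TOY_GFNS )
        return PDPTR_BAD_GFN;
    if ( toy_p2m[gfn] != P2M_RAM )
        return PDPTR_NOT_RAM;

    /* The PDPT sits at a 32-byte aligned offset inside the frame: cr3 bits 11:5. */
    const uint64_t *pdpt = &toy_pages[gfn][(cr3 & 0xFE0ULL) / sizeof(uint64_t)];
    for ( int i = 0; i < 4; i++ )
    {
        if ( pdpte_has_rsvd_bits(pdpt[i]) )
            return PDPTR_RSVD_BITS;
        out[i] = pdpt[i];
    }
    return PDPTR_OK;
}

/* Constructed guest: gfn 2 is RAM holding a valid PDPT at offset 0x40,
 * gfn 3 is paged out, gfn 4 is RAM holding a PDPTE with reserved bit 2 set. */
void toy_setup(void)
{
    memset(toy_p2m, 0, sizeof(toy_p2m));
    memset(toy_pages, 0, sizeof(toy_pages));
    toy_p2m[2] = P2M_RAM;
    toy_p2m[3] = P2M_PAGED_OUT;
    toy_p2m[4] = P2M_RAM;
    uint64_t *pdpt = &toy_pages[2][0x40 / sizeof(uint64_t)];
    for ( int i = 0; i < 4; i++ )
        pdpt[i] = ((uint64_t)(0x10 + i) << PAGE_SHIFT) | 1;  /* present, PD at gfn 0x10+i */
    toy_pages[4][0] = (1ULL << 12) | (1ULL << 2) | 1;       /* bit 2 is reserved */
}

int main(void)
{
    uint64_t pdptrs[4];
    toy_setup();
    printf("cr3=0x2040 -> gfn %llu, status %d\n",
           (unsigned long long)cr3_to_gfn(0x2040), load_pae_pdptrs(0x2040, false, pdptrs));
    printf("cr3=0x3000 (paged out)  -> status %d\n", load_pae_pdptrs(0x3000, false, pdptrs));
    printf("cr3=0x2048 (misaligned) -> status %d\n", load_pae_pdptrs(0x2048, false, pdptrs));
    printf("cr3=0x4000 (rsvd bit)   -> status %d\n", load_pae_pdptrs(0x4000, false, pdptrs));
    return 0;
}
```

The cr3=0x3000 case is the one the commit message describes: the frame exists in the p2m but is paged out, so the load must fail cleanly instead of dereferencing whatever mfn the lookup returned. Using the unshifted cr3 (0x2040) as a frame number, as the old hap.c code did, would index far past the eight-frame space here and, in a real p2m, hit an unrelated entry.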

Thread overview: 7+ messages
2012-02-16  3:42 [PATCH 0 of 4] x86/mm: Four fixes Andres Lagar-Cavilla
2012-02-16  3:42 ` [PATCH 1 of 4] x86/mm: Make asserts on types and counts of shared pages more accurate Andres Lagar-Cavilla
2012-02-16  3:42 ` [PATCH 2 of 4] x86/mm: Fix more ballooning+paging and ballooning+sharing bugs Andres Lagar-Cavilla
2012-02-16  3:42 ` [PATCH 3 of 4] x86/mm: Check sharing/paging/access have been enabled before processing a memop Andres Lagar-Cavilla
2012-02-16  3:42 ` Andres Lagar-Cavilla [this message]
2012-02-16 15:59 ` [PATCH 0 of 4] x86/mm: Four fixes Tim Deegan
2012-02-17 16:14   ` Andres Lagar-Cavilla
