Re: [PATCH] QEMU support for virtio balloon driver

[Marcelo Tosatti <marcelo@kvack.org>]

On Sat, Jan 26, 2008 at 08:47:28PM +0200, Avi Kivity wrote:
> Anthony Liguori wrote:
> >Do others expect KVM to just cope with the virtual mapping being changed 
> >out from underneath of it?
> >  
> 
> kvm should cope with both malicious guests and malicious (or buggy) host 
> userspace.  It's difficuly to analyze, but mmu notifiers might be 
> necessary for the latter.

The reason for the host crash with madvise is that the rmap code relies
on the guest process virtual mappings from not disappearing while there
are active shadow mappings.

How to proceed now? Do we want to efficiently support ballooning without
mmu notifiers? If so, an ioctl to zap the mmu is necessary as discussed
before.


diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index f0cdfba..4c93b79 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1009,6 +1009,21 @@ struct page *gva_to_page(struct kvm_vcpu *vcpu, gva_t gva)
 	return page;
 }
 
+static int was_spte_rmapped(struct kvm *kvm, u64 *spte, struct page *page)
+{
+	int ret = 0;
+	unsigned long host_pfn = (*spte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;
+
+	if (is_rmap_pte(*spte)) {
+		if (host_pfn != page_to_pfn(page))
+			rmap_remove(kvm, spte);
+		else
+			ret = 1;
+	}
+
+	return ret;
+}
+
 static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 			 unsigned pt_access, unsigned pte_access,
 			 int user_fault, int write_fault, int dirty,
@@ -1016,7 +1031,7 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 			 struct page *page)
 {
 	u64 spte;
-	int was_rmapped = is_rmap_pte(*shadow_pte);
+	int was_rmapped = was_spte_rmapped(vcpu->kvm, shadow_pte, page);
 	int was_writeble = is_writeble_pte(*shadow_pte);
 
 	/*



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/