From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tim Deegan
Subject: Re: Is this a racing bug in page_make_sharable()?
Date: Thu, 10 Jan 2013 13:00:58 +0000
Message-ID: <20130110130058.GD99373@ocelot.phlegethon.org>
References: <4F14345B.4040807@gmail.com> <20120117105323.GA74654@ocelot.phlegethon.org> <50DC6ABF.7020003@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In-Reply-To: <50DC6ABF.7020003@gmail.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Nai Xia
Cc: Xiaowei Yang, Andres Lagar-Cavilla, "Luohao (brian)", Lixiuchang, xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

Hi,

At 23:35 +0800 on 27 Dec (1356651327), Nai Xia wrote:
> I think I can construct a bug by interleaving the two code paths:
>
> in guest_remove_page()              | in page_make_sharable()
> ------------------------------------------------------------------------
> if ( p2m_is_shared(p2mt) )            .....
> ...                                   .....
> page = mfn_to_page(mfn);              .....
>                                       .....
>
>                                       if ( !get_page_and_type(page, d,
>                                                PGT_shared_page) )
>                                           // success
>
>                                       .........
>                                       if ( page->count_info !=
>                                            (PGC_allocated | (2 + expected_refcnt)) )
>                                           // also pass
>
> if ( unlikely(!get_page(page, d)) )
>
> /* go on to remove page */            /* go on to add page to cow domain */
> ------------------------------------------------------------------------
>
> Is there anything that can already prevent such racing, or can this
> really happen?

I think this race can happen. I'm not sure exactly what the effect is,
though. I guess the page ends up belonging to dom_cow, but without the
PGC_allocated bit set. So when it becomes unshared again, it's
immediately freed. :(

Andres, what do you think?

Tim.
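
The interleaving from the quoted table, replayed in a single-threaded toy model. This is an added example, not part of the original message and not Xen code. It assumes that taking a reference is a bare increment of `count_info`; the bit position of `PGC_allocated` and the names `take_ref`, `count_check`, `interleave` and `struct outcome` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model with constructed values; not Xen's real count_info layout. */
#define PGC_allocated (1UL << 31)

struct page { unsigned long count_info; };

/* Assumption: taking a reference is modelled as a bare increment. */
static void take_ref(struct page *pg) { pg->count_info++; }

/* The snapshot comparison quoted from page_make_sharable(). */
static bool count_check(const struct page *pg, unsigned long expected_refcnt)
{
    return pg->count_info == (PGC_allocated | (2 + expected_refcnt));
}

struct outcome {
    bool check_passed;            /* page_make_sharable() decided to go on */
    bool count_still_as_checked;  /* count_info still equals the checked value */
};

/* racy != 0: order from the table. racy == 0: remover's get_page() runs first. */
static struct outcome interleave(int racy, unsigned long expected_refcnt)
{
    /* Assumed start: one reference for PGC_allocated plus the expected ones. */
    struct page pg = { PGC_allocated | (1 + expected_refcnt) };
    struct outcome o;

    if (!racy)
        take_ref(&pg);   /* guest_remove_page(): get_page() */
    take_ref(&pg);       /* page_make_sharable(): get_page_and_type() */
    o.check_passed = count_check(&pg, expected_refcnt);
    if (racy)
        take_ref(&pg);   /* guest_remove_page(): get_page(), after the check */
    /* Both paths now "go on"; re-evaluate what the check relied on. */
    o.count_still_as_checked = count_check(&pg, expected_refcnt);
    return o;
}

int main(void)
{
    struct outcome r = interleave(1, 0), s = interleave(0, 0);
    printf("table order:   passed=%d still_valid=%d\n",
           r.check_passed, r.count_still_as_checked);
    printf("remover first: passed=%d still_valid=%d\n",
           s.check_passed, s.count_still_as_checked);
    return 0;
}
```

In the table's order the comparison passes and is stale by the time both paths proceed; with the remover's reference taken first, the same comparison rejects the page.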