From: Julien Grall <julien.grall@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>,
Jan Beulich <jbeulich@suse.com>, Tim Deegan <tim@xen.org>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Ian Campbell <ian.campbell@citrix.com>,
xen-devel <xen-devel@lists.xen.org>
Subject: Re: Fwd: Question regarding the behavior of guest_physmap_remove_page on x86
Date: Wed, 18 Nov 2015 16:16:25 +0000
Message-ID: <564CA459.4050100@citrix.com>
In-Reply-To: <564B7637.3040804@citrix.com>

Hi Andrew,

On 17/11/15 18:47, Andrew Cooper wrote:
> On 17/11/15 18:09, Julien Grall wrote:
>> On ARM, it's possible to fail when removing a page from the P2M. It's
>> happening if we are trying to shatter a superpage and we don't have
>> memory to allocate the table. Therefore the mapping won't be removed
>> from the P2M.
>>
>> However on ARM (and until recently on x86 [1]), the function
>> guest_physmap_remove_page is not supposed to return an error. So we
>> would free the page even if we fail to remove the page. This will end up
>> with the page being re-used by someone else even though the mapping is
>> still present in the P2M.
>>
>> I looked at the x86 version and I'm not sure how the function is
>> behaving. Maybe an x86 maintainer could give me insight here.
>>
>> I'm thinking of fixing the problem by checking the return of
>> guest_physmap_remove_page to avoid the page being reallocated to someone
>> else (see for instance guest_remove_page in xen/common/memory.c). Is it
>> a sensible way to fix it?
>
> x86 can just as easily fail because of a failure to shatter a superpage.
>
> Despite the below changeset, none of the callees were updated to
> actually act upon the error.
>
> As a result, the same issue affects x86, in principle.
>
> Does ARM have a shadow pool? On x86, we arrange that the shadow pool
> (should be) large enough so that we never actually encounter an
> out-of-memory when shattering a superpage.

We don't have a shadow pool on ARM. Even if we implement one, I think we have
to check the return of guest_physmap_remove_page in the event there is
another error path.

> I also observe that there is a latent bug with iommu_unmap_page() (which
> is part of guest_physmap_remove_page()) as (almost) nothing checks its
> return value. Currently all (x86) callpaths either return success, or
> crash the domain.
>
> Looking at other codepaths, other possible errors (other than -ENOMEM
> from shattering) are:
>
>     if ( unlikely(p2m_is_foreign(p2mt)) )
>     {
>         /* pvh fixme: foreign types are only supported on ept at present */
>         gdprintk(XENLOG_WARNING, "Unimplemented foreign p2m type.\n");
>         return -EINVAL;
>     }
>
> or:
>
>     if ( !(p2m_entry = p2m_find_entry(*table, gfn_remainder, gfn,
>                                       shift, max)) )
>         return -ENOENT;
>
>
> All this code looks quite rotten through, and is in some serious need of
> some error handling hygiene.

I don't know the x86 code. I would appreciate can take care of the x86 part.

Regards,

--
Julien Grall
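
Added example, not part of the thread and not Xen code: a toy C model of the hazard discussed above, where a page is freed even though removing its P2M mapping failed, next to the variant that checks the return value. `toy_p2m`, `toy_physmap_remove`, `remove_page` and `stale_mapping` are hypothetical names, and the single-entry P2M is an assumption made to keep the model small.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not Xen code: one guest frame backed by one page. */
struct toy_p2m {
    bool mapped;        /* gfn still translates to the page */
    bool in_superpage;  /* removal must shatter a superpage first */
    int  tables_free;   /* memory left for the new table */
    bool page_owned;    /* guest still owns the backing page */
};

/* Stand-in for guest_physmap_remove_page(): on failure the mapping stays. */
static int toy_physmap_remove(struct toy_p2m *p)
{
    if (!p->mapped)
        return -ENOENT;
    if (p->in_superpage) {
        if (p->tables_free == 0)
            return -ENOMEM;         /* cannot allocate the table */
        p->tables_free--;
        p->in_superpage = false;
    }
    p->mapped = false;
    return 0;
}

/* check_rc == false is the pattern from the thread: page freed regardless. */
static int remove_page(struct toy_p2m *p, bool check_rc)
{
    int rc = toy_physmap_remove(p);
    if (rc && check_rc)
        return rc;                  /* mapping still present: keep the page */
    p->page_owned = false;          /* page returns to the allocator */
    return rc;
}

/* Hazard: the guest can still reach a page it no longer owns. */
static bool stale_mapping(const struct toy_p2m *p)
{
    return p->mapped && !p->page_owned;
}

int main(void)
{
    struct toy_p2m a = { true, true, 0, true }, b = a;
    int ra = remove_page(&a, false), rb = remove_page(&b, true);
    printf("rc/stale: unchecked %d/%d, checked %d/%d\n", ra, stale_mapping(&a), rb, stale_mapping(&b));
    return 0;
}
```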