From: Andres Lagar-Cavilla <andres@lagarcavilla.org>
To: xen-devel@lists.xensource.com
Cc: andres@gridcentric.ca, tim@xen.org, olaf@aepfle.de, adin@gridcentric.ca
Subject: [PATCH 4 of 4] x86/mm: Fix two PAE+paging bugs
Date: Wed, 15 Feb 2012 22:42:28 -0500 [thread overview]
Message-ID: <62b1fe67b8d1bb48932f.1329363748@xdev.gridcentric.ca> (raw)
In-Reply-To: <patchbomb.1329363744@xdev.gridcentric.ca>
xen/arch/x86/hvm/vmx/vmx.c | 16 +++++++++++++---
xen/arch/x86/mm/hap/hap.c | 2 +-
2 files changed, 14 insertions(+), 4 deletions(-)
In hap_paging_update_modes, we were getting the gpa of the cr3, rather than the
gfn.
Vmx_load_pdptrs was crashing the host if the cr3 is paged out. Now it will only
crash the guest.
Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
diff -r 7a1d415a71d0 -r 62b1fe67b8d1 xen/arch/x86/hvm/vmx/vmx.c
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1010,12 +1010,22 @@ static void vmx_load_pdptrs(struct vcpu
if ( (cr3 & 0x1fUL) && !hvm_pcid_enabled(v) )
goto crash;
- mfn = mfn_x(get_gfn(v->domain, cr3 >> PAGE_SHIFT, &p2mt));
- if ( !p2m_is_ram(p2mt) )
+ mfn = mfn_x(get_gfn_unshare(v->domain, cr3 >> PAGE_SHIFT, &p2mt));
+ if ( !p2m_is_ram(p2mt) || !mfn_valid(mfn) ||
+ /* If we didn't succeed in unsharing, get_page will fail
+ * (page still belongs to dom_cow) */
+ !get_page(mfn_to_page(mfn), v->domain) )
{
+ /* Ideally you don't want to crash but rather go into a wait
+ * queue, but this is the wrong place. We're holding at least
+ * the paging lock */
+ gdprintk(XENLOG_ERR,
+ "Bad cr3 on load pdptrs gfn %"PRIx64" mfn %"PRIx64
+ " type %d\n",cr3 >> PAGE_SHIFT, mfn, (int)p2mt);
put_gfn(v->domain, cr3 >> PAGE_SHIFT);
goto crash;
}
+ put_gfn(v->domain, cr3 >> PAGE_SHIFT);
p = map_domain_page(mfn);
@@ -1043,7 +1053,7 @@ static void vmx_load_pdptrs(struct vcpu
vmx_vmcs_exit(v);
unmap_domain_page(p);
- put_gfn(v->domain, cr3 >> PAGE_SHIFT);
+ put_page(mfn_to_page(mfn));
return;
crash:
diff -r 7a1d415a71d0 -r 62b1fe67b8d1 xen/arch/x86/mm/hap/hap.c
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -786,7 +786,7 @@ hap_paging_get_mode(struct vcpu *v)
static void hap_update_paging_modes(struct vcpu *v)
{
struct domain *d = v->domain;
- unsigned long cr3_gfn = v->arch.hvm_vcpu.guest_cr[3];
+ unsigned long cr3_gfn = v->arch.hvm_vcpu.guest_cr[3] >> PAGE_SHIFT;
p2m_type_t t;
/* We hold onto the cr3 as it may be modified later, and
next prev parent reply other threads:[~2012-02-16 3:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-16 3:42 [PATCH 0 of 4] x86/mm: Four fixes Andres Lagar-Cavilla
2012-02-16 3:42 ` [PATCH 1 of 4] x86/mm: Make asserts on types and counts of shared pages more accurate Andres Lagar-Cavilla
2012-02-16 3:42 ` [PATCH 2 of 4] x86/mm: Fix more ballooning+paging and ballooning+sharing bugs Andres Lagar-Cavilla
2012-02-16 3:42 ` [PATCH 3 of 4] x86/mm: Check sharing/paging/access have been enabled before processing a memop Andres Lagar-Cavilla
2012-02-16 3:42 ` Andres Lagar-Cavilla [this message]
2012-02-16 15:59 ` [PATCH 0 of 4] x86/mm: Four fixes Tim Deegan
2012-02-17 16:14 ` Andres Lagar-Cavilla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62b1fe67b8d1bb48932f.1329363748@xdev.gridcentric.ca \
--to=andres@lagarcavilla.org \
--cc=adin@gridcentric.ca \
--cc=andres@gridcentric.ca \
--cc=olaf@aepfle.de \
--cc=tim@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).