WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] shadow2 corrupting PV guest state

Hi Tim,

You (Tim.Deegan) said:
>>> Are you worried about a race where the foreign domain is destroyed and
>>> another domain created, with the same struct domain pointer, and which
>>> owns the same frame, between the __acquire_grant_for_copy() and the
>>> get_page()?
>> 
>>   No, I'm worried that two domains use with same page frame.
>> 
>>   The released pages can be used by new domain, but old domain sturct
>> exists between domain_kill and domain_destroy.
> 
> If the released frames are used by a new domain, get_page() will fail:
> the old domain still exists (we have a reference to it), so the new
> owner's domain pointer must be different from the one we pass to
> get_page.

  In my investigation, get_page() assumes that the page frame is in
use. But, the page_info structure of released page frame should not
be treated as inuse. Thus the nd value might be invalid value in this
situation, I think.

[xen/include/asm-x86/mm.h]
static inline int get_page(struct page_info *page,
                           struct domain *domain)
{
    u32 x, nx, y = page->count_info;
    u32 d, nd = page->u.inuse._domain;    /* <<=== THIS LINE */
    u32 _domain = pickle_domptr(domain);

    do {
        x  = y;
        nx = x + 1;
        d  = nd;
        if ( unlikely((x & PGC_count_mask) == 0) ||  /* Not allocated? */
             unlikely((nx & PGC_count_mask) == 0) || /* Count overflow? */
             unlikely(d != _domain) )                /* Wrong owner? */
        {
            if ( !_shadow_mode_refcounts(domain) )
                DPRINTK("Error pfn %lx: rd=%p, od=%p, caf=%08x, taf=%"
                        PRtype_info "\n",
                        page_to_mfn(page), domain, unpickle_domptr(d),
                        x, page->u.inuse.type_info);
            return 0;
        }
        __asm__ __volatile__(
            LOCK_PREFIX "cmpxchg8b %3"
            : "=d" (nd), "=a" (y), "=c" (d),
              "=m" (*(volatile u64 *)(&page->count_info))
            : "0" (d), "1" (x), "c" (d), "b" (nx) );    /* <<=== THIS LINE */
    }
    while ( unlikely(nd != d) || unlikely(y != x) );

    return 1;
}

Thanks,
- Tsunehisa Doi

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel