# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID e351aace191ec77efd8337a484147d14eb7f5254
# Parent b786bfb058eb3ac0806f76094126b2857471d3a7
[LINUX] Do not early-unpin pagetables that contain foreign mappings.
This fixes a bug whereby foreign pages were freed by the unpin, which
then become owned by the local domain before it destroys its ptes.
It therefore (erroneously) detects the mappings as local and so
updates reference counts, leading to crashes.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
linux-2.6-xen-sparse/arch/i386/kernel/ldt-xen.c | 1 +
linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c | 2 ++
linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c | 3 ++-
linux-2.6-xen-sparse/arch/x86_64/mm/pageattr-xen.c | 3 ++-
linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/mmu.h | 3 +++
linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/asm/mmu.h | 1 +
6 files changed, 11 insertions(+), 2 deletions(-)
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/arch/i386/kernel/ldt-xen.c
--- a/linux-2.6-xen-sparse/arch/i386/kernel/ldt-xen.c Tue Aug 01 15:28:09
2006 +0100
+++ b/linux-2.6-xen-sparse/arch/i386/kernel/ldt-xen.c Tue Aug 01 15:48:48
2006 +0100
@@ -109,6 +109,7 @@ int init_new_context(struct task_struct
init_MUTEX(&mm->context.sem);
mm->context.size = 0;
+ mm->context.has_foreign_mappings = 0;
old_mm = current->mm;
if (old_mm && old_mm->context.size > 0) {
down(&old_mm->context.sem);
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c
--- a/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c Tue Aug 01 15:28:09
2006 +0100
+++ b/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c Tue Aug 01 15:48:48
2006 +0100
@@ -126,6 +126,8 @@ int direct_remap_pfn_range(struct vm_are
if (domid == DOMID_SELF)
return -EINVAL;
+ vma->vm_mm->context.has_foreign_mappings = 1;
+
return __direct_remap_pfn_range(
vma->vm_mm, address, mfn, size, prot, domid);
}
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c
--- a/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c Tue Aug 01 15:28:09
2006 +0100
+++ b/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c Tue Aug 01 15:48:48
2006 +0100
@@ -694,6 +694,7 @@ void _arch_exit_mmap(struct mm_struct *m
task_unlock(tsk);
if (test_bit(PG_pinned, &virt_to_page(mm->pgd)->flags) &&
- (atomic_read(&mm->mm_count) == 1))
+ (atomic_read(&mm->mm_count) == 1) &&
+ !mm->context.has_foreign_mappings)
mm_unpin(mm);
}
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/arch/x86_64/mm/pageattr-xen.c
--- a/linux-2.6-xen-sparse/arch/x86_64/mm/pageattr-xen.c Tue Aug 01
15:28:09 2006 +0100
+++ b/linux-2.6-xen-sparse/arch/x86_64/mm/pageattr-xen.c Tue Aug 01
15:48:48 2006 +0100
@@ -159,7 +159,8 @@ void _arch_exit_mmap(struct mm_struct *m
task_unlock(tsk);
- if ( mm->context.pinned && (atomic_read(&mm->mm_count) == 1) )
+ if ( mm->context.pinned && (atomic_read(&mm->mm_count) == 1) &&
+ !mm->context.has_foreign_mappings )
mm_unpin(mm);
}
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/mmu.h
--- a/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/mmu.h Tue Aug 01
15:28:09 2006 +0100
+++ b/linux-2.6-xen-sparse/include/asm-i386/mach-xen/asm/mmu.h Tue Aug 01
15:48:48 2006 +0100
@@ -12,6 +12,9 @@ typedef struct {
int size;
struct semaphore sem;
void *ldt;
+#ifdef CONFIG_XEN
+ int has_foreign_mappings;
+#endif
} mm_context_t;
/* mm/memory.c:exit_mmap hook */
diff -r b786bfb058eb -r e351aace191e
linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/asm/mmu.h
--- a/linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/asm/mmu.h Tue Aug
01 15:28:09 2006 +0100
+++ b/linux-2.6-xen-sparse/include/asm-x86_64/mach-xen/asm/mmu.h Tue Aug
01 15:48:48 2006 +0100
@@ -17,6 +17,7 @@ typedef struct {
struct semaphore sem;
#ifdef CONFIG_XEN
unsigned pinned:1;
+ unsigned has_foreign_mappings:1;
struct list_head unpinned;
#endif
} mm_context_t;
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
Home