
Re: [Xen-devel] shadow2 corrupting PV guest state


You (Tim.Deegan) said:
>>   Basically, the referencee should not be released while the
>> referencer exists, I think.
>>   In the domain_kill phase, domain_relinquish_resource releases the
>> memory of the domain being destroyed. So, the memory may be used by
>> another domain. But the P2M table of the domain exists, so the memory
>> might be corrupted by gnttab_copy.
>>   In the __gnttab_copy code, it avoids corrupting memory that was used
>> by the domain being destroyed with __acquire_grant_for_copy and get_page.
>> But I think that it has an atomicity issue with the owner.
> Are you worried about a race where the foreign domain is destroyed and
> another domain created, with the same struct domain pointer, and which
> owns the same frame, between the __acquire_grant_for_copy() and the
> get_page()?

  No, I'm worried that two domains use the same page frame.

  The released pages can be used by a new domain, but the old domain struct
exists between domain_kill and domain_destroy.

> Earlier in __gnttab_copy, we call find_domain_by_id() on the foreign
> domain, which calls get_domain(), so we're safe from that.

  I suppose that find_domain_by_id doesn't ensure that it is not used by
both domains.

- Tsunehisa Doi
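The two positions in this exchange (get_page as the guard against a reused frame, versus a possible atomicity gap between the owner check and the reference take) can be made concrete with a small model. The following is an added example written for this page, not Xen source: it keeps a frame's owner and reference count in one 64-bit word and contrasts a compare-exchange get_page with a two-step check-then-increment, driving both through the interleaving described above (domain A killed and its frame handed to new domain B while A's P2M still points at it). OWNER_A, OWNER_B, interleave_fn, run_scenario and refused_after_reassignment are names constructed for the illustration.

```c
/* Added model (not Xen source): a page's owner and reference count kept in a
 * single 64-bit word, so that taking a reference on behalf of an expected
 * owner either succeeds atomically or is refused. Names (OWNER_A/OWNER_B,
 * interleave_fn, run_scenario) are constructed for this illustration. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { OWNER_NONE = 0, OWNER_A = 1, OWNER_B = 2 };
#define COUNT_MASK 0xffffffffu

/* low 32 bits: reference count, high 32 bits: owning domain id (0 = free) */
struct page_info { _Atomic uint64_t word; };

static uint64_t pack(uint32_t owner, uint32_t count) { return ((uint64_t)owner << 32) | count; }
static uint32_t owner_of(struct page_info *pg) { return (uint32_t)(atomic_load(&pg->word) >> 32); }

/* Stand-in for whatever another CPU does between our check and our increment. */
typedef void (*interleave_fn)(struct page_info *);

/* Atomic form: the owner check and the count increment are one compare-exchange,
 * so a change of owner in the window makes the exchange fail and the recheck refuse. */
static bool get_page_atomic(struct page_info *pg, uint32_t expected_owner, interleave_fn between)
{
    uint64_t old = atomic_load(&pg->word);
    bool fired = false;
    for (;;) {
        uint32_t count = (uint32_t)(old & COUNT_MASK);
        uint32_t owner = (uint32_t)(old >> 32);
        if (count == 0 || owner != expected_owner)
            return false;                      /* free, or already handed to someone else */
        if (between && !fired) { between(pg); fired = true; }
        /* on failure `old` is reloaded with the current word and we recheck */
        if (atomic_compare_exchange_strong(&pg->word, &old, pack(owner, count + 1)))
            return true;
    }
}

/* Non-atomic form: owner check, then a separate increment. Whatever happens to
 * the page in between is not noticed, and the reference lands on the new owner's page. */
static bool get_page_racy(struct page_info *pg, uint32_t expected_owner, interleave_fn between)
{
    uint64_t w = atomic_load(&pg->word);
    if ((w & COUNT_MASK) == 0 || (uint32_t)(w >> 32) != expected_owner)
        return false;
    if (between) between(pg);
    atomic_fetch_add(&pg->word, 1);
    return true;
}

/* The interleaving from the thread: domain A is killed, domain_relinquish_resources
 * drops A's reference, and the allocator hands the same frame to new domain B,
 * while A's struct domain (and the P2M entry pointing at this frame) still exists. */
static void kill_a_and_reassign_to_b(struct page_info *pg)
{
    atomic_store(&pg->word, pack(OWNER_B, 1));
}

/* Returns 1 if a copy on A's behalf ended up holding a reference to B's page
 * (the corruption case), 0 if the reference was refused. */
int run_scenario(bool atomic_form)
{
    struct page_info frame;
    atomic_init(&frame.word, pack(OWNER_A, 1));
    bool got = atomic_form ? get_page_atomic(&frame, OWNER_A, kill_a_and_reassign_to_b)
                           : get_page_racy(&frame, OWNER_A, kill_a_and_reassign_to_b);
    return got && owner_of(&frame) == OWNER_B;
}

/* Frame already reassigned before the lookup: both forms refuse, because the
 * owner check itself catches it; only the in-window change needs the atomic form. */
int refused_after_reassignment(bool atomic_form)
{
    struct page_info frame;
    atomic_init(&frame.word, pack(OWNER_B, 1));
    return atomic_form ? !get_page_atomic(&frame, OWNER_A, NULL)
                       : !get_page_racy(&frame, OWNER_A, NULL);
}

int main(void)
{
    printf("atomic get_page, kill in window: corrupted=%d\n", run_scenario(true));    /* 0 */
    printf("two-step get_page, kill in window: corrupted=%d\n", run_scenario(false)); /* 1 */
    return 0;
}
```

The model shows why the distinction matters: when the frame has already changed hands before the copy looks it up, a plain owner check is enough, but when the reassignment lands between the check and the increment, only the single compare-exchange over owner and count together notices it. Whether real Xen's get_page has the two-step shape or the atomic one is exactly the question left open in the exchange above; the model does not settle it.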
