Re: [Xen-devel] shadow2 corrupting PV guest state

You (Keir.Fraser) said:
>>> True, but we don't look at nd unless the page is allocated...
>>   Between domain_relinquish_resources() in domain_kill() and
>> shadow_final_teadown() in domain_destroy(), nd might be looked
>> with gnttab_copy(), I think.
> Domain_destroy() is only called when the domain refcnt reaches zero. This
> can only happen when all its page refcnts have reached zero. When a page's
> refcnt reaches zero, get_page() no longer succeeds on it. So there is no
> race between gnttab_copy() and domain_destroy().

  I see.

  I want to confirm that...

  In free_domheap_pages(), if the page counts of each section are zero,
then the domain refcount is decreased. Finally the domain refcount reaches zero,
and domain_destroy() is called.

  On the other hand, get_page checks the page count like below...

        if ( unlikely((x & PGC_count_mask) == 0) ||  /* Not allocated? */
             unlikely((nx & PGC_count_mask) == 0) || /* Count overflow? */
             unlikely(d != _domain) )                /* Wrong owner? */

  Thus, get_page can't succeed on it.

  Is my understanding right?

- Tsunehisa Doi
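A small C model of the refcount argument in the mail above (an added example, not Xen source; the structs, PGC_count_mask value and the put_page/put_domain chain are simplified stand-ins for the hypervisor's own):

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified single-threaded model (added example, not Xen source):
 * the page refcount lives in the low bits of count_info. */
#define PGC_count_mask 0x0fffffffUL

struct domain    { int refcnt; bool destroyed; };
struct page_info { unsigned long count_info; struct domain *owner; };

static void domain_destroy(struct domain *d) { d->destroyed = true; }
/* Domain refcount hits zero -> domain_destroy(), as in the thread. */
static void put_domain(struct domain *d) { if (--d->refcnt == 0) domain_destroy(d); }

/* Mirrors the three checks quoted in the mail. Real get_page() retries this
 * in a cmpxchg loop; this model just tests and updates. */
bool get_page(struct page_info *page, struct domain *d)
{
    unsigned long x = page->count_info, nx = x + 1;
    if ((x & PGC_count_mask) == 0 ||      /* Not allocated? */
        (nx & PGC_count_mask) == 0 ||     /* Count overflow? */
        page->owner != d)                 /* Wrong owner? */
        return false;
    page->count_info = nx;
    return true;
}

/* Last page ref gone -> page freed -> the page's domain ref is dropped
 * (stands in for put_page() -> free_domheap_pages() -> put_domain()). */
void put_page(struct page_info *page)
{
    if ((--page->count_info & PGC_count_mask) == 0)
        put_domain(page->owner);
}
/* Walks the sequence from the mail; returns how many expectations held (5 = all). */
int run_scenario(void)
{
    struct domain d = { 1, false }, other = { 1, false };  /* d's ref held by pg */
    struct page_info pg = { 1, &d };                        /* allocated, one ref */
    int ok = 0;
    ok += get_page(&pg, &d);        /* live page, right owner: succeeds (count 2) */
    ok += !get_page(&pg, &other);   /* wrong owner: refused */
    put_page(&pg); put_page(&pg);   /* count 0 -> put_domain -> domain_destroy */
    ok += d.destroyed;
    ok += !get_page(&pg, &d);       /* freed page: count bits are zero, refused */
    pg.count_info = PGC_count_mask; pg.owner = &other;     /* saturated count */
    ok += !get_page(&pg, &other);   /* overflow check refuses it */
    return ok;
}

int main(void) { printf("expectations met: %d/5\n", run_scenario()); return 0; }
```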

