changeset: 23905:50ee6be56460 user: Olaf Hering date: Thu Oct 06 12:33:17 2011 +0100 files: xen/arch/x86/mm/p2m.c description: xenpaging: fix locking in p2m_mem_paging functions As suggested by , query and adjust the p2mt under the p2m_lock to prevent races with PoD. Signed-off-by: Olaf Hering Acked-by: Tim Deegan Committed-by: Tim Deegan
---
 xen/arch/x86/mm/p2m.c | 42 ++++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 16 deletions(-)
Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
===================================================================
--- xen-4.1.2-testing.orig/xen/arch/x86/mm/p2m.c
+++ xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
@@ -2843,6 +2843,8 @@ int p2m_mem_paging_nominate(struct p2m_d
     mfn_t mfn;
     int ret;
 
+    p2m_lock(p2m);
+
     mfn = p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
 
     /* Check if mfn is valid */
@@ -2869,14 +2871,12 @@ int p2m_mem_paging_nominate(struct p2m_d
         goto out;
 
     /* Fix p2m entry */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, mfn, 0, p2m_ram_paging_out, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
-
     ret = 0;
 
  out:
+    p2m_unlock(p2m);
     return ret;
 }
 
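Review bot: The new lock discipline in p2m_mem_paging_nominate — p2m_lock() taken at function entry and released only at the single `out:` label — is not stated anywhere in the function, and the same shape is introduced in p2m_mem_paging_evict and p2m_mem_paging_prep below. Every error path between the two hunks is now required to `goto out` rather than `return`; those checks are outside this view, so their conformance cannot be confirmed here. A comment above the new lock call, `/* Held until out:; error paths after this point must goto out, not return */`, would keep a later early return from leaking the lock and would document the change for the other two functions as well.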
@@ -2887,30 +2887,31 @@ int p2m_mem_paging_evict(struct p2m_doma
     p2m_access_t a;
     mfn_t mfn;
     struct domain *d = p2m->domain;
+    int ret = -EINVAL;
+
+    p2m_lock(p2m);
 
     /* Get mfn */
     mfn = p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
     if ( unlikely(!mfn_valid(mfn)) )
-        return -EINVAL;
+        goto out;
 
     if ( (p2mt == p2m_ram_paged) || (p2mt == p2m_ram_paging_in) ||
          (p2mt == p2m_ram_paging_in_start) )
-        return -EINVAL;
+        goto out;
 
     /* Get the page so it doesn't get modified under Xen's feet */
     page = mfn_to_page(mfn);
     if ( unlikely(!get_page(page, d)) )
-        return -EINVAL;
+        goto out;
 
     /* Decrement guest domain's ref count of the page */
     if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
         put_page(page);
 
     /* Remove mapping from p2m table */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, _mfn(PAGING_MFN), 0, p2m_ram_paged, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
 
     /* Put the page back so it gets freed */
     put_page(page);
@@ -2918,7 +2919,11 @@ int p2m_mem_paging_evict(struct p2m_doma
     /* Track number of paged gfns */
     atomic_inc(&p2m->domain->paged_pages);
 
-    return 0;
+    ret = 0;
+
+ out:
+    p2m_unlock(p2m);
+    return ret;
 }
 
 void p2m_mem_paging_drop_page(struct p2m_domain *p2m, unsigned long gfn)
@@ -2958,14 +2963,14 @@ void p2m_mem_paging_populate(struct p2m_
     /* Fix p2m mapping */
     /* XXX: It seems inefficient to have this here, as it's only needed
      * in one case (ept guest accessing paging out page) */
+    p2m_lock(p2m);
     p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
     if ( p2mt == p2m_ram_paged )
     {
-        p2m_lock(p2m);
         set_p2m_entry(p2m, gfn, _mfn(PAGING_MFN), 0, p2m_ram_paging_in_start, a);
         audit_p2m(p2m, 1);
-        p2m_unlock(p2m);
     }
+    p2m_unlock(p2m);
 
     /* Pause domain */
     if ( v->domain->domain_id == d->domain_id )
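Review bot: In the first p2m_mem_paging_evict hunk the closing `put_page(page)`, which the existing comment says is what lets the page be freed, now runs inside the p2m_lock critical section, as do `get_page` and the `_PGC_allocated` drop. If the free path takes a lock that elsewhere nests outside the p2m lock this is an ordering hazard; the PoD code this commit guards against presumably already frees under the same lock, so it is likely acceptable, but it deserves to be stated. A comment on that line, `/* May free the page; runs with p2m_lock held */`, would record the assumption for whoever next touches the allocator or PoD lock order. The function's signature and the declaration of `page` are outside the hunk.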
@@ -2993,22 +2998,27 @@ int p2m_mem_paging_prep(struct p2m_domai
     struct page_info *page;
     p2m_type_t p2mt;
     p2m_access_t a;
+    int ret = -ENOMEM;
+
+    p2m_lock(p2m);
 
     p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
+
     /* Get a free page */
     page = alloc_domheap_page(p2m->domain, 0);
     if ( unlikely(page == NULL) )
-        return -ENOMEM;
+        goto out;
 
     /* Fix p2m mapping */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, page_to_mfn(page), 0, p2m_ram_paging_in, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
 
     atomic_dec(&p2m->domain->paged_pages);
 
-    return 0;
+    ret = 0;
+ out:
+    p2m_unlock(p2m);
+    return ret;
 }
 
 void p2m_mem_paging_resume(struct p2m_domain *p2m)
@@ -3025,8 +3035,8 @@ void p2m_mem_paging_resume(struct p2m_do
     /* Fix p2m entry if the page was not dropped */
     if ( !(rsp.flags & MEM_EVENT_FLAG_DROP_PAGE) )
     {
-        mfn = p2m->get_entry(p2m, rsp.gfn, &p2mt, &a, p2m_query);
         p2m_lock(p2m);
+        mfn = p2m->get_entry(p2m, rsp.gfn, &p2mt, &a, p2m_query);
         set_p2m_entry(p2m, rsp.gfn, mfn, 0, p2m_ram_rw, a);
         set_gpfn_from_mfn(mfn_x(mfn), rsp.gfn);
         audit_p2m(p2m, 1);
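Review bot: p2m_mem_paging_prep now queries the entry under p2m_lock, but the `p2mt` it reads is never examined before `set_p2m_entry` overwrites the entry with p2m_ram_paging_in, so holding the lock does not yet protect against the entry having changed type (dropped, or never paged out) between populate and prep. The populate hunk above moves p2m_ram_paged to p2m_ram_paging_in_start, so a guard right after the query along the lines of `if ( p2mt != p2m_ram_paging_in_start && p2mt != p2m_ram_paged ) { ret = -EINVAL; goto out; }` looks like the missing check; the exact set of acceptable states should be confirmed against the paging state machine before adopting it. Separately, `alloc_domheap_page` is now called with the p2m lock held; if the allocation plays no part in the race being fixed, performing it before `p2m_lock(p2m)` (and freeing it on a failed type check) would shorten the critical section.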
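Review bot: In p2m_mem_paging_resume the `mfn` obtained under the lock is passed straight to `set_p2m_entry` and `set_gpfn_from_mfn` with no `mfn_valid` check and no test of `p2mt`, and `rsp.gfn` — which the MEM_EVENT_FLAG_DROP_PAGE test suggests is the pager's response rather than a value Xen computed — selects which entry is rewritten to p2m_ram_rw. If a response names a gfn that is not currently in p2m_ram_paging_in (the state prep sets), this installs an unchecked mapping; wrapping the three update calls in `if ( mfn_valid(mfn) && p2mt == p2m_ram_paging_in )` would mirror the `p2m_ram_paged` test populate already makes, with the expected state confirmed against prep. The remainder of the function, including where rsp is read and where the lock is dropped, is outside the hunk.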