xen/23905-xenpaging_fix_locking_in_p2m_mem_paging_functions.patch

changeset:   23905:50ee6be56460
user:        Olaf Hering <olaf@aepfle.de>
date:        Thu Oct 06 12:33:17 2011 +0100
files:       xen/arch/x86/mm/p2m.c
description:
xenpaging: fix locking in p2m_mem_paging functions

As suggested by <hongkaixing@huawei.com>, query and adjust the p2mt
under the p2m_lock to prevent races with PoD.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Acked-by: Tim Deegan <tim@xen.org>
Committed-by: Tim Deegan <tim@xen.org>


---
 xen/arch/x86/mm/p2m.c |   42 ++++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 16 deletions(-)

Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
===================================================================
--- xen-4.1.2-testing.orig/xen/arch/x86/mm/p2m.c
+++ xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
@@ -2843,6 +2843,8 @@ int p2m_mem_paging_nominate(struct p2m_d
     mfn_t mfn;
     int ret;
 
+    p2m_lock(p2m);
+
     mfn = p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
 
     /* Check if mfn is valid */
@@ -2869,14 +2871,12 @@ int p2m_mem_paging_nominate(struct p2m_d
         goto out;
 
     /* Fix p2m entry */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, mfn, 0, p2m_ram_paging_out, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
-
     ret = 0;
 
  out:
+    p2m_unlock(p2m);
     return ret;
 }
 
@@ -2887,30 +2887,31 @@ int p2m_mem_paging_evict(struct p2m_doma
     p2m_access_t a;
     mfn_t mfn;
     struct domain *d = p2m->domain;
+    int ret = -EINVAL;
+
+    p2m_lock(p2m);
 
     /* Get mfn */
     mfn = p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
     if ( unlikely(!mfn_valid(mfn)) )
-        return -EINVAL;
+        goto out;
 
     if ( (p2mt == p2m_ram_paged) || (p2mt == p2m_ram_paging_in) ||
          (p2mt == p2m_ram_paging_in_start) )
-        return -EINVAL;
+        goto out;
 
     /* Get the page so it doesn't get modified under Xen's feet */
     page = mfn_to_page(mfn);
     if ( unlikely(!get_page(page, d)) )
-        return -EINVAL;
+        goto out;
 
     /* Decrement guest domain's ref count of the page */
     if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
         put_page(page);
 
     /* Remove mapping from p2m table */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, _mfn(PAGING_MFN), 0, p2m_ram_paged, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
 
     /* Put the page back so it gets freed */
     put_page(page);
@@ -2918,7 +2919,11 @@ int p2m_mem_paging_evict(struct p2m_doma
     /* Track number of paged gfns */
     atomic_inc(&p2m->domain->paged_pages);
 
-    return 0;
+    ret = 0;
+
+ out:
+    p2m_unlock(p2m);
+    return ret;
 }
 
 void p2m_mem_paging_drop_page(struct p2m_domain *p2m, unsigned long gfn)
@@ -2958,14 +2963,14 @@ void p2m_mem_paging_populate(struct p2m_
     /* Fix p2m mapping */
     /* XXX: It seems inefficient to have this here, as it's only needed
      *      in one case (ept guest accessing paging out page) */
+    p2m_lock(p2m);
     p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
     if ( p2mt == p2m_ram_paged )
     {
-        p2m_lock(p2m);
         set_p2m_entry(p2m, gfn, _mfn(PAGING_MFN), 0, p2m_ram_paging_in_start, a);
         audit_p2m(p2m, 1);
-        p2m_unlock(p2m);
     }
+    p2m_unlock(p2m);
 
     /* Pause domain */
     if ( v->domain->domain_id == d->domain_id )
@@ -2993,22 +2998,27 @@ int p2m_mem_paging_prep(struct p2m_domai
     struct page_info *page;
     p2m_type_t p2mt;
     p2m_access_t a;
+    int ret = -ENOMEM;
+
+    p2m_lock(p2m);
 
     p2m->get_entry(p2m, gfn, &p2mt, &a, p2m_query);
+
     /* Get a free page */
     page = alloc_domheap_page(p2m->domain, 0);
     if ( unlikely(page == NULL) )
-        return -ENOMEM;
+        goto out;
 
     /* Fix p2m mapping */
-    p2m_lock(p2m);
     set_p2m_entry(p2m, gfn, page_to_mfn(page), 0, p2m_ram_paging_in, a);
     audit_p2m(p2m, 1);
-    p2m_unlock(p2m);
 
     atomic_dec(&p2m->domain->paged_pages);
 
-    return 0;
+    ret = 0;
+ out:
+    p2m_unlock(p2m);
+    return ret;
 }
 
 void p2m_mem_paging_resume(struct p2m_domain *p2m)
@@ -3025,8 +3035,8 @@ void p2m_mem_paging_resume(struct p2m_do
     /* Fix p2m entry if the page was not dropped */
     if ( !(rsp.flags & MEM_EVENT_FLAG_DROP_PAGE) )
     {
-        mfn = p2m->get_entry(p2m, rsp.gfn, &p2mt, &a, p2m_query);
         p2m_lock(p2m);
+        mfn = p2m->get_entry(p2m, rsp.gfn, &p2mt, &a, p2m_query);
         set_p2m_entry(p2m, rsp.gfn, mfn, 0, p2m_ram_rw, a);
         set_gpfn_from_mfn(mfn_x(mfn), rsp.gfn);
         audit_p2m(p2m, 1);