direct-io.hg

changeset 15469:936aa542053d

find changesets by author, revision, files, or words in the commit message
[HVM] Shadow: avoid xen crash if guest uses special memory for pagetables
(just crash the guest and don't do any more PTE propagations).
Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>
author Tim Deegan <Tim.Deegan@xensource.com>
date Thu Jul 05 14:46:13 2007 +0100 (2007-07-05)
parents d54d47fc8c6c
children b01225c94f83
files xen/arch/x86/mm/shadow/common.c xen/arch/x86/mm/shadow/multi.c
line diff
     1.1 --- a/xen/arch/x86/mm/shadow/common.c	Thu Jul 05 10:19:25 2007 +0100
     1.2 +++ b/xen/arch/x86/mm/shadow/common.c	Thu Jul 05 14:46:13 2007 +0100
     1.3 @@ -506,7 +506,9 @@ void shadow_promote(struct vcpu *v, mfn_
     1.4      ASSERT(mfn_valid(gmfn));
     1.5  
     1.6      /* We should never try to promote a gmfn that has writeable mappings */
     1.7 -    ASSERT(sh_remove_write_access(v, gmfn, 0, 0) == 0);
     1.8 +    ASSERT((page->u.inuse.type_info & PGT_type_mask) != PGT_writable_page
     1.9 +           || (page->u.inuse.type_info & PGT_count_mask) == 0
    1.10 +           || v->domain->is_shutting_down);
    1.11  
    1.12      /* Is the page already shadowed? */
    1.13      if ( !test_and_set_bit(_PGC_page_table, &page->count_info) )
    1.14 @@ -1850,11 +1852,12 @@ int sh_remove_write_access(struct vcpu *
    1.15      perfc_incr(shadow_writeable_bf);
    1.16      hash_foreach(v, callback_mask, callbacks, gmfn);
    1.17  
    1.18 -    /* If that didn't catch the mapping, something is very wrong */
    1.19 +    /* If that didn't catch the mapping, then there's some non-pagetable
    1.20 +     * mapping -- ioreq page, grant mapping, &c. */
    1.21      if ( (mfn_to_page(gmfn)->u.inuse.type_info & PGT_count_mask) != 0 )
    1.22      {
    1.23 -        SHADOW_ERROR("can't find all writeable mappings of mfn %lx: "
    1.24 -                      "%lu left\n", mfn_x(gmfn),
    1.25 +        SHADOW_ERROR("can't remove write access to mfn %lx: guest has "
    1.26 +                      "%lu special-use mappings of it\n", mfn_x(gmfn),
    1.27                        (mfn_to_page(gmfn)->u.inuse.type_info&PGT_count_mask));
    1.28          domain_crash(v->domain);
    1.29      }

     2.1 --- a/xen/arch/x86/mm/shadow/multi.c	Thu Jul 05 10:19:25 2007 +0100
     2.2 +++ b/xen/arch/x86/mm/shadow/multi.c	Thu Jul 05 14:46:13 2007 +0100
     2.3 @@ -2719,10 +2719,21 @@ static int sh_page_fault(struct vcpu *v,
     2.4                     
     2.5      if ( guest_walk_tables(v, va, &gw, 1) != 0 )
     2.6      {
     2.7 -        SHADOW_PRINTK("malformed guest pagetable!");
     2.8 +        SHADOW_PRINTK("malformed guest pagetable\n");
     2.9          print_gw(&gw);
    2.10      }
    2.11  
    2.12 +    /* It's possible that the guest has put pagetables in memory that it has 
    2.13 +     * already used for some special purpose (ioreq pages, or granted pages).
    2.14 +     * If that happens we'll have killed the guest already but it's still not 
    2.15 +     * safe to propagate entries out of the guest PT so get out now. */
    2.16 +    if ( unlikely(d->is_shutting_down) )
    2.17 +    {
    2.18 +        SHADOW_PRINTK("guest is shutting down\n");
    2.19 +        shadow_unlock(d);
    2.20 +        return 0;
    2.21 +    }
    2.22 +
    2.23      sh_audit_gw(v, &gw);
    2.24  
    2.25      // We do not look at the gw->l1e, as that will not exist for superpages.