KVM MMU: fix kvm_mmu_zap_page() and its calling path
in [Kernel]
|
Prev: frv: remove "struct file *" argument from sysctl ->proc_handler
Next: KVM MMU: optimize/cleanup for marking parent unsync
From: Xiao Guangrong on 12 Apr 2010 08:30 Avi Kivity wrote: > On 04/12/2010 12:22 PM, Xiao Guangrong wrote: >> Hi Avi, >> >> Avi Kivity wrote: > But kvm_mmu_zap_page() will only destroy sp == tpos == pos; n points at > pos->next already, so it's safe. > kvm_mmu_zap_page(sp) not only zaps sp but also zaps all sp's unsync children pages, if n is just sp's unsyc child, just at the same hlist and just behind sp, it will crash. :-) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Avi Kivity on 12 Apr 2010 08:50 On 04/12/2010 03:22 PM, Xiao Guangrong wrote: > >> But kvm_mmu_zap_page() will only destroy sp == tpos == pos; n points at >> pos->next already, so it's safe. >> >> > kvm_mmu_zap_page(sp) not only zaps sp but also zaps all sp's unsync children > pages, if n is just sp's unsyc child, just at the same hlist and just behind sp, > it will crash. :-) > Ouch. I see now, thanks for explaining. One way to fix it is to make kvm_mmu_zap_page() only zap the page it is given, and use sp->role.invalid on its children. But it's better to fix it now quickly and do the more involved fixes later. Just change the assignment to a 'goto restart;' please, I don't like playing with list_for_each internals. -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Marcelo Tosatti on 12 Apr 2010 13:20 On Mon, Apr 12, 2010 at 04:01:09PM +0800, Xiao Guangrong wrote: > - calculate zapped page number properly in mmu_zap_unsync_children() > - calculate freeed page number properly kvm_mmu_change_mmu_pages() > - restart list walking if have children page zapped > > Signed-off-by: Xiao Guangrong <xiaoguangrong(a)cn.fujitsu.com> > --- > arch/x86/kvm/mmu.c | 7 ++++--- > 1 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c > index a23ca75..8f4f781 100644 > --- a/arch/x86/kvm/mmu.c > +++ b/arch/x86/kvm/mmu.c > @@ -1483,8 +1483,8 @@ static int mmu_zap_unsync_children(struct kvm *kvm, > for_each_sp(pages, sp, parents, i) { > kvm_mmu_zap_page(kvm, sp); > mmu_pages_clear_parents(&parents); > + zapped++; > } > - zapped += pages.nr; > kvm_mmu_pages_init(parent, &parents, &pages); > } Don't see why this is needed? The for_each_sp loop uses pvec.nr. > @@ -1540,7 +1540,7 @@ void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages) > > page = container_of(kvm->arch.active_mmu_pages.prev, > struct kvm_mmu_page, link); > - kvm_mmu_zap_page(kvm, page); > + used_pages -= kvm_mmu_zap_page(kvm, page); > used_pages--; > } > kvm->arch.n_free_mmu_pages = 0; Oops. > @@ -1589,7 +1589,8 @@ static void mmu_unshadow(struct kvm *kvm, gfn_t gfn) > && !sp->role.invalid) { > pgprintk("%s: zap %lx %x\n", > __func__, gfn, sp->role.word); > - kvm_mmu_zap_page(kvm, sp); > + if (kvm_mmu_zap_page(kvm, sp)) > + nn = bucket->first; Oops 2. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Xiao Guangrong on 12 Apr 2010 21:40 Marcelo Tosatti wrote: >> @@ -1483,8 +1483,8 @@ static int mmu_zap_unsync_children(struct kvm *kvm, >> for_each_sp(pages, sp, parents, i) { >> kvm_mmu_zap_page(kvm, sp); >> mmu_pages_clear_parents(&parents); >> + zapped++; >> } >> - zapped += pages.nr; >> kvm_mmu_pages_init(parent, &parents, &pages); >> } > > Don't see why this is needed? The for_each_sp loop uses pvec.nr. I think mmu_zap_unsync_children() should return the number of zapped pages then we can adjust the number of free pages in kvm_mmu_change_mmu_pages(), but pages.nr no only includes the unsync/zapped pages but also includes their parents. Thanks, Xiao -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Marcelo Tosatti on 13 Apr 2010 11:20
On Tue, Apr 13, 2010 at 09:34:14AM +0800, Xiao Guangrong wrote: > > > Marcelo Tosatti wrote: > > >> @@ -1483,8 +1483,8 @@ static int mmu_zap_unsync_children(struct kvm *kvm, > >> for_each_sp(pages, sp, parents, i) { > >> kvm_mmu_zap_page(kvm, sp); > >> mmu_pages_clear_parents(&parents); > >> + zapped++; > >> } > >> - zapped += pages.nr; > >> kvm_mmu_pages_init(parent, &parents, &pages); > >> } > > > > Don't see why this is needed? The for_each_sp loop uses pvec.nr. > > I think mmu_zap_unsync_children() should return the number of zapped pages then we > can adjust the number of free pages in kvm_mmu_change_mmu_pages(), but pages.nr no > only includes the unsync/zapped pages but also includes their parents. Oh i see. I think its safer to check for list_empty then to rely on proper accounting there, like __kvm_mmu_free_some_pages does. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |