Xen project Mailing List

Re: [PATCH v2 2/6] x86/mem-paging: correct p2m_mem_paging_prep()'s error handling

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 15 May 2020 15:40:21 +0100

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@xxxxxxxxxx; spf=Pass smtp.mailfrom=Andrew.Cooper3@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx; dmarc=pass (p=none dis=none) d=citrix.com

Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Fri, 15 May 2020 14:40:49 +0000

Ironport-sdr: 8jnWG1/uxZLjiG6AJmZB7EEE6+XYIEJgiNuiUD7Y4Gjiz112IOVD6a8Vl7Y6Y8JUwUkb7ZGbZv PJgZZPWQyq2N/1BLXFkcU9Alwa4CcizyQux2+5FYVg3y4AqjANPlDmiwrxqkHIVEWaUevE/77q 00sTujf4+kdgqFq5Ajb4oo2nxoKDzRof2JHjJQhgkleewfiRIwk+zFKR8nAQWQ1GP+sYqDrhXi wIZ20pIkKHcVdCebqICXWYYTmE1iTh35YtEqqxEfyvZ5nS+b54czsUdQENr9m1gs5eUtQWc0cG Qu4=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 23/04/2020 09:37, Jan Beulich wrote: > Communicating errors from p2m_set_entry() to the caller is not enough: > Neither the M2P nor the stats updates should occur in such a case. "neither". Following a colon/semicolon isn't the start of a new sentence. > Instead the allocated page needs to be freed again; for cleanliness > reasons also properly take into account _PGC_allocated there. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > > --- a/xen/arch/x86/mm/p2m.c > +++ b/xen/arch/x86/mm/p2m.c > @@ -1781,7 +1781,7 @@ void p2m_mem_paging_populate(struct doma > */ > int p2m_mem_paging_prep(struct domain *d, unsigned long gfn_l, uint64_t > buffer) > { > - struct page_info *page; > + struct page_info *page = NULL; > p2m_type_t p2mt; > p2m_access_t a; > gfn_t gfn = _gfn(gfn_l); > @@ -1816,9 +1816,19 @@ int p2m_mem_paging_prep(struct domain *d > goto out; > /* Get a free page */ > ret = -ENOMEM; > - page = alloc_domheap_page(p2m->domain, 0); > + page = alloc_domheap_page(d, 0); > if ( unlikely(page == NULL) ) > goto out; > + if ( unlikely(!get_page(page, d)) ) > + { > + /* > + * The domain can't possibly know about this page yet, so failure > + * here is a clear indication of something fishy going on. > + */ This needs a gprintk(XENLOG_ERR, ...) of some form. (which also reminds me that I *still* need to finish my patch forcing everyone to provide something to qualify the domain crash, so release builds of Xen get some hint as to what went on or why.) > + domain_crash(d); > + page = NULL; > + goto out; > + } > mfn = page_to_mfn(page); > page_extant = 0; > > @@ -1832,7 +1842,6 @@ int p2m_mem_paging_prep(struct domain *d > "Failed to load paging-in gfn %lx Dom%d bytes left > %d\n", > gfn_l, d->domain_id, ret); > ret = -EFAULT; > - put_page(page); /* Don't leak pages */ > goto out; > } > } > @@ -1843,13 +1852,24 @@ int p2m_mem_paging_prep(struct domain *d > ret = p2m_set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, > paging_mode_log_dirty(d) ? p2m_ram_logdirty > : p2m_ram_rw, a); > - set_gpfn_from_mfn(mfn_x(mfn), gfn_l); > + if ( !ret ) > + { > + set_gpfn_from_mfn(mfn_x(mfn), gfn_l); > > - if ( !page_extant ) > - atomic_dec(&d->paged_pages); > + if ( !page_extant ) > + atomic_dec(&d->paged_pages); > + } > > out: > gfn_unlock(p2m, gfn, 0); > + > + if ( page ) > + { > + if ( ret ) > + put_page_alloc_ref(page); > + put_page(page); This is a very long way from clear enough to follow, and buggy if anyone inserts a new goto out path. ~Andrew > + } > + > return ret; > } > >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.