authorAndres Lagar-Cavilla <andres@lagarcavilla.org>2012-02-16 15:43:02 +0000
committerAndres Lagar-Cavilla <andres@lagarcavilla.org>2012-02-16 15:43:02 +0000
commit64f9219d68f5c28af469bce8ec27cfaef07b9011 (patch)
tree7b1dca6eca582fb8a74a622fa64e3069f1e1c6da /xen/common/memory.c
parentaab3d7142016948afb21e260a89a1c879b0c3ca7 (diff)
x86/mm: Fix more ballooning+paging and ballooning+sharing bugs
If the guest balloons away a page that has been nominated for paging but not yet paged out, we fix: - Send EVICT_FAIL flag in the event to the pager - Do not leak the underlying page If the page was shared, we were not: - properly refreshing the mfn to balloon after the unshare. - unlocking the p2m on the error exit case Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org> Acked-by: Tim Deegan <tim@xen.org> Committed-by: Tim Deegan <tim@xen.org>
Diffstat (limited to 'xen/common/memory.c')
-rw-r--r--xen/common/memory.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 781053d00c..e0976b1f08 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -167,6 +167,15 @@ int guest_remove_page(struct domain *d, unsigned long gmfn)
{
guest_physmap_remove_page(d, gmfn, mfn, 0);
put_gfn(d, gmfn);
+ /* If the page hasn't yet been paged out, there is an
+ * actual page that needs to be released. */
+ if ( p2mt == p2m_ram_paging_out )
+ {
+ ASSERT(mfn_valid(mfn));
+ page = mfn_to_page(mfn);
+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+ put_page(page);
+ }
p2m_mem_paging_drop_page(d, gmfn, p2mt);
return 1;
}
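Review bot: In the new `p2m_ram_paging_out` branch, `ASSERT(mfn_valid(mfn))` is the only validity check before `mfn_to_page(mfn)` and `test_and_clear_bit(_PGC_allocated, &page->count_info)`. If ASSERT compiles out in non-debug builds, as it normally does in Xen, an unexpected mfn in this guest-triggerable balloon path would reach the bit operation on a bogus `struct page_info`. A runtime guard would fail safe, for example `if ( p2mt == p2m_ram_paging_out && mfn_valid(mfn) )`. The release also runs after `put_gfn(d, gmfn)`, so the comment should say why touching the page after dropping the gfn reference is safe, presumably because `guest_physmap_remove_page()` has already removed the mapping. The enclosing function starts and ends outside this hunk.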
@@ -181,7 +190,6 @@ int guest_remove_page(struct domain *d, unsigned long gmfn)
return 0;
}
- page = mfn_to_page(mfn);
#ifdef CONFIG_X86_64
if ( p2m_is_shared(p2mt) )
{
@@ -190,10 +198,17 @@ int guest_remove_page(struct domain *d, unsigned long gmfn)
* need to trigger proper cleanup. Once done, this is
* like any other page. */
if ( mem_sharing_unshare_page(d, gmfn, 0) )
+ {
+ put_gfn(d, gmfn);
return 0;
+ }
+ /* Maybe the mfn changed */
+ mfn = mfn_x(get_gfn_query_unlocked(d, gmfn, &p2mt));
+ ASSERT(!p2m_is_shared(p2mt));
}
#endif /* CONFIG_X86_64 */
+ page = mfn_to_page(mfn);
if ( unlikely(!get_page(page, d)) )
{
put_gfn(d, gmfn);
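Review bot: After the refresh `mfn = mfn_x(get_gfn_query_unlocked(d, gmfn, &p2mt));`, the new mfn goes straight into `page = mfn_to_page(mfn)` without being re-validated. The only new check, `ASSERT(!p2m_is_shared(p2mt))`, is presumably debug-only. Any earlier `mfn_valid()` test sits outside this hunk and would have applied to the pre-unshare value, so a re-check is worth adding inside the shared branch: `if ( unlikely(!mfn_valid(mfn)) ) { put_gfn(d, gmfn); return 0; }`. The comment `/* Maybe the mfn changed */` could also state the reason, e.g. `/* Unsharing may have replaced the backing page; re-read mfn and type. */`, and note why the unlocked query is sufficient here. The function body continues past the end of the hunk.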