On Wed, Aug 22, 2012 at 11:51:17AM +0800, Xiao Guangrong wrote: > Hmm, in KSM code, i found this code in replace_page: > > set_pte_at_notify(mm, addr, ptep, mk_pte(kpage, vma->vm_page_prot)); > > It is possible to establish a writable pte, no? Hugh already answered this thanks. Further details on the vm_page_prot are in top of mmap.c, and KSM never scans MAP_SHARED vmas. > Unfortunately, all these bugs are triggered by test cases. Sure, I've seen the very Oops for the other one, and this one also can trigger if unlucky. This one can trigger with KVM but only if KSM is enabled or with live migration or with device hotplug or some other event that triggers a fork in qemu. My curiosity about the other one in the exit/unregister/release paths is if it really ever triggered with KVM. Because I can't easily see how it could trigger. By the time kvm_destroy_vm or exit_mmap() runs, no vcpu can be in guest mode anymore, so it cannot matter whatever the status of any leftover spte at that time. The process in the oops certainly wasn't qemu*. This is what I meant in the previous email about this. Of course the fix was certainly good and needed for other mmu notifier users, great fix. Thanks, Andrea -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html