On 08/23/2012 12:37 AM, Andrea Arcangeli wrote:
> On Wed, Aug 22, 2012 at 11:51:17AM +0800, Xiao Guangrong wrote:
>> Hmm, in KSM code, i found this code in replace_page:
>>
>> set_pte_at_notify(mm, addr, ptep, mk_pte(kpage, vma->vm_page_prot));
>>
>> It is possible to establish a writable pte, no?
>
> Hugh already answered this thanks. Further details on the vm_page_prot
> are in top of mmap.c, and KSM never scans MAP_SHARED vmas.
>
Yes, i see that, thank you, Andrea!
>> Unfortunately, all these bugs are triggered by test cases.
>
> Sure, I've seen the very Oops for the other one, and this one also can
> trigger if unlucky.
>
> This one can trigger with KVM but only if KSM is enabled or with live
> migration or with device hotplug or some other event that triggers a
> fork in qemu.
>
> My curiosity about the other one in the exit/unregister/release paths
> is if it really ever triggered with KVM. Because I can't easily see
> how it could trigger. By the time kvm_destroy_vm or exit_mmap() runs,
> no vcpu can be in guest mode anymore, so it cannot matter whatever the
> status of any leftover spte at that time.
>
vcpu is not in guest mode, but the memory can be still hold in KVM MMU.
Consider this case:
CPU 0 CPU 1
create kvm
create vcpu thread
[ Guest is happily running ]
send kill signal to the process
call do_exit
mmput mm
exit_mmap, then
delete mmu_notify
reclaim the memory of these threads
!!!!!!
Now, the page has been reclaimed but
it is still hold in KVM MMU
mmu_notify->release
!!!!!!
delete spte, and call
mark_page_accessed/mark_page_dirty for
the page which has already been freed on CPU 1
exit_files
release kvm/vcpu file, then
kvm and vcpu are destroyed.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
