x86/mm/p2m: Fix locking discipline around p2m lookups.

All gfn_to_mfn* functions except _query() might take the p2m lock,
so can't be called with a p2m, shadow, hap or log_dirty lock held.
The remaining offender is the memory sharing code, which calls
_unshare() from inside the pagetable walker!  Fixing that is too big
for a cleanup patch like this one.

Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>

diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
index ec4a15f23d22612420903507271d78c4054fd7e5..11cfa4b106d120eddab2bad9bd32d2aeb30e3350 100644 (file)
--- a/xen/arch/x86/hvm/mtrr.c
+++ b/xen/arch/x86/hvm/mtrr.c
@@ -390,7 +390,7 @@ uint32_t get_pat_flags(struct vcpu *v,
     {
         struct domain *d = v->domain;
         p2m_type_t p2mt;
-        gfn_to_mfn(d, paddr_to_pfn(gpaddr), &p2mt);
+        gfn_to_mfn_query(d, paddr_to_pfn(gpaddr), &p2mt);
         if (p2m_is_ram(p2mt))
             gdprintk(XENLOG_WARNING,
                     "Conflict occurs for a given guest l1e flags:%x "

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 460fbab9dcca27493ec6685ba0a29fe7b0ab65ac..d42b766271ab7a81f0705fba438f8ac2801455bd 100644 (file)
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -566,7 +566,7 @@ set_mmio_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn)
     if ( 0 == rc )
         gdprintk(XENLOG_ERR,
             "set_mmio_p2m_entry: set_p2m_entry failed! mfn=%08lx\n",
-            mfn_x(gfn_to_mfn(d, gfn, &ot)));
+            mfn_x(gfn_to_mfn_query(d, gfn, &ot)));
     return rc;
 }
 
@@ -623,8 +623,8 @@ set_shared_p2m_entry(struct domain *d, unsigned long gfn, mfn_t mfn)
     p2m_unlock(p2m);
     if ( 0 == rc )
         gdprintk(XENLOG_ERR,
-            "set_mmio_p2m_entry: set_p2m_entry failed! mfn=%08lx\n",
-            gmfn_to_mfn(p2m->domain, gfn));
+            "set_shared_p2m_entry: set_p2m_entry failed! mfn=%08lx\n",
+            mfn_x(gfn_to_mfn_query(d, gfn, &ot)));
     return rc;
 }
 

diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
index 639eb62466294dc6e6366b25bdc6dcbc7b39bf4d..849dec347cff0fd8377b7b8d41617ecac171be55 100644 (file)
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -3712,7 +3712,7 @@ int shadow_track_dirty_vram(struct domain *d,
 
         /* Iterate over VRAM to track dirty bits. */
         for ( i = 0; i < nr; i++ ) {
-            mfn_t mfn = gfn_to_mfn(d, begin_pfn + i, &t);
+            mfn_t mfn = gfn_to_mfn_query(d, begin_pfn + i, &t);
             struct page_info *page;
             int dirty = 0;
             paddr_t sl1ma = dirty_vram->sl1ma[i];
@@ -3797,7 +3797,7 @@ int shadow_track_dirty_vram(struct domain *d,
                 /* was clean for more than two seconds, try to disable guest
                  * write access */
                 for ( i = begin_pfn; i < end_pfn; i++ ) {
-                    mfn_t mfn = gfn_to_mfn(d, i, &t);
+                    mfn_t mfn = gfn_to_mfn_query(d, i, &t);
                     if (mfn_x(mfn) != INVALID_MFN)
                         flush_tlb |= sh_remove_write_access(d->vcpu[0], mfn, 1, 0);
                 }

diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
index 0a2e538cfa24559a36806457fc4a53385b8b5b4b..4b12ea2857467698e095b1e6811e4f1ef47f40d8 100644 (file)
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -411,6 +411,10 @@ static inline mfn_t gfn_to_mfn_type(struct domain *d,
     return gfn_to_mfn_type_p2m(p2m, gfn, t, &a, q);
 }
 
+/* Syntactic sugar: most callers will use one of these. 
+ * N.B. gfn_to_mfn_query() is the _only_ one guaranteed not to take the
+ * p2m lock; none of the others can be called with the p2m, hap or
+ * shadow lock held. */
 #define gfn_to_mfn(d, g, t)         gfn_to_mfn_type((d), (g), (t), p2m_alloc)
 #define gfn_to_mfn_query(d, g, t)   gfn_to_mfn_type((d), (g), (t), p2m_query)
 #define gfn_to_mfn_guest(d, g, t)   gfn_to_mfn_type((d), (g), (t), p2m_guest)