From: Jan Beulich Date: Fri, 1 Feb 2019 10:30:55 +0000 (+0100) Subject: x86/shadow: don't enable shadow mode with too small a shadow allocation X-Git-Tag: archive/raspbian/4.11.1+26-g87f51bf366-3+rpi1~1^2~66^2~11 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=af25f52a06a82789acf91fd98f71c8563919ab0b;p=xen.git x86/shadow: don't enable shadow mode with too small a shadow allocation We've had more than one report of host crashes after failed migration, and in at least one case we've had a hint towards a too far shrunk shadow allocation pool. Instead of just checking the pool for being empty, check whether the pool is smaller than what shadow_set_allocation() would minimally bump it to if it was invoked in the first place. Signed-off-by: Jan Beulich Acked-by: Tim Deegan master commit: 2634b997afabfdc5a972e07e536dfbc6febb4385 master date: 2018-11-30 12:10:39 +0100 --- diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 11d5714317..d2946affe2 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -1219,7 +1219,7 @@ const u8 sh_type_to_size[] = { * allow for more than ninety allocated pages per vcpu. We round that * up to 128 pages, or half a megabyte per vcpu, and add 1 more vcpu's * worth to make sure we never return zero. */ -static unsigned int shadow_min_acceptable_pages(struct domain *d) +static unsigned int shadow_min_acceptable_pages(const struct domain *d) { return (d->max_vcpus + 1) * 128; } @@ -1610,6 +1610,15 @@ shadow_free_p2m_page(struct domain *d, struct page_info *pg) paging_unlock(d); } +static unsigned int sh_min_allocation(const struct domain *d) +{ + /* + * Don't allocate less than the minimum acceptable, plus one page per + * megabyte of RAM (for the p2m table). + */ + return shadow_min_acceptable_pages(d) + (d->tot_pages / 256); +} + int shadow_set_allocation(struct domain *d, unsigned int pages, bool *preempted) { struct page_info *sp; @@ -1625,9 +1634,7 @@ int shadow_set_allocation(struct domain *d, unsigned int pages, bool *preempted) else pages -= d->arch.paging.shadow.p2m_pages; - /* Don't allocate less than the minimum acceptable, plus one page per - * megabyte of RAM (for the p2m table) */ - lower_bound = shadow_min_acceptable_pages(d) + (d->tot_pages / 256); + lower_bound = sh_min_allocation(d); if ( pages < lower_bound ) pages = lower_bound; } @@ -3243,7 +3250,7 @@ int shadow_enable(struct domain *d, u32 mode) /* Init the shadow memory allocation if the user hasn't done so */ old_pages = d->arch.paging.shadow.total_pages; - if ( old_pages == 0 ) + if ( old_pages < sh_min_allocation(d) + d->arch.paging.shadow.p2m_pages ) { paging_lock(d); rv = shadow_set_allocation(d, 1024, NULL); /* Use at least 4MB */