authorKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>2013-03-29 10:20:56 -0400
committerKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>2013-04-02 14:02:23 -0400
commitb22227944b8fe92b19150b4c36421e37979d9a16 (patch)
treec513332fb531df0e3642ca4f7abde28c8e57c40b /arch/x86
parentbee980d9e9642e96351fa3ca9077b853ecf62f57 (diff)
xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[<ffffffff81263f22>] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. 
This patch does solve the problem by flushing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Diffstat (limited to 'arch/x86')
-rw-r--r--arch/x86/xen/mmu.c12
1 files changed, 8 insertions, 4 deletions
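diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
index 6afbb2ca9a0a..a4ea92477e01 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -1748,14 +1748,18 @@ static void *m2v(phys_addr_t maddr)
 }
 
 /* Set the page permissions on an identity-mapped pages */
-static void set_page_prot(void *addr, pgprot_t prot)
+static void set_page_prot_flags(void *addr, pgprot_t prot, unsigned long flags)
 {
 	unsigned long pfn = __pa(addr) >> PAGE_SHIFT;
 	pte_t pte = pfn_pte(pfn, prot);
 
-	if (HYPERVISOR_update_va_mapping((unsigned long)addr, pte, 0))
+	if (HYPERVISOR_update_va_mapping((unsigned long)addr, pte, flags))
 		BUG();
 }
+static void set_page_prot(void *addr, pgprot_t prot)
+{
+	return set_page_prot_flags(addr, prot, UVMF_NONE);
+}
 #ifdef CONFIG_X86_32
 static void __init xen_map_identity_early(pmd_t *pmd, unsigned long max_pfn)
 {
@@ -1839,12 +1843,12 @@ static void __init check_pt_base(unsigned long *pt_base, unsigned long *pt_end,
 				 unsigned long addr)
 {
 	if (*pt_base == PFN_DOWN(__pa(addr))) {
-		set_page_prot((void *)addr, PAGE_KERNEL);
+		set_page_prot_flags((void *)addr, PAGE_KERNEL, UVMF_INVLPG);
 		clear_page((void *)addr);
 		(*pt_base)++;
 	}
 	if (*pt_end == PFN_DOWN(__pa(addr))) {
-		set_page_prot((void *)addr, PAGE_KERNEL);
+		set_page_prot_flags((void *)addr, PAGE_KERNEL, UVMF_INVLPG);
 		clear_page((void *)addr);
 		(*pt_end)--;
 	}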
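Review bot: The two `set_page_prot_flags((void *)addr, PAGE_KERNEL, UVMF_INVLPG)` calls in check_pt_base have no comment explaining why this RO->RW change needs a TLB invalidation while the plain set_page_prot wrapper passes UVMF_NONE, so a later cleanup could fold them back and reintroduce the early-boot write fault. A short comment above the first call would keep the reasoning next to the code, for example `/* Page came from Xen mapped RO; invalidate its TLB entry so clear_page() does not fault on a possibly stale RO translation. */`. The commit message offers the stale-TLB explanation as a theory, which is why the suggested wording says "possibly". Separately, in the first hunk the new wrapper uses `return set_page_prot_flags(addr, prot, UVMF_NONE);` inside a void function, which ISO C does not permit (compilers accept it as an extension). Dropping the `return` and adding a blank line after the preceding `}` would match the surrounding style.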