diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2012-05-08 06:24:08 -0400 |
|---|---|---|
| committer | Avi Kivity <avi@redhat.com> | 2012-05-08 10:54:08 -0400 |
| commit | de6c0b02d4d7bdf2587e679a6ddbb71b7d68bb89 (patch) | |
| tree | d1b7cb647d6282052768c4a1e5a37fb88cd482f5 /arch | |
| parent | 62c49cc976af84cb0ffcb5ec07ee88da1a94e222 (diff) | |
KVM: PPC: Book3S HV: Fix refcounting of hugepages
The H_REGISTER_VPA hcall implementation in HV Power KVM needs to pin some
guest memory pages into host memory so that they can be safely accessed
from usermode. It does this used get_user_pages_fast(). When the VPA is
unregistered, or the VCPUs are cleaned up, these pages are released using
put_page().
However, the get_user_pages() is invoked on the specific memory are of the
VPA which could lie within hugepages. In case the pinned page is huge,
we explicitly find the head page of the compound page before calling
put_page() on it.
At least with the latest kernel, this is not correct. put_page() already
handles finding the correct head page of a compound, and also deals with
various counts on the individual tail page which are important for
transparent huge pages. We don't support transparent hugepages on Power,
but even so, bypassing this count maintenance can lead (when the VM ends)
to a hugepage being released back to the pool with a non-zero mapcount on
one of the tail pages. This can then lead to a bad_page() when the page
is released from the hugepage pool.
This removes the explicit compound_head() call to correct this bug.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Avi Kivity <avi@redhat.com>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/powerpc/kvm/book3s_64_mmu_hv.c | 22 | ||||
| -rw-r--r-- | arch/powerpc/kvm/book3s_hv.c | 2 |
2 files changed, 13 insertions, 11 deletions
diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c index ddc485a529f2..c3beaeef3f60 100644 --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c | |||
| @@ -258,6 +258,8 @@ static long kvmppc_get_guest_page(struct kvm *kvm, unsigned long gfn, | |||
| 258 | !(memslot->userspace_addr & (s - 1))) { | 258 | !(memslot->userspace_addr & (s - 1))) { |
| 259 | start &= ~(s - 1); | 259 | start &= ~(s - 1); |
| 260 | pgsize = s; | 260 | pgsize = s; |
| 261 | get_page(hpage); | ||
| 262 | put_page(page); | ||
| 261 | page = hpage; | 263 | page = hpage; |
| 262 | } | 264 | } |
| 263 | } | 265 | } |
| @@ -281,11 +283,8 @@ static long kvmppc_get_guest_page(struct kvm *kvm, unsigned long gfn, | |||
| 281 | err = 0; | 283 | err = 0; |
| 282 | 284 | ||
| 283 | out: | 285 | out: |
| 284 | if (got) { | 286 | if (got) |
| 285 | if (PageHuge(page)) | ||
| 286 | page = compound_head(page); | ||
| 287 | put_page(page); | 287 | put_page(page); |
| 288 | } | ||
| 289 | return err; | 288 | return err; |
| 290 | 289 | ||
| 291 | up_err: | 290 | up_err: |
| @@ -678,8 +677,15 @@ int kvmppc_book3s_hv_page_fault(struct kvm_run *run, struct kvm_vcpu *vcpu, | |||
| 678 | SetPageDirty(page); | 677 | SetPageDirty(page); |
| 679 | 678 | ||
| 680 | out_put: | 679 | out_put: |
| 681 | if (page) | 680 | if (page) { |
| 682 | put_page(page); | 681 | /* |
| 682 | * We drop pages[0] here, not page because page might | ||
| 683 | * have been set to the head page of a compound, but | ||
| 684 | * we have to drop the reference on the correct tail | ||
| 685 | * page to match the get inside gup() | ||
| 686 | */ | ||
| 687 | put_page(pages[0]); | ||
| 688 | } | ||
| 683 | return ret; | 689 | return ret; |
| 684 | 690 | ||
| 685 | out_unlock: | 691 | out_unlock: |
| @@ -979,6 +985,7 @@ void *kvmppc_pin_guest_page(struct kvm *kvm, unsigned long gpa, | |||
| 979 | pa = *physp; | 985 | pa = *physp; |
| 980 | } | 986 | } |
| 981 | page = pfn_to_page(pa >> PAGE_SHIFT); | 987 | page = pfn_to_page(pa >> PAGE_SHIFT); |
| 988 | get_page(page); | ||
| 982 | } else { | 989 | } else { |
| 983 | hva = gfn_to_hva_memslot(memslot, gfn); | 990 | hva = gfn_to_hva_memslot(memslot, gfn); |
| 984 | npages = get_user_pages_fast(hva, 1, 1, pages); | 991 | npages = get_user_pages_fast(hva, 1, 1, pages); |
| @@ -991,8 +998,6 @@ void *kvmppc_pin_guest_page(struct kvm *kvm, unsigned long gpa, | |||
| 991 | page = compound_head(page); | 998 | page = compound_head(page); |
| 992 | psize <<= compound_order(page); | 999 | psize <<= compound_order(page); |
| 993 | } | 1000 | } |
| 994 | if (!kvm->arch.using_mmu_notifiers) | ||
| 995 | get_page(page); | ||
| 996 | offset = gpa & (psize - 1); | 1001 | offset = gpa & (psize - 1); |
| 997 | if (nb_ret) | 1002 | if (nb_ret) |
| 998 | *nb_ret = psize - offset; | 1003 | *nb_ret = psize - offset; |
| @@ -1003,7 +1008,6 @@ void kvmppc_unpin_guest_page(struct kvm *kvm, void *va) | |||
| 1003 | { | 1008 | { |
| 1004 | struct page *page = virt_to_page(va); | 1009 | struct page *page = virt_to_page(va); |
| 1005 | 1010 | ||
| 1006 | page = compound_head(page); | ||
| 1007 | put_page(page); | 1011 | put_page(page); |
| 1008 | } | 1012 | } |
| 1009 | 1013 | ||
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c index 01294a5099dd..108d1f580177 100644 --- a/arch/powerpc/kvm/book3s_hv.c +++ b/arch/powerpc/kvm/book3s_hv.c | |||
| @@ -1192,8 +1192,6 @@ static void unpin_slot(struct kvm *kvm, int slot_id) | |||
| 1192 | continue; | 1192 | continue; |
| 1193 | pfn = physp[j] >> PAGE_SHIFT; | 1193 | pfn = physp[j] >> PAGE_SHIFT; |
| 1194 | page = pfn_to_page(pfn); | 1194 | page = pfn_to_page(pfn); |
| 1195 | if (PageHuge(page)) | ||
| 1196 | page = compound_head(page); | ||
| 1197 | SetPageDirty(page); | 1195 | SetPageDirty(page); |
| 1198 | put_page(page); | 1196 | put_page(page); |
| 1199 | } | 1197 | } |