aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/virtio
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2012-04-12 09:38:00 -0400
committerMichael S. Tsirkin <mst@redhat.com>2012-04-15 04:51:06 -0400
commit3ccc9372ed0fab33d20f10be3c1efd5776ff5913 (patch)
treec0e0422269e8d340906848e4993d268b8d4170ad /drivers/virtio
parent1a87228f5f1d316002c7c161316f5524592be766 (diff)
virtio_balloon: fix handling of PAGE_SIZE != 4k
As reported by David Gibson, current code handles PAGE_SIZE != 4k completely wrong which can lead to guest memory corruption errors: - page_to_balloon_pfn is wrong: e.g. on system with 64K page size it gives the same pfn value for 16 different pages. - we also need to convert back to linux pfns when we free. - for each linux page we need to tell host about multiple balloon pages, but code only adds one pfn to the array. This patch fixes all that, tested with a 64k ppc64 kernel. Reported-by: David Gibson <david@gibson.dropbear.id.au> Tested-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'drivers/virtio')
-rw-r--r--drivers/virtio/virtio_balloon.c51
1 files changed, 41 insertions, 10 deletions
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index 9e95ca602006..c2d05a8279fd 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -28,6 +28,13 @@
28#include <linux/slab.h> 28#include <linux/slab.h>
29#include <linux/module.h> 29#include <linux/module.h>
30 30
31/*
32 * Balloon device works in 4K page units. So each page is pointed to by
33 * multiple balloon pages. All memory counters in this driver are in balloon
34 * page units.
35 */
36#define VIRTIO_BALLOON_PAGES_PER_PAGE (PAGE_SIZE >> VIRTIO_BALLOON_PFN_SHIFT)
37
31struct virtio_balloon 38struct virtio_balloon
32{ 39{
33 struct virtio_device *vdev; 40 struct virtio_device *vdev;
@@ -42,8 +49,13 @@ struct virtio_balloon
42 /* Waiting for host to ack the pages we released. */ 49 /* Waiting for host to ack the pages we released. */
43 struct completion acked; 50 struct completion acked;
44 51
45 /* The pages we've told the Host we're not using. */ 52 /* Number of balloon pages we've told the Host we're not using. */
46 unsigned int num_pages; 53 unsigned int num_pages;
54 /*
55 * The pages we've told the Host we're not using.
56 * Each page on this list adds VIRTIO_BALLOON_PAGES_PER_PAGE
57 * to num_pages above.
58 */
47 struct list_head pages; 59 struct list_head pages;
48 60
49 /* The array of pfns we tell the Host about. */ 61 /* The array of pfns we tell the Host about. */
@@ -66,7 +78,13 @@ static u32 page_to_balloon_pfn(struct page *page)
66 78
67 BUILD_BUG_ON(PAGE_SHIFT < VIRTIO_BALLOON_PFN_SHIFT); 79 BUILD_BUG_ON(PAGE_SHIFT < VIRTIO_BALLOON_PFN_SHIFT);
68 /* Convert pfn from Linux page size to balloon page size. */ 80 /* Convert pfn from Linux page size to balloon page size. */
69 return pfn >> (PAGE_SHIFT - VIRTIO_BALLOON_PFN_SHIFT); 81 return pfn * VIRTIO_BALLOON_PAGES_PER_PAGE;
82}
83
84static struct page *balloon_pfn_to_page(u32 pfn)
85{
86 BUG_ON(pfn % VIRTIO_BALLOON_PAGES_PER_PAGE);
87 return pfn_to_page(pfn / VIRTIO_BALLOON_PAGES_PER_PAGE);
70} 88}
71 89
72static void balloon_ack(struct virtqueue *vq) 90static void balloon_ack(struct virtqueue *vq)
@@ -96,12 +114,23 @@ static void tell_host(struct virtio_balloon *vb, struct virtqueue *vq)
96 wait_for_completion(&vb->acked); 114 wait_for_completion(&vb->acked);
97} 115}
98 116
117static void set_page_pfns(u32 pfns[], struct page *page)
118{
119 unsigned int i;
120
121 /* Set balloon pfns pointing at this page.
122 * Note that the first pfn points at start of the page. */
123 for (i = 0; i < VIRTIO_BALLOON_PAGES_PER_PAGE; i++)
124 pfns[i] = page_to_balloon_pfn(page) + i;
125}
126
99static void fill_balloon(struct virtio_balloon *vb, size_t num) 127static void fill_balloon(struct virtio_balloon *vb, size_t num)
100{ 128{
101 /* We can only do one array worth at a time. */ 129 /* We can only do one array worth at a time. */
102 num = min(num, ARRAY_SIZE(vb->pfns)); 130 num = min(num, ARRAY_SIZE(vb->pfns));
103 131
104 for (vb->num_pfns = 0; vb->num_pfns < num; vb->num_pfns++) { 132 for (vb->num_pfns = 0; vb->num_pfns < num;
133 vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
105 struct page *page = alloc_page(GFP_HIGHUSER | __GFP_NORETRY | 134 struct page *page = alloc_page(GFP_HIGHUSER | __GFP_NORETRY |
106 __GFP_NOMEMALLOC | __GFP_NOWARN); 135 __GFP_NOMEMALLOC | __GFP_NOWARN);
107 if (!page) { 136 if (!page) {
@@ -113,9 +142,9 @@ static void fill_balloon(struct virtio_balloon *vb, size_t num)
113 msleep(200); 142 msleep(200);
114 break; 143 break;
115 } 144 }
116 vb->pfns[vb->num_pfns] = page_to_balloon_pfn(page); 145 set_page_pfns(vb->pfns + vb->num_pfns, page);
146 vb->num_pages += VIRTIO_BALLOON_PAGES_PER_PAGE;
117 totalram_pages--; 147 totalram_pages--;
118 vb->num_pages++;
119 list_add(&page->lru, &vb->pages); 148 list_add(&page->lru, &vb->pages);
120 } 149 }
121 150
@@ -130,8 +159,9 @@ static void release_pages_by_pfn(const u32 pfns[], unsigned int num)
130{ 159{
131 unsigned int i; 160 unsigned int i;
132 161
133 for (i = 0; i < num; i++) { 162 /* Find pfns pointing at start of each page, get pages and free them. */
134 __free_page(pfn_to_page(pfns[i])); 163 for (i = 0; i < num; i += VIRTIO_BALLOON_PAGES_PER_PAGE) {
164 __free_page(balloon_pfn_to_page(pfns[i]));
135 totalram_pages++; 165 totalram_pages++;
136 } 166 }
137} 167}
@@ -143,11 +173,12 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num)
143 /* We can only do one array worth at a time. */ 173 /* We can only do one array worth at a time. */
144 num = min(num, ARRAY_SIZE(vb->pfns)); 174 num = min(num, ARRAY_SIZE(vb->pfns));
145 175
146 for (vb->num_pfns = 0; vb->num_pfns < num; vb->num_pfns++) { 176 for (vb->num_pfns = 0; vb->num_pfns < num;
177 vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
147 page = list_first_entry(&vb->pages, struct page, lru); 178 page = list_first_entry(&vb->pages, struct page, lru);
148 list_del(&page->lru); 179 list_del(&page->lru);
149 vb->pfns[vb->num_pfns] = page_to_balloon_pfn(page); 180 set_page_pfns(vb->pfns + vb->num_pfns, page);
150 vb->num_pages--; 181 vb->num_pages -= VIRTIO_BALLOON_PAGES_PER_PAGE;
151 } 182 }
152 183
153 /* 184 /*