WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-ia64-devel

[Xen-ia64-devel] [RFC] refcnt countup bug

To: xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-ia64-devel] [RFC] refcnt countup bug
From: Masaki Kanno <kanno.masaki@xxxxxxxxxxxxxx>
Date: Thu, 02 Feb 2006 13:34:40 +0900
List-id: Discussion of the ia64 port of Xen <xen-ia64-devel.lists.xensource.com>
I found a bug regarding updating domain struct's "refcnt", that is,
"refcnt" is incremented 2 times in the following condition.
(I believe it should be incremented only once).
 
 - Hypercall (DOM0_GETMEMLIST) is issued and
 - This is the first memory allocation for that DomU

*** hypercall(dom0_op -> DOM0_GETMEMLIST) start ***

do_dom0_op()                                 |
|                                            |
+->arch_do_dom0_op()                         | refcnt : 1
   |                                         |
   |->find_domain_by_id()                    |
   |  |                                      |
   |  +->get_domain() ------------------------ refcnt 1up
   |                                         |
   |->__gpfn_to_mfn_foreign()                |
   |  |                                      |
   |  +->lookup_domain_mpa()                 |
   |     |                                   | refcnt : 2
   |     +->map_new_domain_page()            |
   |        |                                |
   |        +->alloc_domheap_page(s)()       |
   |           |                             |
   |           +->get_knownalive_domain() ---- refcnt 1up
   |                                         |
   |                                         | refcnt : 3
   |                                         |
   +->put_domain() --------------------------- refcnt 1down
                                             |
                                             | refcnt : 2
                                             |

*** hypercall(dom0_op -> DOM0_GETMEMLIST) end ***

To solve this problem, I propose the following patch. Please
request for comments.

Signed-off-by: Masaki Kanno <kanno.masaki@xxxxxxxxxxxxxx>

Best regards,
 Kan

diff -r 5fcc346d6fe0 xen/arch/ia64/xen/domain.c
--- a/xen/arch/ia64/xen/domain.c        Thu Jan 26 10:31:28 2006
+++ b/xen/arch/ia64/xen/domain.c        Thu Feb  2 12:47:49 2006
@@ -423,9 +423,23 @@
                else
 #endif
                {
-                       p = alloc_domheap_page(d);
-                       // zero out pages for security reasons
-                       if (p) memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                       if (likely(d->tot_pages))
+                       {
+                               p = alloc_domheap_page(d);
+                               // zero out pages for security reasons
+                               if (p) 
memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                       }
+                       else
+                       {
+                               p = alloc_domheap_page(d);
+                               if (p)
+                               {
+                                       // for get_knownalive_domain in 
alloc_domheap_page(s)
+                                       atomic_dec(&d->refcnt);
+                                       // zero out pages for security reasons
+                                       
memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                               }
+                       }
                }
                if (unlikely(!p)) {
 printf("map_new_domain_page: Can't alloc!!!! Aaaargh!\n");
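
Review bot: the else branch decides to call atomic_dec(&d->refcnt) from a d->tot_pages value that was read before alloc_domheap_page(d) ran, and no lock is visible in the hunk across the read and the allocation. If two callers reach this point for the same domain while tot_pages is still zero, both take the else branch and both decrement, although per the comment only the first allocation took the get_knownalive_domain reference; the count then drops one too far and the domain struct can be freed while it is still in use. Please make the decision either from state that alloc_domheap_page itself reports or under the lock that protects tot_pages. Two further points: the raw atomic_dec bypasses put_domain(), so nothing handles the count reaching zero at this site, and the description should say whether the reference taken on the first allocation is meant to be released when the domain's last page is freed, because if it is, this decrement unbalances that path. The alloc_domheap_page and memset calls are also duplicated in both branches; a single allocation followed by a conditional decrement would be easier to read.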

Attachment: refcnt.patch
Description: Binary data
