
[Xen-devel] possible grant table issue



Hello!

Attached is a patch that dumps some debugging output for the block 
interface backend. The reason why I am posting this patch is due to the 
somewhat strange assignments of the handles that are returned from the 
HYPERVISOR_grant_table_op. I am stopping short of saying it's a bug, 
because I don't know the code well enough, but when looking at the 
hypervisor code I see some place where I doubt that this is right. 
Particularly one should try the following:

Create user domains that use the block interfaces.

1st user domain will be assigned handle 0x0. - should be ok
2nd user domain will be assigned handle 0x1. - should be ok
3rd user domain will be assigned handle 0x2. - should be ok

(handle numbers have obviously been increasing so far)

bring down 3rd user domain - freed handle will be 0x2 - should be ok

create 3rd user domain again - will be assigned handle 0x0 - this is not 
what I would expect.

(the code that's causing this is called when handle 0x2 was freed:
static inline void
put_maptrack_handle(
    grant_table_t *t, int handle)
{
    t->maptrack[handle].ref_and_flags = t->maptrack_head << MAPTRACK_REF_SHIFT;
    t->maptrack_head = handle;
                       ^^^^^^
    t->map_count--;
}
)



Now when I look at xen/common/grant_tables.c I see how the handles are 
used in:


static int
__gnttab_map_grant_ref(
    gnttab_map_grant_ref_t *uop,
    unsigned long *va)
{
        [...] // much omitted

    if ( 0 <= ( rc = __gnttab_activate_grant_ref( ld, led, rd, ref,
                                                  dev_hst_ro_flags,
                                                  host_virt_addr, &frame)))
    {
        /*
         * Only make the maptrack live _after_ writing the pte, in case we
         * overwrite the same frame number, causing a maptrack walk to find it
         */
        ld->grant_table->maptrack[handle].domid = dom;
                                  ^^^^^^
        ld->grant_table->maptrack[handle].ref_and_flags
                                  ^^^^^^
            = (ref << MAPTRACK_REF_SHIFT) |
              (dev_hst_ro_flags & MAPTRACK_GNTMAP_MASK);

        (void)__put_user(frame, &uop->dev_bus_addr);

        if ( dev_hst_ro_flags & GNTMAP_host_map )
            *va = host_virt_addr;

        (void)__put_user(handle, &uop->handle);


I think this newly assigned handle of '0' (for the re-created 3rd user 
domain) is overwriting some previously assigned array entry for the first 
user domain. Please someone who knows have a look at this. All this is 
happening in the domain where the blockdevice backend is located.

   Stefan


Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

Attachment: blkif_debug.patch
Description: Binary data
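
Added example, not part of the original mail or of the Xen source: a small C model of the free list that put_maptrack_handle builds, showing which handle a consistent list reissues after a free and how a check on the flag bits catches a handle being reissued while its entry is still live. The allocator side (map_ref), the table size and the values of MAPTRACK_REF_SHIFT and MAPTRACK_GNTMAP_MASK are assumptions made for the model.

```c
#include <stdio.h>
/* Constructed model: names follow the excerpts in the mail, values are assumed. */
#define MAPTRACK_REF_SHIFT   3
#define MAPTRACK_GNTMAP_MASK 7u
#define NR_ENTRIES           4u
typedef struct { unsigned int ref_and_flags; int domid; } maptrack_t;
typedef struct {
    maptrack_t maptrack[NR_ENTRIES];
    unsigned int maptrack_head, maptrack_limit, map_count;
} grant_table_t;
/* Live entries carry flag bits; free entries hold only the next free index. */
static int is_live(const grant_table_t *t, unsigned int h) {
    return (t->maptrack[h].ref_and_flags & MAPTRACK_GNTMAP_MASK) != 0;
}
static void init_table(grant_table_t *t) {
    for (unsigned int i = 0; i < NR_ENTRIES; i++)
        t->maptrack[i].ref_and_flags = (i + 1) << MAPTRACK_REF_SHIFT;
    t->maptrack_head = 0; t->maptrack_limit = NR_ENTRIES; t->map_count = 0;
}
/* Hypothetical allocator plus map step: -1 = list empty, -2 = head entry is live. */
static int map_ref(grant_table_t *t, int dom, unsigned int ref, unsigned int flags) {
    unsigned int h = t->maptrack_head;
    if (h >= t->maptrack_limit) return -1;
    if (is_live(t, h)) return -2;   /* reissuing h would overwrite a live mapping */
    t->maptrack_head = t->maptrack[h].ref_and_flags >> MAPTRACK_REF_SHIFT;
    t->map_count++;
    t->maptrack[h].domid = dom;
    t->maptrack[h].ref_and_flags =
        (ref << MAPTRACK_REF_SHIFT) | (flags & MAPTRACK_GNTMAP_MASK);
    return (int)h;
}
/* put_maptrack_handle as quoted, with an added check against freeing a free entry. */
static int put_handle(grant_table_t *t, unsigned int handle) {
    if (handle >= t->maptrack_limit || !is_live(t, handle)) return -1;
    t->maptrack[handle].ref_and_flags = t->maptrack_head << MAPTRACK_REF_SHIFT;
    t->maptrack_head = handle;
    t->map_count--;
    return 0;
}
/* Scenario from the mail: map three, drop the third, map it again. */
static int remap_third(int stale_head) {
    grant_table_t t; init_table(&t);
    map_ref(&t, 1, 10, 1); map_ref(&t, 2, 11, 1);
    put_handle(&t, (unsigned int)map_ref(&t, 3, 12, 1));
    if (stale_head) t.maptrack_head = 0;   /* constructed fault: head at live entry 0 */
    return map_ref(&t, 3, 13, 1);
}
int main(void) {
    printf("consistent list: %d, stale head: %d\n", remap_third(0), remap_third(1));
}
```

In this model a consistent list hands back handle 2 after handle 2 is freed; a head that points at entry 0 while that entry is still live is rejected instead of being reissued.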