[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] x86: fix NULL function call in timer_softirq_action()

Hi,

In VT-d enabled and SMP machine, when start HVM guests that was assigned
device such as "pci = ['01:00.0']", sometimes panic happens! This panic
occurs because of NULL function call in timer_softirq_action().

Attached patch fixes this problem.

This panic's cause was find_first_bit() in vmx_dirq_assist().
In find_first_bit(__find_first_bit) function, "repe; scas" instruction
and "bsf" instruction refer addresses of a bitmap. If clear_bit() is
called to clear a bit of the bitmap between above instructions, eax
register's value is zero after execution of "bsf" instruction. As a
result, the return value of find_first_bit() will be 0, 64, 128 or
192(on x86_64 arch).
In this case, vmx_dirq_assist() calls set_timer() about the bit not to
be set. If hvm_timer(timer structure) about the bit is not initialized,
timer_softirq_action() will call zero address.

Only in VT-d enabled and SMP machine, clear_bit() is called in
pt_irq_time_out() on another cpu.


Signed-off-by: Naoki Nishiguchi <nisiguti@xxxxxxxxxxxxxx>

Regards,
Naoki Nishiguchi


diff -r 08e010c3f251 xen/arch/x86/bitops.c
--- a/xen/arch/x86/bitops.c     Tue Apr 15 16:39:00 2008 +0100
+++ b/xen/arch/x86/bitops.c     Wed Apr 16 09:38:06 2008 +0900
@@ -8,12 +8,15 @@ unsigned int __find_first_bit(
     unsigned long d0, d1, res;
 
     asm volatile (
-        "   xor %%eax,%%eax\n\t" /* also ensures ZF==1 if size==0 */
+        "1: xor %%eax,%%eax\n\t" /* also ensures ZF==1 if size==0 */
         "   repe; scas"__OS"\n\t"
-        "   je 1f\n\t"
+        "   je 2f\n\t"
         "   lea -"STR(BITS_PER_LONG/8)"(%2),%2\n\t"
-        "   bsf (%2),%0\n"
-        "1: sub %%ebx,%%edi\n\t"
+        "   bsf (%2),%0\n\t"
+        "   jnz 2f\n\t"
+        "   lea "STR(BITS_PER_LONG/8)"(%2),%2\n\t"
+        "   jmp 1b\n\t"
+        "2: sub %%ebx,%%edi\n\t"
         "   shl $3,%%edi\n\t"
         "   add %%edi,%%eax"
         : "=&a" (res), "=&c" (d0), "=&D" (d1)

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.