
[win-pv-devel] [PATCH] BalloonReleasePfnArray() is broken in several ways

When BalloonReleasePfnArray() attempts a decrease_reservation operation
then it is possible that not all the requested pages will be released.
In this eventuality, the function is supposed to pull the excess PFNs
that were added to the rangeset back out again and then allow the caller,
BalloonInflate(), to free the PFNs back to Windows.

The first bit of brokenness is that the arguments to RangeSetGet() are
permuted, such that it tries to get a range starting at PFN 1 rather than
a single PFN.

The next bit of brokenness is that the loop zeroes out the PFN value from
the array (presumably to satisfy the subsequent bogus ASSERTion) thus
causing the call to BalloonFreePfnArray() made by BalloonInflate() to
attempt to free PFN 0 potentially multiple times.

This patch fixes the code to do what it was intended to do.

Reported-by: Owen Smith <owen.smith@xxxxxxxxxx>
Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
 src/xenbus/balloon.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
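As an added illustration (not the driver's code), here is a toy C model of the shortfall path the commit message describes: a range set standing in for XENBUS_RANGE_SET(Put/Get), a simulated decrease_reservation that accepts only part of the batch, the loop in both its pre-patch and patched forms, and the post-condition the patched ASSERT relies on. The names range_flip, release_pfn_array and release_invariant_holds are invented, and the model's zeroing of the accepted entries is an assumption, not something the hunk shows.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_PFN 64
typedef unsigned long PFN_NUMBER;
/* Toy range set standing in for XENBUS_RANGE_SET(Put/Get, Start, Count):
 * rangeset[p] is true while PFN p is recorded as ballooned out. */
static bool rangeset[MAX_PFN];
/* Flip [start, start+count): Put expects every PFN absent (present == false),
 * Get expects every PFN present.  Fails without changes otherwise. */
static bool range_flip(PFN_NUMBER start, PFN_NUMBER count, bool present) {
    if (start + count > MAX_PFN) return false;
    for (PFN_NUMBER p = start; p < start + count; p++)
        if (rangeset[p] != present) return false;
    for (PFN_NUMBER p = start; p < start + count; p++) rangeset[p] = !present;
    return true;
}
#define rangeset_put(start, count) range_flip((start), (count), false)
#define rangeset_get(start, count) range_flip((start), (count), true)

/* Model of BalloonReleasePfnArray(): all `requested` PFNs go into the set, the
 * simulated decrease_reservation accepts only the first `accepted`, and the
 * surplus must come back out of the set but stay in the array for the caller
 * to free.  `buggy` reproduces the pre-patch loop.  Returns the number of
 * surplus PFNs left for the caller, or -1 on error. */
int release_pfn_array(PFN_NUMBER *pfn, size_t requested, size_t accepted, bool buggy) {
    for (size_t i = 0; i < requested; i++)
        if (!rangeset_put(pfn[i], 1)) return -1;
    for (size_t i = 0; i < accepted; i++)
        pfn[i] = 0;                              /* model: now owned by the hypervisor */
    for (size_t i = accepted; i < requested; i++) {
        bool ok;
        if (buggy) {
            ok = rangeset_get(1, pfn[i]);        /* permuted: start=1, count=PFN */
            pfn[i] = 0;                          /* caller would later free PFN 0 */
        } else {
            ok = rangeset_get(pfn[i], 1);        /* patched: start=PFN, count=1 */
        }
        if (!ok) return -1;
    }
    return (int)(requested - accepted);
}
/* Post-condition the patched ASSERT depends on: accepted entries are zero and
 * every surplus entry is a real PFN that is no longer in the set. */
bool release_invariant_holds(const PFN_NUMBER *pfn, size_t requested, size_t accepted) {
    for (size_t i = 0; i < accepted; i++)
        if (pfn[i] != 0) return false;
    for (size_t i = accepted; i < requested; i++)
        if (pfn[i] == 0 || pfn[i] >= MAX_PFN || rangeset[pfn[i]]) return false;
    return true;
}
```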

diff --git a/src/xenbus/balloon.c b/src/xenbus/balloon.c
index 6f3767c..2f1284e 100644
--- a/src/xenbus/balloon.c
+++ b/src/xenbus/balloon.c
@@ -495,15 +495,13 @@ BalloonReleasePfnArray(
         status = XENBUS_RANGE_SET(Get,
-                                  1,
-                                  (LONGLONG)Context->PfnArray[Index]);
+                                  (LONGLONG)Context->PfnArray[Index],
+                                  1);
-        Context->PfnArray[Index] = 0;
-    ASSERT(IsZeroMemory(Context->PfnArray, Requested * sizeof (PFN_NUMBER)));
+    ASSERT(IsZeroMemory(Context->PfnArray, Count * sizeof (PFN_NUMBER)));
     TimeDelta = __max(((End.QuadPart - Start.QuadPart) / 10000ull), 1);
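Review bot: with the `Context->PfnArray[Index] = 0;` store removed and the ASSERT narrowed from `Requested` to `Count` entries, the hunk relies on entries [0, Count) having been zeroed elsewhere while entries [Count, Requested) keep their PFNs for BalloonFreePfnArray(); none of the context shown establishes that, nor that Count <= Requested, so a short comment above the ASSERT stating both would help the next reader, and it is worth confirming that the `status` from the corrected XENBUS_RANGE_SET(Get, ...) call is acted on, so a failed Get cannot silently leave a PFN in the rangeset while the caller frees it.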
