Re: [Xen-devel] [PATCH] fix stubdom memory corruption
 
- To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>,	Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
 
- From: Boris Derzhavets <bderzhavets@xxxxxxxxx>
 
- Date: Tue, 14 Apr 2009 05:28:29 -0700 (PDT)
 
- Cc: 
 
- Delivery-date: Tue, 14 Apr 2009 05:29:02 -0700
 
- List-id: Xen developer discussion <xen-devel.lists.xensource.com>
 
 
 
This one and vl.c patch have been applied. stubdom has been rebuilt and reinstalled. No improvement.

Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  7019     2     r-----     633.9
RHELhvm                                      1  1024     1     ------       0.0

root@ServerXen331:/etc/xen# netstat -a|grep 590
tcp        0      0 *:5901                  *:*                     LISTEN
  Boris
 
  --- On Tue, 4/14/09, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> wrote:
 From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
 Subject: [Xen-devel] [PATCH] fix stubdom memory corruption
 To: "xen-devel" <xen-devel@xxxxxxxxxxxxxxxxxxx>
 Date: Tuesday, April 14, 2009, 5:27 AM
 
 Hi all, this patch fixes a memory corruption in blkfront that happens every time we pass a sector aligned buffer (instead of a page aligned buffer) to blkfront_aio. To trigger the COW we have to write at least a byte to each page of the buffer, but we must be careful not to overwrite useful content.
  Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  diff -r dbc4014882d0 extras/mini-os/blkfront.c --- a/extras/mini-os/blkfront.c	Wed Apr 01 08:36:21 2009 +0100 +++ b/extras/mini-os/blkfront.c	Tue Apr 14 10:18:30 2009 +0100 @@ -317,19 +317,21 @@      req->sector_number = aiocbp->aio_offset / dev->info.sector_size;        for (j = 0; j <
 n; j++) { +        req->seg[j].first_sect = 0; +        req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1; +    } +    req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / dev->info.sector_size; +    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size; +    for (j = 0; j < n; j++) {  	uintptr_t data = "" + j * PAGE_SIZE;          if (!write) {              /* Trigger CoW if needed */ -            *(char*)data = "">+            *(char*)(data + (req->seg[j].first_sect << 9)) = 0;              barrier();          }  	aiocbp->gref[j] = req->seg[j].gref =              gnttab_grant_access(dev->dom, virtual_to_mfn(data), write); -	req->seg[j].first_sect = 0; -	req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1;      } -   
 req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / dev->info.sector_size; -    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size;        dev->ring.req_prod_pvt = i + 1;  
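Review bot: In the read path's CoW trigger, `*(char*)(data + (req->seg[j].first_sect << 9)) = 0;` hardcodes a 512-byte sector through the `<< 9`, while `first_sect` is computed just above in units of `dev->info.sector_size`. On a device with a larger sector size the touched byte falls at a different page offset than the sector `first_sect` names, so it can land on in-page data that precedes the caller's buffer, which is the overwrite this patch is meant to avoid. Multiplying by `dev->info.sector_size` instead of shifting keeps the write on the first sector the request covers. A short comment noting that only segment 0 can have a non-zero `first_sect`, and that the touched byte lies inside the range the read will fill, would also make the intent clear.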
 _______________________________________________
 Xen-devel mailing list
 Xen-devel@xxxxxxxxxxxxxxxxxxx
 http://lists.xensource.com/xen-devel