Re: [Xen-devel] [PATCH 2/2] evtchn/fifo: don't corrupt queues if an old tail moves queues

[David Vrabel <david.vrabel@xxxxxxxxxx>]

On 12/11/13 11:38, David Vrabel wrote:
> From: David Vrabel <david.vrabel@xxxxxxxxxx>
> 
> An event may still be the tail of a queue even if the queue is now
> empty (an 'old tail' event).  There is logic to handle the case when
> this old tail event needs to be added to the now empty queue (by
> checking for q->tail == port).
> 
> However, if the old tail event on queue A is moved to a different
> queue B (by changing its VCPU or priority), the event may then be
> linked onto queue B.  When another event is linked onto queue A it
> will check the old tail, see that it is linked (but on queue B) and
> overwrite the LINK field, corrupting both queues.

This fix is not quite right so don't apply.

> --- a/xen/common/event_fifo.c
> +++ b/xen/common/event_fifo.c
> @@ -98,6 +98,47 @@ static bool_t evtchn_fifo_set_link(const struct domain *d, 
> event_word_t *word,
>      return 1;
>  }
>  
> +static bool_t test_and_set_linked(const struct domain *d,
> +                                  struct evtchn *evtchn,
> +                                  struct evtchn_fifo_queue *q,
> +                                  event_word_t *word)
> +{
> +    struct vcpu *old_v;
> +    struct evtchn_fifo_queue *old_q;
> +    bool_t was_linked;
> +    unsigned long flags;
> +
> +    old_v = d->vcpu[evtchn->last_vcpu_id];
> +    old_q = &old_v->evtchn_fifo->queue[evtchn->last_priority];
> +
> +    evtchn->last_vcpu_id = evtchn->notify_vcpu_id;
> +    evtchn->last_priority = evtchn->priority;

We set the last queue here even if we're not moving it yet.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel