
[Xen-ia64-devel] [RFC] refcnt countup bug



I found a bug regarding updating domain struct's "refcnt", that is,
"refcnt" is incremented 2 times in the following condition.
(I believe it should be incremented only once).
 
 - Hypercall (DOM0_GETMEMLIST) is issued and
 - This is the first memory allocation for that DomU

*** hypercall(dom0_op -> DOM0_GETMEMLIST) start ***

do_dom0_op()                                 |
|                                            |
+->arch_do_dom0_op()                         | refcnt : 1
   |                                         |
   |->find_domain_by_id()                    |
   |  |                                      |
   |  +->get_domain() ------------------------ refcnt 1up
   |                                         |
   |->__gpfn_to_mfn_foreign()                |
   |  |                                      |
   |  +->lookup_domain_mpa()                 |
   |     |                                   | refcnt : 2
   |     +->map_new_domain_page()            |
   |        |                                |
   |        +->alloc_domheap_page(s)()       |
   |           |                             |
   |           +->get_knownalive_domain() ---- refcnt 1up
   |                                         |
   |                                         | refcnt : 3
   |                                         |
   +->put_domain() --------------------------- refcnt 1down
                                             |
                                             | refcnt : 2
                                             |

*** hypercall(dom0_op -> DOM0_GETMEMLIST) end ***

To solve this problem, I propose the following patch. I would
like to request comments.

Signed-off-by: Masaki Kanno <kanno.masaki@xxxxxxxxxxxxxx>

Best regards,
 Kan

diff -r 5fcc346d6fe0 xen/arch/ia64/xen/domain.c
--- a/xen/arch/ia64/xen/domain.c        Thu Jan 26 10:31:28 2006
+++ b/xen/arch/ia64/xen/domain.c        Thu Feb  2 12:47:49 2006
@@ -423,9 +423,23 @@
                else
 #endif
                {
-                       p = alloc_domheap_page(d);
-                       // zero out pages for security reasons
-                       if (p) memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                       if (likely(d->tot_pages))
+                       {
+                               p = alloc_domheap_page(d);
+                               // zero out pages for security reasons
+                               if (p) 
memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                       }
+                       else
+                       {
+                               p = alloc_domheap_page(d);
+                               if (p)
+                               {
+                                       // for get_knownalive_domain in 
alloc_domheap_page(s)
+                                       atomic_dec(&d->refcnt);
+                                       // zero out pages for security reasons
+                                       
memset(__va(page_to_phys(p)),0,PAGE_SIZE);
+                               }
+                       }
                }
                if (unlikely(!p)) {
 printf("map_new_domain_page: Can't alloc!!!! Aaaargh!\n");
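
Review bot: the `atomic_dec(&d->refcnt)` in the new else branch drops the reference on the strength of a `d->tot_pages` test made before `alloc_domheap_page(d)` is called, so the decision to undo the allocator's `get_knownalive_domain()` is taken outside the allocator and is not atomic with it. If another path gives the domain its first page between the test and the call, or the allocator's own condition for taking the reference is not exactly "tot_pages is zero", the count ends up one too low. Before changing this, please confirm that the reference is not deliberately held for as long as the domain owns pages and released when they are freed; in that case the count of 2 after the hypercall is expected and this decrement would unbalance it. If the drop is still needed, use `put_domain(d)` rather than a raw `atomic_dec` so the zero case is handled, and sample the condition once into a local flag so the `alloc_domheap_page(d)` and `memset` pair is not duplicated in both branches.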

Attachment: refcnt.patch
Description: Binary data
