[Xen-bugs] [Bug 1496] New: a suspected race bug at common/gdbstub.c related to atomic instructions

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1496] New: a suspected race bug at common/gdbstub.c related to atomic instructions
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Thu, 27 Aug 2009 23:15:23 -0700
Delivery-date: Thu, 27 Aug 2009 23:15:29 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx

           Summary: a suspected race bug at common/gdbstub.c related to
                    atomic instructions
           Product: Xen
           Version: unstable
          Platform: All
        OS/Version: Windows
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Unspecified
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: hongshin@xxxxxxxxx

Hi. I am reporting a suspected race bug at __trap_to_gdb()
in xen/common/gdbstub.c of Xen 3.4.1.

I found this bug while I read Xen code. Since I do not have
much background on Xen, it might not be a real bug. But
I hope that this report would be helpful.
Please examine the code and let me know your opinion.

It seems that the function checks whether gdb_ctx->running is 1 or not
by atomic_dec_and_test(&gdb_ctx->running).

If the return value is negative (a.k.a. gdb_ctx->running > 1),
it restores the value and then returns with an error.

However, if there are two threads that execute __trap_to_gdb() concurrently
and gdb_ctx->running == 2, the following scenario would be possible.

thread 1                                    |  thread 2
if (!atomic_dec_and_test(&gdb_ctx->running))|
   printk("WARNING...                       |
   atomic_inc(&gdb_ctx->running) ;          |
   return -EBUSY;                           |
                                            | /* gdb_ctx->running is 1 */

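The following is an added example, not code from the bug report or from Xen: it replays the interleaving the report describes as a deterministic, single-threaded model so the outcome can be checked. It assumes, from the shape of the check (atomic_dec_and_test succeeds only on a 1 -> 0 transition), that running == 1 means the debugger is free and 0 means a CPU is inside it; it starts the counter at 2 because that is the premise the report gives. The compare-and-swap guard shown alongside is this example's own alternative, not something the report proposes, and all function and struct names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not Xen's code. `running` models gdb_ctx->running:
 * 1 = debugger free, 0 = a CPU is inside (inferred from the 1 -> 0 check).
 * All names below are this example's own. */

/* Model of atomic_dec_and_test(): decrement, report whether the result is 0. */
static bool dec_and_test(atomic_int *v)
{
    return atomic_fetch_sub(v, 1) == 1;
}

/* The guard as the report quotes it, split at the race window: the
 * decrement happens in try(), the compensating increment in restore().
 * Between the two, another thread can observe the transient value. */
struct dec_guard {
    bool hit_zero;   /* true: this thread believes it owns the debugger */
};

static void dec_guard_try(atomic_int *running, struct dec_guard *g)
{
    g->hit_zero = dec_and_test(running);
}

static void dec_guard_restore(atomic_int *running, struct dec_guard *g)
{
    if (!g->hit_zero)
        atomic_fetch_add(running, 1);   /* the "atomic_inc(&gdb_ctx->running)" step */
}

/* Alternative guard (this example's assumption, not the report's proposal):
 * claim the debugger with a single compare-and-swap 1 -> 0. A losing thread
 * never writes the counter, so there is no window and nothing to restore. */
static bool cas_guard_try(atomic_int *running)
{
    int expected = 1;
    return atomic_compare_exchange_strong(running, &expected, 0);
}

/* Replay the report's scenario with the dec/restore guard: running starts at
 * 2, thread 1 decrements and loses, thread 2 runs inside thread 1's window,
 * thread 1 restores, then a third thread arrives. Returns how many threads
 * end up believing they own the debugger at the same time. */
int owners_with_dec_guard(void)
{
    atomic_int running = 2;
    struct dec_guard t1 = {0}, t2 = {0}, t3 = {0};

    dec_guard_try(&running, &t1);      /* 2 -> 1: not zero, will restore     */
    dec_guard_try(&running, &t2);      /* 1 -> 0: zero, thread 2 "enters"    */
    dec_guard_restore(&running, &t1);  /* 0 -> 1: counter reads "free" again */
    dec_guard_try(&running, &t3);      /* 1 -> 0: thread 3 also "enters"     */
    dec_guard_restore(&running, &t2);  /* no-op: hit zero                    */
    dec_guard_restore(&running, &t3);  /* no-op: hit zero                    */

    return (int)t1.hit_zero + (int)t2.hit_zero + (int)t3.hit_zero;
}

/* Same three arrivals with the compare-and-swap guard, from a given start. */
int owners_with_cas_guard(int initial)
{
    atomic_int running = initial;
    bool t1 = cas_guard_try(&running);
    bool t2 = cas_guard_try(&running);
    bool t3 = cas_guard_try(&running);
    return (int)t1 + (int)t2 + (int)t3;
}

/* Counter value after the CAS replay: a failed CAS leaves it untouched. */
int counter_after_cas_guard(int initial)
{
    atomic_int running = initial;
    cas_guard_try(&running);
    cas_guard_try(&running);
    cas_guard_try(&running);
    return atomic_load(&running);
}

int main(void)
{
    printf("dec/restore guard, running=2: %d owner(s)\n", owners_with_dec_guard());
    printf("cas guard, running=1: %d owner(s)\n", owners_with_cas_guard(1));
    printf("cas guard, running=2: %d owner(s)\n", owners_with_cas_guard(2));
    return 0;
}
```

The point the replay makes is that the decrement and the compensating increment are each atomic, but the pair is not: a thread that loses still writes the counter twice, and any thread scheduled between those writes sees a value that says "free". A single compare-and-swap makes the claim one indivisible step, so a losing thread leaves no trace and a later thread cannot be admitted by a half-finished restore.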