WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] [PATCH][QEMU] fix segmentation fault after hotplug pass-thro

from [Zhai, Edwin] [Permanent Link][Original]
To: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH][QEMU] fix segmentation fault after hotplug pass-through device
From: "Zhai, Edwin" <edwin.zhai@xxxxxxxxx>
Date: Fri, 09 Apr 2010 17:01:01 +0800
Cc: Xen Developers <xen-devel@xxxxxxxxxxxxxxxxxxx>, "Zhai, Edwin" <edwin.zhai@xxxxxxxxx>
Delivery-date: Fri, 09 Apr 2010 02:04:54 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.17 (X11/20080914) 
This patch fixed the QEMU segmentation fault after hotplug
pass-through devices with MSI-X for many times.

There is a wrong boundary check in cpu_register_io_memory that uses
io_index rather than io_mem_nb. After many times of hotplug of MSI-X
pass-through device, io_mem_read[] got extended to overwrite mmio_cnt,
then cause QEMU segmentation fault.

This fix sync with upstream QEMU code in exec.c, and free unused
io_mem_XXX element after hot removal.

Signed-off-by: Zhai Edwin <edwin.zhai@xxxxxxxxx>

Index: xen-dev/tools/ioemu-remote/hw/pt-msi.c
===================================================================
--- xen-dev.orig/tools/ioemu-remote/hw/pt-msi.c
+++ xen-dev/tools/ioemu-remote/hw/pt-msi.c
@@ -623,5 +623,11 @@ void pt_msix_delete(struct pt_dev *dev)
           dev->msix->table_offset_adjust);
    }

+    if (dev->msix->mmio_index > 0)
+    {
+        cpu_unregister_io_memory(dev->msix->mmio_index);
+    }
+
+
    free(dev->msix);
}
Index: xen-dev/tools/ioemu-remote/i386-dm/exec-dm.c
===================================================================
--- xen-dev.orig/tools/ioemu-remote/i386-dm/exec-dm.c
+++ xen-dev/tools/ioemu-remote/i386-dm/exec-dm.c
@@ -125,7 +125,7 @@ unsigned long qemu_host_page_mask;
CPUWriteMemoryFunc *io_mem_write[IO_MEM_NB_ENTRIES][4];
CPUReadMemoryFunc *io_mem_read[IO_MEM_NB_ENTRIES][4];
void *io_mem_opaque[IO_MEM_NB_ENTRIES];
-static int io_mem_nb = 1;
+char io_mem_used[IO_MEM_NB_ENTRIES];

/* log support */
FILE *logfile;
@@ -310,6 +310,20 @@ void cpu_register_physical_memory(target
    mmio[mmio_cnt++].size = size;
}

+static int get_free_io_mem_idx(void)
+{
+    int i;
+
+    /* Leave 1st element empty */
+    for (i = 1; i<IO_MEM_NB_ENTRIES; i++)
+        if (!io_mem_used[i]) {
+            io_mem_used[i] = 1;
+            return i;
+        }
+
+    return -1;
+}
+
/* mem_read and mem_write are arrays of functions containing the
   function to access byte (index 0), word (index 1) and dword (index
   2). All functions must be supplied. If io_index is non zero, the
@@ -324,9 +338,9 @@ int cpu_register_io_memory(int io_index,
    int i;

    if (io_index <= 0) {
-        if (io_index >= IO_MEM_NB_ENTRIES)
-            return -1;
-        io_index = io_mem_nb++;
+        io_index = get_free_io_mem_idx();
+        if (io_index == -1)
+            return io_index;
    } else {
        if (io_index >= IO_MEM_NB_ENTRIES)
            return -1;
@@ -357,6 +371,7 @@ void cpu_unregister_io_memory(int io_tab
        io_mem_write[io_index][i] = NULL;
    }
    io_mem_opaque[io_index] = NULL;
+    io_mem_used[io_index] = 0;
}

void cpu_physical_memory_set_dirty(ram_addr_t addr)


--
best rgds,
edwin


Index: xen-dev/tools/ioemu-remote/hw/pt-msi.c
===================================================================
--- xen-dev.orig/tools/ioemu-remote/hw/pt-msi.c
+++ xen-dev/tools/ioemu-remote/hw/pt-msi.c
@@ -623,5 +623,11 @@ void pt_msix_delete(struct pt_dev *dev)
            dev->msix->table_offset_adjust);
     }
 
+    if (dev->msix->mmio_index > 0)
+    {
+        cpu_unregister_io_memory(dev->msix->mmio_index);
+    }
+
+
     free(dev->msix);
 }
Index: xen-dev/tools/ioemu-remote/i386-dm/exec-dm.c
===================================================================
--- xen-dev.orig/tools/ioemu-remote/i386-dm/exec-dm.c
+++ xen-dev/tools/ioemu-remote/i386-dm/exec-dm.c
@@ -125,7 +125,7 @@ unsigned long qemu_host_page_mask;
 CPUWriteMemoryFunc *io_mem_write[IO_MEM_NB_ENTRIES][4];
 CPUReadMemoryFunc *io_mem_read[IO_MEM_NB_ENTRIES][4];
 void *io_mem_opaque[IO_MEM_NB_ENTRIES];
-static int io_mem_nb = 1;
+char io_mem_used[IO_MEM_NB_ENTRIES];
 
 /* log support */
 FILE *logfile;
@@ -310,6 +310,20 @@ void cpu_register_physical_memory(target
     mmio[mmio_cnt++].size = size;
 }
 
+static int get_free_io_mem_idx(void)
+{
+    int i;
+
+    /* Leave 1st element empty */
+    for (i = 1; i<IO_MEM_NB_ENTRIES; i++)
+        if (!io_mem_used[i]) {
+            io_mem_used[i] = 1;
+            return i;
+        }
+
+    return -1;
+}
+
 /* mem_read and mem_write are arrays of functions containing the
    function to access byte (index 0), word (index 1) and dword (index
    2). All functions must be supplied. If io_index is non zero, the
@@ -324,9 +338,9 @@ int cpu_register_io_memory(int io_index,
     int i;
 
     if (io_index <= 0) {
-        if (io_index >= IO_MEM_NB_ENTRIES)
-            return -1;
-        io_index = io_mem_nb++;
+        io_index = get_free_io_mem_idx();
+        if (io_index == -1)
+            return io_index;
     } else {
         if (io_index >= IO_MEM_NB_ENTRIES)
             return -1;
@@ -357,6 +371,7 @@ void cpu_unregister_io_memory(int io_tab
         io_mem_write[io_index][i] = NULL;
     }
     io_mem_opaque[io_index] = NULL;
+    io_mem_used[io_index] = 0;
 }
 
 void cpu_physical_memory_set_dirty(ram_addr_t addr)

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] [PATCH][QEMU] fix segmentation fault after hotplug pass-through device, Zhai, Edwin <=
Previous by Date:  [Xen-users] Re: [Xen-devel] XenKernelFeatures wiki page added, Jean Guyader
Next by Date:  [Xen-devel] Re: [Xen-users] Re: Xen 4.0 on gentoo hotplug scripts problem? broken with filenames with spaces, Pasi Kärkkäinen
Previous by Thread:  [Xen-devel] New release candidiate for Xen 3.4.3, Keir Fraser
Next by Thread:  [Xen-devel] Re: [Xen-users] Re: Xen 4.0 on gentoo hotplug scripts problem? broken with filenames with spaces, Pasi Kärkkäinen
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy