From: Harry Butterworth <harry@hebutterworth.freeserve.co.uk>
To: keir.fraser@cl.cam.ac.uk, christopher.clark@cl.cam.ac.uk
Cc: xen-devel@lists.xensource.com
Subject: Bug in use of grant tables in blkback.c error path?
Date: Sun, 06 Nov 2005 12:24:54 +0000 [thread overview]
Message-ID: <1131279894.6956.17.camel@localhost> (raw)
In dispatch_rw_block_io after a call to HYPERVISOR_grant_table_op, there
is the following code which calls fast_flush_area and breaks out of the
loop early if one of the handles returned from HYPERVISOR_grant_table_op
is negative:
for (i = 0; i < nseg; i++) {
if (unlikely(map[i].handle < 0)) {
DPRINTK("invalid buffer -- could not remap it\n");
fast_flush_area(pending_idx, nseg);
goto bad_descriptor;
}
phys_to_machine_mapping[__pa(MMAP_VADDR(
pending_idx, i)) >> PAGE_SHIFT] =
FOREIGN_FRAME(map[i].dev_bus_addr >> PAGE_SHIFT);
pending_handle(pending_idx, i) = map[i].handle;
}
The implementation of fast_flush_area uses pending_handle and is called
to flush the whole range nseg but the loop above is setting up
pending_handle as it goes along so the handles for the pages after the
erroneous one are not set up when fast_flush area is called.
Here's the bit of fast_flush_area that uses pending_handle:
for (i = 0; i < nr_pages; i++) {
handle = pending_handle(idx, i); <<<<<<<<<<<<<<<<<
if (handle == BLKBACK_INVALID_HANDLE)
continue;
unmap[i].host_addr = MMAP_VADDR(idx, i);
unmap[i].dev_bus_addr = 0;
unmap[i].handle = handle;
pending_handle(idx, i) = BLKBACK_INVALID_HANDLE;
invcount++;
}
I also checked the implementation of gnttab_map_grant_ref:
static long
gnttab_map_grant_ref(
gnttab_map_grant_ref_t *uop, unsigned int count)
{
int i;
for ( i = 0; i < count; i++ )
(void)__gnttab_map_grant_ref(&uop[i]);
return 0;
}
gnttab_map_grant_ref seems to keep going and attempt to map the
remaining pages after an error is encountered.
All in all, this looks like a bug to me where failure to map a grant
reference in the middle of a set would result in pages kept mapped in
the backend when fast_flush_area fails to clean them up.
Am I right?
Harry.
--
Harry Butterworth <harry@hebutterworth.freeserve.co.uk>
next reply other threads:[~2005-11-06 12:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-06 12:24 Harry Butterworth [this message]
2005-11-06 15:32 ` Bug in use of grant tables in blkback.c error path? Keir Fraser
2005-11-06 16:18 ` Harry Butterworth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1131279894.6956.17.camel@localhost \
--to=harry@hebutterworth.freeserve.co.uk \
--cc=christopher.clark@cl.cam.ac.uk \
--cc=keir.fraser@cl.cam.ac.uk \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.