From mboxrd@z Thu Jan  1 00:00:00 1970
From: Greg Harris <greg.harris@metacarta.com>
Subject: Re: Kernel Panic in xen-blkfront.c:blkif_queue_request
	under 2.6.28
Date: Mon, 2 Feb 2009 09:53:24 -0500 (EST)
Message-ID: <33412370.8060681233586404023.JavaMail.root@ouachita>
References: <11750686.8060601233586380769.JavaMail.root@ouachita>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <11750686.8060601233586380769.JavaMail.root@ouachita>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Jens Axboe <jens.axboe@oracle.com>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>, xen-devel <xen-devel@lists.xensource.com>
List-Id: xen-devel@lists.xenproject.org

----- "Jens Axboe" <jens.axboe@oracle.com> wrote:

Here is what I'm thinking is happening rewritten for clarity:

#define BLKIF_MAX_SEGMENTS_PER_REQUEST 11 
int array[BLKIF_MAX_SEGMENTS_PER_REQUEST]; 

void write_segments( int number_of_segments )
  int nr_segments = 0;
  for( int x = 0; x < number_of_segments; x++ )
  {
    BUG_ON( nr_segments == BLKIF_MAX_SEGMENTS_PER_REQUEST );
    array[nr_segments] = get_segment_value(nr_segments);
    nr_segments ++ ;
  }
}

The BUG_ON is firing because the index into the number of segments is equal to BLKIF_MAX_SEGMENTS_PER_REQUEST which would require an array size of BLKIF_MAX_SEGMENTS_PER_REQUEST + 1 (more than has actually been allocated).

The kernel is being told that it should happily map up to BLKIF_MAX_SEGMENTS_PER_REQUEST segments which will fit in our array as allocated.  The BUG_ON is correctly firing because in the iteration over the number of segments our index has been incremented to a value that now points outside the boundary of our array.

-- Greg

> 
> > It sounds to me like the kernel itself may not be obeying the
> > requested segment limits here?
> 
> It's quite simple - if you tell the kernel that your segment limit is
> 8,
> then it will happily map up to 8 segments for you. So the mixture of
> setting a limit to foo and check calling BUG() if that limit is
> reached
> is crap, of obvious reasons. If you ask for 8 segments but can only
> hold
> 7, well...
> -- 
> Jens Axboe