From: Juergen Gross
Subject: [Patch] cmpxchg emulation returns wrong ZF
Date: Thu, 06 Aug 2009 08:49:15 +0200
Message-ID: <4A7A7CEB.9080702@ts.fujitsu.com>
To: "xen-devel@lists.xensource.com"
List-Id: xen-devel@lists.xenproject.org

Hi,

attached patch corrects a bug in cmpxchg emulation in the hypervisor.
BS2000 running as HVM-domain on 4 vcpus (no HAP) hit an error due to this bug after several days.

Juergen

--
Juergen Gross                 Principal Developer Operating Systems
TSP ES&S SWE OS6                       Telephone: +49 (0) 89 636 47950
Fujitsu Technology Solutions           e-mail: juergen.gross@ts.fujitsu.com
Otto-Hahn-Ring 6                       Internet: ts.fujitsu.com
D-81739 Muenchen                       Company details: ts.fujitsu.com/imprint.html

Attachment: cmpxchg.patch

The cmpxchg emulation for accesses to page tables of guests doesn't handle races correctly. ops->cmpxchg might return X86EMUL_CMPXCHG_FAILED if the addressed memory location changed after checking the old contents. In this case ZF was not changed and could remain 1 instead of being set to 0.

Signed-off-by: juergen.gross@ts.fujitsu.com

# HG changeset patch
# User juergen.gross@ts.fujitsu.com
# Date 1249540842 -7200
# Node ID 26adbdb6cb1d59d95e0a65b6a0d38fa8e95b9f51
# Parent 68e8b8379244e293c55875e7dc3692fc81d3d212
handle race on cmpxchg emulation

diff -r 68e8b8379244 -r 26adbdb6cb1d xen/arch/x86/x86_emulate/x86_emulate.c
--- a/xen/arch/x86/x86_emulate/x86_emulate.c Sun Aug 02 13:43:15 2009 +0100 +++ b/xen/arch/x86/x86_emulate/x86_emulate.c Thu Aug 06 08:40:42 2009 +0200 @@ -4124,6 +4124,7 @@ op_bytes *= 2; /* Get actual old value. */ +cmpxchg_failed: for ( i = 0; i < (op_bytes/sizeof(long)); i++ ) if ( (rc = read_ulong(ea.mem.seg, ea.mem.off + i*sizeof(long), &old[i], sizeof(long), ctxt, ops)) != 0 ) @@ -4151,10 +4152,13 @@ else { /* Expected == actual: attempt atomic cmpxchg and set ZF. */ - if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old, - new, op_bytes, ctxt)) != 0 ) - goto done; - _regs.eflags |= EFLG_ZF; + rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old, new, op_bytes, ctxt); + if ( rc == 0 ) + _regs.eflags |= EFLG_ZF; + else if ( rc == X86EMUL_CMPXCHG_FAILED ) + goto cmpxchg_failed; + else + goto done; } break; } --------------060302030001050901040005 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------060302030001050901040005--
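Review bot: the backward jump to the new `cmpxchg_failed:` label in the first hunk (at line 4124, just before the "Get actual old value" loop) creates a retry loop with no upper bound: every X86EMUL_CMPXCHG_FAILED re-reads `old[]` via `read_ulong`, and if the re-read still equals the expected value the code reaches `ops->cmpxchg` again, with nothing capping how often this repeats. A comment at the label stating why this cannot spin indefinitely (a re-read that differs leaves via the non-zero-ZF branch, so only a value that keeps changing back to the expected one re-enters), or a small retry counter that gives up with `goto done` and the failure rc, would make the termination argument explicit for the next reader. It is also worth a comment that the label sits before the `for ( i = 0; ...` loop rather than inside it, so `i` is reinitialised on every retry.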
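Review bot: in the second hunk (line 4152) the comment `/* Expected == actual: attempt atomic cmpxchg and set ZF. */` is now out of date, since the block has three outcomes: `rc == 0` sets ZF, `rc == X86EMUL_CMPXCHG_FAILED` jumps back to `cmpxchg_failed` to re-read and re-compare, and any other rc exits via `goto done`. Please extend it to say that a lost race is handled by re-reading, and that ZF is not cleared anywhere in this hunk: the clear happens only if the re-read then takes the mismatch branch, which is exactly how the stale ZF=1 described in the commit message is fixed. Making that dependency visible in the comment avoids someone later "simplifying" the retry into a plain `goto done`.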