From: Keir Fraser <keir.xen@gmail.com>
To: David Vrabel <david.vrabel@citrix.com>, xen-devel@lists.xen.org
Cc: Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH 2/2] evtchn/fifo: don't corrupt queues if an old tail is linked
Date: Tue, 07 Jan 2014 15:50:50 +0000
Message-ID: <CEF1D2DA.47C2F%keir.xen@gmail.com>
In-Reply-To: <1386683820-9834-3-git-send-email-david.vrabel@citrix.com>

On 10/12/2013 13:57, "David Vrabel" <david.vrabel@citrix.com> wrote:

> From: David Vrabel <david.vrabel@citrix.com>
> 
> An event may still be the tail of a queue even if the queue is now
> empty (an 'old tail' event).  There is logic to handle the case when
> this old tail event needs to be added to the now empty queue (by
> checking for q->tail == port).
> 
> However, this does not cover all cases.
> 
> 1. An old tail may be re-added simultaneously with another event.
>    LINKED is set on the old tail, and the other CPU may misinterpret
>    this as the old tail still being valid and set LINK instead of
>    HEAD.  All events on this queue will then be lost.
> 
> 2. If the old tail event on queue A is moved to a different queue B
>    (by changing its VCPU or priority), the event may then be linked
>    onto queue B.  When another event is linked onto queue A it will
>    check the old tail, see that it is linked (but on queue B) and
>    overwrite the LINK field, corrupting both queues.
> 
> When an event is linked, save the vcpu id and priority of the queue it
> is being linked onto.  Use this when linking an event to check if it
> is an unlinked old tail event.  If it is an old tail event, the old
> queue is empty and old_q->tail is invalidated to ensure adding another
> event to old_q will update HEAD.  The tail is invalidated by setting
> it to 0 since the event 0 is never linked.
> 
> The old_q->lock is held while setting LINKED to avoid the race with
> the test of LINKED in evtchn_fifo_set_link().
> 
> Since an event channel may move queues after old_q->lock is acquired,
> we must check that we have the correct lock and retry if not.  Since
> changing VCPUs or priority is expected to be rare events that are
> serialized in the guest, we try at most 3 times before dropping the
> event.  This prevents a malicious guest from repeatedly adjusting
> priority to prevent another domain from acquiring old_q->lock.
> 
> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
> ---

Acked-by: Keir Fraser <keir@xen.org>
