qemu-devel.nongnu.org archive mirror
From: David Wentzlaff <wentzlaf@cag.csail.mit.edu>
To: bochs-developers@lists.sourceforge.net
Cc: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH] SMP BIOS race condition bug
Date: Thu, 27 Mar 2008 21:39:50 -0400 (EDT)
Message-ID: <Pine.LNX.4.64.0803272125380.29308@uncle-of-god.csail.mit.edu>

This patch fixes a race condition in the Bochs rombios.  Under normal MP 
processor enumeration, the boot processor sends an 
inter-processor-interrupt (IPI) to the non-boot processors vectoring them 
to "smp_ap_boot_code_start".  The code at smp_ap_boot_code_start then 
increments CPU_COUNT_ADDR.  The current code base increments with an incw
instruction; unfortunately, incw is not atomic, and multiple processors can
read, then modify, then write back the result at the same time, resulting
in fewer processors being counted than are actually in the system.  I have
seen this happen in high processor (>=16) count QEMU emulations.  I have 
experienced anywhere from {n, n-1, n-2} processors detected by the BIOS. 
The fix is to simply lock the incw with the x86 'lock' prefix.  Attached 
is the patch.  I have CCed qemu-devel as it affects that project as well as Bochs.

Sincerely,
David Wentzlaff

Index: rombios32start.S
===================================================================
RCS file: /cvsroot/bochs/bochs/bios/rombios32start.S,v
retrieving revision 1.4
diff -d -u -r1.4 rombios32start.S
--- rombios32start.S    26 Jan 2008 09:15:27 -0000      1.4
+++ rombios32start.S    28 Mar 2008 01:29:49 -0000
@@ -42,7 +42,7 @@
  smp_ap_boot_code_start:
    xor %ax, %ax
    mov %ax, %ds
-  incw CPU_COUNT_ADDR
+  lock incw CPU_COUNT_ADDR
  1:
    hlt
    jmp 1b
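
Review bot: the new "lock incw CPU_COUNT_ADDR" line has no comment saying why the prefix is required, so a later cleanup could drop it as redundant. Suggest a one-line comment above it noting that every AP runs smp_ap_boot_code_start at the same time after the startup IPI and that the increment of CPU_COUNT_ADDR must therefore be an atomic read-modify-write. The fix itself is sound: the operand is a memory location, which is the case the lock prefix applies to.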
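
The lost update described in the message, as an added example that is not part of the original post or of the Bochs source: a single-threaded C model that replays a fixed interleaving of the load and store halves of an unlocked increment, then the same schedule with the increment made indivisible. The function count_aps, the three schedules and the counter starting at zero are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model only (hypothetical names): each AP executes "incw CPU_COUNT_ADDR",
 * which without a lock prefix is a separate load and a separate store. */
enum { MAX_APS = 32 };
enum phase { LOAD, STORE, HALTED };
struct ap { enum phase phase; uint16_t tmp; };

/* Constructed schedules for 3 APs: entry k names the AP that takes the
 * next micro-step (load, then store). */
static const int SERIAL[]      = {0, 0, 1, 1, 2, 2}; /* no overlap        */
static const int ONE_OVERLAP[] = {0, 1, 0, 1, 2, 2}; /* APs 0 and 1 race  */
static const int ALL_OVERLAP[] = {0, 1, 2, 0, 1, 2}; /* all three race    */

/* Replays the schedule and returns the final counter value.
 * locked != 0 models "lock incw": load+add+store happen in one step. */
uint16_t count_aps(size_t n_aps, const int *schedule, size_t n_steps, int locked)
{
    struct ap aps[MAX_APS] = {{LOAD, 0}};
    uint16_t cpu_count = 0;               /* stands in for CPU_COUNT_ADDR */

    if (n_aps > MAX_APS) return 0;
    for (size_t i = 0; i < n_steps; i++) {
        int id = schedule[i];
        if (id < 0 || (size_t)id >= n_aps) continue;
        struct ap *a = &aps[id];
        if (a->phase == HALTED) continue; /* AP already sits in hlt loop  */
        if (locked) {                     /* indivisible read-modify-write */
            cpu_count++;
            a->phase = HALTED;
        } else if (a->phase == LOAD) {    /* read the possibly stale value */
            a->tmp = cpu_count;
            a->phase = STORE;
        } else {                          /* write back, may clobber others */
            cpu_count = (uint16_t)(a->tmp + 1);
            a->phase = HALTED;
        }
    }
    return cpu_count;
}

int main(void)
{
    printf("unlocked: %u %u %u\n", count_aps(3, SERIAL, 6, 0),
           count_aps(3, ONE_OVERLAP, 6, 0), count_aps(3, ALL_OVERLAP, 6, 0));
    printf("locked:   %u\n", count_aps(3, ALL_OVERLAP, 6, 1));
    return 0;
}
```

With three APs the unlocked runs yield n, n-1 and n-2 depending on the schedule, while the locked run yields n for every schedule.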
