Xen project Mailing List

Re: [Xen-devel] bug in hvmloader xenbus_shutdown logic

To: David Scott <dave.scott@xxxxxxxxxxxxx>

From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Date: Thu, 5 Dec 2013 11:10:32 +0000

Cc: "Liuqiming \(John\)" <john.liuqiming@xxxxxxxxxx>, Yanqiangjun <yanqiangjun@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Thu, 05 Dec 2013 11:10:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Thu, 2013-12-05 at 09:36 +0000, David Scott wrote: > On 05/12/13 02:08, Liuqiming (John) wrote: > > According to oxenstored source code, oxenstored will read every domain's IO > > ring no matter what events happened. > > > > Here is the main loop of oxenstored: > > > > let main_loop () = > ... > > process_domains store cons domains <- no matter what event income, > > this will handle IO ring request of all domains > > in > > > > so when one domain's hvmloader is clearing its IO ring, oxenstored may > > access this IO ring because of another domain's event happened. > > Yes, this version of the code checks all the interdomain rings every > time it goes around the main loop. FWIW my experimental updated > oxenstore uses one (user-level) thread per connection. I had thought > this was just an efficiency issue... I didn't realise it had correctness > implications. TBH the protocol probably doesn't say anything about not looking unless you've got a event, so I guess it is kind of implicit and I suppose it could be argued that what you do is fine (except it's broken in practice ;-)) Is there some well defined order in which we could clear the various pointer fields safely? I'd need to get my ring macro head on to figure that out I think. > >> On Wed, 2013-12-04 at 04:25 +0000, Liuqiming (John) wrote: > >> > >>> memset can not set all the page to zero in an atomic way, and during > >>> the clear up process oxenstored may access this ring. > >> > >> Why is oxenstored poking at the ring? Surely it should only do so when > >> the guest (hvmloader) sends it a request. If hvmloader is clearing the > >> page while there is a request/event outstanding then this is an > >> hvmloader bug. > > Ok, that makes sense. > > My only hesitation is that violations of this rule (like with current > oxenstored) show up rarely. Presumably the xenstore ring desynchronises > and the guest will never be able to boot properly with PV drivers. I > don't think I've ever seen this myself. > > Do frontends expect the xenstore ring to be in a zeroed state when they > startup? Assuming hvmloader has received all the outstanding > request/events, would it be safe to leave the ring contents alone? Most frontends also have private versions of various pointers which would need to be synchronised, and I suspect all of the init to zero. Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.