aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Abd-El-Malek <mabdelmalek@cmu.edu>2008-04-04 05:33:48 -0400
committerIngo Molnar <mingo@elte.hu>2008-04-04 12:36:46 -0400
commitbbc60c18ed17df75270da504bbd8f7bc4a52d43d (patch)
treeb8cd0cc51cf9bfb96f99ad58038b7489ae5b7c9c
parentbae1d2507e44417455eda76d4435352fee14cf51 (diff)
xen: fix grant table bug
fix memory corruption and crash due to mis-sized grant table. A PV OS has two grant table data structures: the grant table itself and a free list. The free list is composed of an array of pages, which grow dynamically as the guest OS requires more grants. While the grant table contains 8-byte entries, the free list contains 4-byte entries. So we have half as many pages in the free list than in the grant table. There was a bug in the free list allocation code. The free list was indexed as if it was the same size as the grant table. But it's only half as large. So memory got corrupted, and I was seeing crashes in the slab allocator later on. Taken from: http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/4018c0da3360 Signed-off-by: Michael Abd-El-Malek <mabdelmalek@cmu.edu> Signed-off-by: Mark McLoughlin <markmc@redhat.com> Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r--drivers/xen/grant-table.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index ea94dbabf9a9..d85dc6d41c2a 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -381,11 +381,15 @@ EXPORT_SYMBOL_GPL(gnttab_cancel_free_callback);
381static int grow_gnttab_list(unsigned int more_frames) 381static int grow_gnttab_list(unsigned int more_frames)
382{ 382{
383 unsigned int new_nr_grant_frames, extra_entries, i; 383 unsigned int new_nr_grant_frames, extra_entries, i;
384 unsigned int nr_glist_frames, new_nr_glist_frames;
384 385
385 new_nr_grant_frames = nr_grant_frames + more_frames; 386 new_nr_grant_frames = nr_grant_frames + more_frames;
386 extra_entries = more_frames * GREFS_PER_GRANT_FRAME; 387 extra_entries = more_frames * GREFS_PER_GRANT_FRAME;
387 388
388 for (i = nr_grant_frames; i < new_nr_grant_frames; i++) { 389 nr_glist_frames = (nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP;
390 new_nr_glist_frames =
391 (new_nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP;
392 for (i = nr_glist_frames; i < new_nr_glist_frames; i++) {
389 gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_ATOMIC); 393 gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_ATOMIC);
390 if (!gnttab_list[i]) 394 if (!gnttab_list[i])
391 goto grow_nomem; 395 goto grow_nomem;
@@ -407,7 +411,7 @@ static int grow_gnttab_list(unsigned int more_frames)
407 return 0; 411 return 0;
408 412
409grow_nomem: 413grow_nomem:
410 for ( ; i >= nr_grant_frames; i--) 414 for ( ; i >= nr_glist_frames; i--)
411 free_page((unsigned long) gnttab_list[i]); 415 free_page((unsigned long) gnttab_list[i]);
412 return -ENOMEM; 416 return -ENOMEM;
413} 417}
@@ -530,7 +534,7 @@ static int gnttab_expand(unsigned int req_entries)
530static int __devinit gnttab_init(void) 534static int __devinit gnttab_init(void)
531{ 535{
532 int i; 536 int i;
533 unsigned int max_nr_glist_frames; 537 unsigned int max_nr_glist_frames, nr_glist_frames;
534 unsigned int nr_init_grefs; 538 unsigned int nr_init_grefs;
535 539
536 if (!is_running_on_xen()) 540 if (!is_running_on_xen())
@@ -543,15 +547,15 @@ static int __devinit gnttab_init(void)
543 * grant reference free list on the current hypervisor. 547 * grant reference free list on the current hypervisor.
544 */ 548 */
545 max_nr_glist_frames = (boot_max_nr_grant_frames * 549 max_nr_glist_frames = (boot_max_nr_grant_frames *
546 GREFS_PER_GRANT_FRAME / 550 GREFS_PER_GRANT_FRAME / RPP);
547 (PAGE_SIZE / sizeof(grant_ref_t)));
548 551
549 gnttab_list = kmalloc(max_nr_glist_frames * sizeof(grant_ref_t *), 552 gnttab_list = kmalloc(max_nr_glist_frames * sizeof(grant_ref_t *),
550 GFP_KERNEL); 553 GFP_KERNEL);
551 if (gnttab_list == NULL) 554 if (gnttab_list == NULL)
552 return -ENOMEM; 555 return -ENOMEM;
553 556
554 for (i = 0; i < nr_grant_frames; i++) { 557 nr_glist_frames = (nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP;
558 for (i = 0; i < nr_glist_frames; i++) {
555 gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_KERNEL); 559 gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_KERNEL);
556 if (gnttab_list[i] == NULL) 560 if (gnttab_list[i] == NULL)
557 goto ini_nomem; 561 goto ini_nomem;