Something seems not quite right about the cpupool locking... in xen/common/cpupool.c:cpupool_do_domctl(), the cpupool_lock is only held during the find for several operations. Doesn''t that mean that, for instance, it''s possible for someone to call CPUPOOL_OP_DESTROY, while someone concurrently calls CPUPOOL_OP_INFO, such that in the INFO case, the find succeeds, but the structure is shortly thereafter freed by DESTROY, even though INFO code still has a pointer to it which may be dereferenced? I don''t see any reference counting... am I missing something? -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
On 04/05/2010 19:51, "George Dunlap" <George.Dunlap@eu.citrix.com> wrote:> Something seems not quite right about the cpupool locking... in > xen/common/cpupool.c:cpupool_do_domctl(), the cpupool_lock is only > held during the find for several operations. Doesn''t that mean that, > for instance, it''s possible for someone to call CPUPOOL_OP_DESTROY, > while someone concurrently calls CPUPOOL_OP_INFO, such that in the > INFO case, the find succeeds, but the structure is shortly thereafter > freed by DESTROY, even though INFO code still has a pointer to it > which may be dereferenced? I don''t see any reference counting... am I > missing something?It certainly looks like "optimistic" concurrency control to me. :-) -- Keir> -George_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
On 05/04/2010 08:51 PM, George Dunlap wrote:> Something seems not quite right about the cpupool locking... in > xen/common/cpupool.c:cpupool_do_domctl(), the cpupool_lock is only > held during the find for several operations. Doesn''t that mean that, > for instance, it''s possible for someone to call CPUPOOL_OP_DESTROY, > while someone concurrently calls CPUPOOL_OP_INFO, such that in the > INFO case, the find succeeds, but the structure is shortly thereafter > freed by DESTROY, even though INFO code still has a pointer to it > which may be dereferenced? I don''t see any reference counting... am I > missing something?cpupool_do_domctl is called always while the domctl lock is being held. Maybe I should have added a comment to document this assumption. Keir''s patch to move the cpupool commands to the sysctl interface makes a change of the locking mandatory. I''ll setup a patch for this. Juergen -- Juergen Gross Principal Developer Operating Systems TSP ES&S SWE OS6 Telephone: +49 (0) 89 3222 2967 Fujitsu Technology Solutions e-mail: juergen.gross@ts.fujitsu.com Domagkstr. 28 Internet: ts.fujitsu.com D-80807 Muenchen Company details: ts.fujitsu.com/imprint.html _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
On 05/05/2010 06:25, "Juergen Gross" <juergen.gross@ts.fujitsu.com> wrote:> cpupool_do_domctl is called always while the domctl lock is being held. Maybe > I should have added a comment to document this assumption.Yes please. Even better would be to explicitly add your own big lock in cpupool.c, just for clarity. And why do you need your ''little'' lock around the lookup operations at all, in that case? It seems unnecessary if you have a bigger lock protecting you; yet insufficient if you do not.> Keir''s patch to move the cpupool commands to the sysctl interface makes a > change of the locking mandatory. I''ll setup a patch for this.Well, there is a big sysctl_lock too, so your cpupool commands will still be serialised. If you require serialisation against *other* domctl operations then yes, you now have an issue. You could just grab the domctl lock of course (no current ordering constraints on the two locks, and there is an API for acquiring/releasing the domctl lock). -- Keir _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
On 05/05/2010 11:00 AM, Keir Fraser wrote:> On 05/05/2010 06:25, "Juergen Gross"<juergen.gross@ts.fujitsu.com> wrote: > >> cpupool_do_domctl is called always while the domctl lock is being held. Maybe >> I should have added a comment to document this assumption. > > Yes please. Even better would be to explicitly add your own big lock in > cpupool.c, just for clarity. And why do you need your ''little'' lock around > the lookup operations at all, in that case? It seems unnecessary if you have > a bigger lock protecting you; yet insufficient if you do not.That''s the best solution, I think. Patch attached. Juergen -- Juergen Gross Principal Developer Operating Systems TSP ES&S SWE OS6 Telephone: +49 (0) 89 3222 2967 Fujitsu Technology Solutions e-mail: juergen.gross@ts.fujitsu.com Domagkstr. 28 Internet: ts.fujitsu.com D-80807 Muenchen Company details: ts.fujitsu.com/imprint.html _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel