From 70ccddb14a99ada447602ca01250a1183363bc49 Mon Sep 17 00:00:00 2001 From: David Vrabel Date: Mon, 25 Nov 2013 11:15:05 +0100 Subject: [PATCH] evtchn/fifo: only set READY for new heads Setting a queue's READY bit for every event added to the queue introduces a race. If an event is added to the tail of a queue, the guest may consume the newly added event and leave an empty queue before the READY is set. The guest may then see a stale HEAD value and if the event at the stale head became linked onto a different queue, the guest would consume events from the wrong queue (corrupting it). As noted in section 4.1.2 of the design document, only set READY if a new HEAD is set. This ensures that if the guest sees a READY bit set the corresponding HEAD is valid. Signed-off-by: David Vrabel --- xen/common/event_fifo.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c index 9106c55f9a..6048784bc6 100644 --- a/xen/common/event_fifo.c +++ b/xen/common/event_fifo.c @@ -161,8 +161,9 @@ static void evtchn_fifo_set_pending(struct vcpu *v, struct evtchn *evtchn) spin_unlock_irqrestore(&q->lock, flags); - if ( !test_and_set_bit(q->priority, - &v->evtchn_fifo->control_block->ready) ) + if ( !linked + && !test_and_set_bit(q->priority, + &v->evtchn_fifo->control_block->ready) ) vcpu_mark_events_pending(v); } -- 2.30.2
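Review bot: the new `!linked` condition in evtchn_fifo_set_pending() deserves a code comment, because nothing at the `if` itself explains why READY is skipped when the event was linked onto an existing tail; the reasoning lives only in the commit message and in section 4.1.2 of the design document. Suggest a line above the test such as `/* Only set READY if we set a new HEAD (design doc 4.1.2), so a guest seeing READY never reads a stale HEAD. */`. Also, `linked` is neither declared nor assigned within the visible context of this hunk, so a reviewer cannot confirm from the patch alone that it is computed under `q->lock` (i.e. before the `spin_unlock_irqrestore(&q->lock, flags)` shown) and initialised on every path, including the case where the queue was empty and the event becomes the new head; please confirm both in the patch description or by widening the context, since the correctness of the race fix depends on `linked` reflecting the queue state observed while the lock was held.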