From 5bc4fb77d952db98f05c684b1295552dd8cad9d1 Mon Sep 17 00:00:00 2001
From: "kaf24@scramble.cl.cam.ac.uk"
Date: Tue, 20 Jul 2004 10:04:22 +0000
Subject: [PATCH] bitkeeper revision 1.1108.2.6 (40fcee26SlLNF75UslNc1VnkUjVwiQ) Fix a really nasty network backend bug.
---
.../arch/xen/drivers/netif/backend/main.c | 32 +++++++-----------
xen/arch/x86/memory.c | 7 ++--
xen/arch/x86/x86_32/emulate.c | 33 +++++++++++++++++--
3 files changed, 46 insertions(+), 26 deletions(-)
diff --git a/linux-2.4.26-xen-sparse/arch/xen/drivers/netif/backend/main.c b/linux-2.4.26-xen-sparse/arch/xen/drivers/netif/backend/main.c
index 868f7d0a81..11452a4b8b 100644
--- a/linux-2.4.26-xen-sparse/arch/xen/drivers/netif/backend/main.c
+++ b/linux-2.4.26-xen-sparse/arch/xen/drivers/netif/backend/main.c
@@ -252,31 +252,23 @@ static void net_rx_action(unsigned long unused) mdata = ((mmu[2].ptr & PAGE_MASK) | ((unsigned long)skb->data & ~PAGE_MASK)); + phys_to_machine_mapping[__pa(skb->data) >> PAGE_SHIFT] = new_mfn; + + atomic_set(&(skb_shinfo(skb)->dataref), 1); + skb_shinfo(skb)->nr_frags = 0; + skb_shinfo(skb)->frag_list = NULL; + + netif->stats.rx_bytes += size; + netif->stats.rx_packets++; + /* Check the reassignment error code. */ + status = NETIF_RSP_OKAY; if ( unlikely(mcl[1].args[5] != 0) ) { - DPRINTK("Failed MMU update transferring to DOM%u\n", - netif->domid); - (void)HYPERVISOR_update_va_mapping( - (unsigned long)skb->head >> PAGE_SHIFT, - (pte_t) { (mdata & PAGE_MASK) | __PAGE_KERNEL }, - UVMF_INVLPG); - dealloc_mfn(new_mfn); + DPRINTK("Failed MMU update transferring to DOM%u\n", netif->domid); + dealloc_mfn(mdata >> PAGE_SHIFT); status = NETIF_RSP_ERROR; } - else - { - phys_to_machine_mapping[__pa(skb->data) >> PAGE_SHIFT] = new_mfn; - - atomic_set(&(skb_shinfo(skb)->dataref), 1); - skb_shinfo(skb)->nr_frags = 0; - skb_shinfo(skb)->frag_list = NULL; - - netif->stats.rx_bytes += size; - netif->stats.rx_packets++; - - status = NETIF_RSP_OKAY; - } evtchn = netif->evtchn; id = netif->rx->ring[MASK_NETIF_RX_IDX(netif->rx_resp_prod)].req.id; diff --git a/xen/arch/x86/memory.c b/xen/arch/x86/memory.c index f40c1688cb..960bf5aaf4 100644 --- a/xen/arch/x86/memory.c +++ b/xen/arch/x86/memory.c @@ -840,7 +840,7 @@ static int do_extended_command(unsigned long ptr, unsigned long val) if ( unlikely((e = percpu_info[cpu].gps) == NULL) ) { - MEM_LOG("No GPS to reassign pfn %08lx to\n", pfn); + MEM_LOG("No GPS to reassign pfn %08lx to", pfn); okay = 0; break; } @@ -865,6 +865,7 @@ static int do_extended_command(unsigned long ptr, unsigned long val) if ( unlikely(test_bit(DF_DYING, &e->flags)) || unlikely(IS_XEN_HEAP_FRAME(page)) ) { + MEM_LOG("Reassignment page is Xen heap, or dest dom is dying."); okay = 0; goto reassign_fail; } 
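Review bot: The receive counters are now bumped before the reassignment result is checked, so `netif->stats.rx_bytes += size;` and `netif->stats.rx_packets++;` also run for a transfer that ends in `NETIF_RSP_ERROR`. I would keep them off the failure path, for example in an `else` after the `if ( unlikely(mcl[1].args[5] != 0) )` block, so that failed transfers to a guest stay distinguishable in the interface statistics. The failure branch also changes from freeing `new_mfn` to `dealloc_mfn(mdata >> PAGE_SHIFT)` without a word of explanation; because this line decides which machine frame is handed back to the allocator, it deserves a comment such as `/* Reassignment failed: the old frame is still ours, so free it; skb->data already uses new_mfn. */` (that rationale is inferred from the hunk and should be confirmed by the author). net_rx_action starts and ends outside this hunk.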
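Review bot: The new `MEM_LOG("Reassignment page is Xen heap, or dest dom is dying.")` in the memory.c hunk at `@@ -865` merges two unrelated rejection reasons and prints no identifying value, unlike the `No GPS to reassign pfn %08lx to` message earlier in the same function. A refused attempt to reassign a Xen heap frame is something an operator will want to attribute, so I would at least log the frame, e.g. `MEM_LOG("Refusing to reassign pfn %08lx: Xen heap frame or dest dom dying", pfn);`. This assumes `pfn` is still in scope at that point, which the hunk does not show. do_extended_command continues outside the hunk.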
@@ -1051,8 +1052,8 @@ int do_mmu_update(mmu_update_t *ureqs, int count, int *success_count) * If in log-dirty mode, mark the corresponding pseudo-physical * page as dirty. */ - if( unlikely(current->mm.shadow_mode == SHM_logdirty) ) - mark_dirty( ¤t->mm, pfn ); + if ( unlikely(current->mm.shadow_mode == SHM_logdirty) ) + mark_dirty(¤t->mm, pfn); put_page(&frame_table[pfn]); break; diff --git a/xen/arch/x86/x86_32/emulate.c b/xen/arch/x86/x86_32/emulate.c index 3856f25ab1..08fb036cc0 100644 --- a/xen/arch/x86/x86_32/emulate.c +++ b/xen/arch/x86/x86_32/emulate.c @@ -30,6 +30,10 @@ #include #include +/* Make the scary benign errors go away. */ +#undef DPRINTK +#define DPRINTK(_f, _a...) ((void)0) + /* * Obtain the base and limit associated with the given segment selector. * The selector must identify a 32-bit code or data segment. Any segment that 
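Review bot: The `#undef DPRINTK` / `#define DPRINTK(_f, _a...) ((void)0)` override added in the emulate.c hunk at `@@ -30` silences every DPRINTK in this file unconditionally, not only the messages the comment calls benign. Diagnostics for genuinely failed emulation of guest instruction streams would be dropped along with them, which makes later triage harder. I would gate the override behind a file-local compile-time switch and have the comment name what is being suppressed, e.g. `/* Silence DPRINTK here: expected emulation faults otherwise flood the log. */` (the stated reason is inferred from the existing comment and should be confirmed).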
@@ -495,9 +499,34 @@ int gpf_emulate_4gb(struct pt_regs *regs) goto undecodeable; } +#if 0 + { + char str1[] = { 0x65,0x8b,0x00,0x8b,0x30 }; + char str2[] = { 0x65,0x8b,0x02,0x8b,0x40,0x0c }; + char str3[] = { 0x65,0x8b,0x30,0x85,0xf6 }; + char str4[] = { 0x65,0x8b,0x00,0x5d,0x8b,0x00 }; + char str5[] = { 0x65,0x89,0x30,0x8b,0x45,0x08 }; + char str6[] = { 0x65,0x8b,0x00,0x8b,0x50,0x0c }; + char str7[] = { 0x65,0x89,0x51,0x00,0x83,0xc8,0xff }; + if ( (memcmp(eip,str1,5) == 0) || + (memcmp(eip,str2,6) == 0) ) goto out; + if ( (memcmp(eip,str3,5) == 0) || + (memcmp(eip,str4,6) == 0) ) goto out; + if ( (memcmp(eip,str5,6) == 0) || + (memcmp(eip,str6,6) == 0) ) goto out; + if ( (memcmp(eip,str7,7) == 0) || + (memcmp(eip,str7,7) == 0) ) goto out; + } + printk(" .byte 0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x\n", + eip[-8],eip[-7],eip[-6],eip[-5],eip[-4],eip[-3],eip[-2],eip[-1]); + printk(" .byte 0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x\n", + eip[0],eip[1],eip[2],eip[3],eip[4],eip[5],eip[6],eip[7]); + printk(" @ %04x:%08lx\n", regs->xcs, regs->eip); +#endif + /* Success! */ - regs->eip += pb - eip; perfc_incrc(emulations); + regs->eip += pb - eip; return 1; undecodeable: @@ -530,5 +559,3 @@ int gpf_emulate_4gb(struct pt_regs *regs) d->shared_info->vcpu_data[0].evtchn_upcall_mask = 1; return 1; } - - -- 2.30.2
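Review bot: The block added under `#if 0` is dead debugging code and should not ride along with a bug fix; if it is ever enabled it has problems of its own. The last test compares `memcmp(eip,str7,7) == 0` with itself, the plain `char` arrays hold values such as `0x8b` that do not fit a signed `char`, and the `printk` calls read `eip[-8]` through `eip[7]` with no visible check that those bytes are readable (`eip` appears to point at the faulting guest instruction, but its definition is outside the hunk). I would drop the block, or at minimum switch the arrays to `unsigned char` and remove the duplicated comparison. gpf_emulate_4gb begins before this hunk.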