Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Jan Beulich
>>> On 02.05.17 at 16:13, wrote: > So you would prefer something like this? Not exactly: > --- a/xen/common/hvm/save.c > +++ b/xen/common/hvm/save.c > @@ -113,6 +113,10 @@ int hvm_save_one(struct domain *d, uint16_t > typecode, uint16_t instance, > const struct hvm_save_descriptor *desc

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Andrew Cooper
On 02/05/17 15:13, Razvan Cojocaru wrote: > On 05/02/17 17:09, Jan Beulich wrote: > On 02.05.17 at 15:54, wrote: >>> On 05/02/17 16:48, Jan Beulich wrote: >>> On 02.05.17 at 15:25, wrote: > --- a/xen/common/hvm/save.c > +++ b/xen/common/hvm/save.c > @@ -113,7 +113,7 @@ int hvm

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Razvan Cojocaru
On 05/02/17 17:09, Jan Beulich wrote: On 02.05.17 at 15:54, wrote: >> On 05/02/17 16:48, Jan Beulich wrote: >> On 02.05.17 at 15:25, wrote: --- a/xen/common/hvm/save.c +++ b/xen/common/hvm/save.c @@ -113,7 +113,7 @@ int hvm_save_one(struct domain *d, uint16_t typecode, >>

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Jan Beulich
>>> On 02.05.17 at 15:54, wrote: > On 05/02/17 16:48, Jan Beulich wrote: > On 02.05.17 at 15:25, wrote: >>> --- a/xen/common/hvm/save.c >>> +++ b/xen/common/hvm/save.c >>> @@ -113,7 +113,7 @@ int hvm_save_one(struct domain *d, uint16_t typecode, >>> uint16_t instance, >>> const stru

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Andrew Cooper
On 02/05/17 14:48, Jan Beulich wrote:
On 02.05.17 at 15:25, wrote:
>> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
>> can lead to ctxt.cur being 0. This can then crash the hypervisor
>> (with FATAL PAGE FAULT) in hvm_save_one() via the
>> "off < (ctxt.cur - sizeof(*desc))"

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Razvan Cojocaru
On 05/02/17 16:48, Jan Beulich wrote:
On 02.05.17 at 15:25, wrote:
>> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
>> can lead to ctxt.cur being 0. This can then crash the hypervisor
>> (with FATAL PAGE FAULT) in hvm_save_one() via the
>> "off < (ctxt.cur - sizeof(*desc))"

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Jan Beulich
>>> On 02.05.17 at 15:25, wrote:
> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
> can lead to ctxt.cur being 0. This can then crash the hypervisor
> (with FATAL PAGE FAULT) in hvm_save_one() via the
> "off < (ctxt.cur - sizeof(*desc))" for() test. This has happened
> in practic

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Razvan Cojocaru
On 05/02/17 16:41, Tim Deegan wrote:
> Hi,
>
> At 16:25 +0300 on 02 May (1493742339), Razvan Cojocaru wrote:
>> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
>> can lead to ctxt.cur being 0. This can then crash the hypervisor
>> (with FATAL PAGE FAULT) in hvm_save_one() via the

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Tim Deegan
Hi,

At 16:25 +0300 on 02 May (1493742339), Razvan Cojocaru wrote:
> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
> can lead to ctxt.cur being 0. This can then crash the hypervisor
> (with FATAL PAGE FAULT) in hvm_save_one() via the
> "off < (ctxt.cur - sizeof(*desc))" for() tes

Re: [Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Andrew Cooper
On 02/05/17 14:25, Razvan Cojocaru wrote:
> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
> can lead to ctxt.cur being 0.

Unfortunately, different objects both named ctxt.

> This can then crash the hypervisor
> (with FATAL PAGE FAULT) in hvm_save_one() via the
> "off < (ctxt.c

[Xen-devel] [PATCH] xen/hvm: fix hypervisor crash with hvm_save_one()

2017-05-02 Thread Razvan Cojocaru
hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which can lead to ctxt.cur being 0. This can then crash the hypervisor (with FATAL PAGE FAULT) in hvm_save_one() via the "off < (ctxt.cur - sizeof(*desc))" for() test. This has happened in practice with a Linux VM queried around shutdown: