
Bug 441390

Summary: Memory corruption due to VNIF increase
Product: Red Hat Enterprise Linux 5
Reporter: Bill Burns <bburns>
Component: kernel-xen
Assignee: Tetsu Yamamoto <tyamamot>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: high
Priority: high
Version: 5.2
CC: atodorov, dzickus, xen-maint
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Last Closed: 2008-05-21 15:13:59 UTC
Bug Blocks: 442298

Description Bill Burns 2008-04-07 20:23:56 UTC
The change to increase the VNIFs allowed per guest introduced an error that can
cause memory corruption. Detail follows:

A PV OS has two grant table data structures: the grant table itself and a free 
list.  The free list is composed of an array of pages, which grow dynamically as 
the guest OS requires more grants.  While the grant table contains 8-byte 
entries, the free list contains 4-byte entries.  So we have half as many pages
in the free list as in the grant table.

There was a bug in the free list allocation code. The free list was indexed as 
if it was the same size as the grant table.  But it's only half as large.  So 
memory got corrupted, and I was seeing crashes in the slab allocator later on.

A patch has been posted upstream.
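
The size mismatch described above, worked through as an added example (not the kernel's code and not the upstream patch): a small model that sizes the free-list page array from the 4-byte entry size and counts the indices a bounds check rejects when that array is walked by grant-frame count instead. The 4096-byte page size, the way the out-of-range index arises, and all names (`free_list`, `list_pages_for`, `fill`, `grow_rejected`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SIZE        4096u  /* assumed page size */
#define GRANT_ENTRY_SIZE 8u     /* grant table entry, per the report */
#define FREE_ENTRY_SIZE  4u     /* free-list entry, per the report */
#define REFS_PER_FRAME   (PAGE_SIZE / GRANT_ENTRY_SIZE)  /* 512 */
#define REFS_PER_PAGE    (PAGE_SIZE / FREE_ENTRY_SIZE)   /* 1024 */

/* Hypothetical model of the free list: an array of page pointers. */
struct free_list {
    uint32_t **pages;
    unsigned capacity;   /* slots in pages[] */
    unsigned rejected;   /* out-of-range indices caught by the check */
};

/* Free-list pages needed to cover every ref in `frames` grant frames. */
static unsigned list_pages_for(unsigned frames)
{
    return (frames * REFS_PER_FRAME + REFS_PER_PAGE - 1) / REFS_PER_PAGE;
}

/* Populate pages[first..last); refuse any index beyond the array. */
static unsigned fill(struct free_list *fl, unsigned first, unsigned last)
{
    unsigned done = 0;
    for (unsigned i = first; i < last; i++) {
        if (i >= fl->capacity) { fl->rejected++; continue; }
        if (!fl->pages[i]) fl->pages[i] = calloc(REFS_PER_PAGE, FREE_ENTRY_SIZE);
        if (fl->pages[i]) done++;
    }
    return done;
}

/* Grow to new_frames; by_frames=1 walks the array by grant-frame index. */
static unsigned grow_rejected(unsigned old_frames, unsigned new_frames, int by_frames)
{
    struct free_list fl = { 0 };
    fl.capacity = list_pages_for(new_frames);
    fl.pages = calloc(fl.capacity, sizeof *fl.pages);
    if (!fl.pages) return ~0u;
    if (by_frames) fill(&fl, old_frames, new_frames);
    else fill(&fl, list_pages_for(old_frames), fl.capacity);
    for (unsigned i = 0; i < fl.capacity; i++) free(fl.pages[i]);
    free(fl.pages);
    return fl.rejected;
}
```

Without the `i >= fl->capacity` check, each rejected index in the `by_frames` case would be a write past the end of the page-pointer array.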

Comment 2 Mark McLoughlin 2008-04-08 12:17:39 UTC
Some details on this:

 - bug #297331 and bug #223908 were the original bugs requesting that guests
   be able to have more than 3 VNIFs

 - The upstream fix we backported was:

     http://xenbits.xensource.com/xen-unstable.hg?rev/70f05d642a2e
     http://lists.xensource.com/archives/html/xen-devel/2007-01/msg00166.html

 - This bug is about a potential memory corruption bug with the original patch.
   We have not yet reproduced this memory corruption, but the fix is upstream
   in linux-2.6.18-xen.hg and Linus's tree:

     http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/4018c0da3360
     http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=bbc60c18ed17df75270da504bbd8f7bc4a52d43d

Comment 5 Don Zickus 2008-04-09 18:44:53 UTC
in kernel-2.6.18-89.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 7 Bill Burns 2008-04-16 11:59:57 UTC
*** Bug 433755 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2008-05-21 15:13:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html