From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dongli Zhang <dongli.zhang@oracle.com>,
Julien Grall <jgrall@amazon.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 16/65] xenbus: req->body should be updated before req->state
Date: Tue, 24 Mar 2020 14:10:37 +0100 [thread overview]
Message-ID: <20200324130758.990070566@linuxfoundation.org> (raw)
In-Reply-To: <20200324130756.679112147@linuxfoundation.org>
From: Dongli Zhang <dongli.zhang@oracle.com>
[ Upstream commit 1b6a51e86cce38cf4d48ce9c242120283ae2f603 ]
The req->body should be updated before req->state is updated and the
order should be guaranteed by a barrier.
Otherwise, read_reply() might return req->body = NULL.
Below is sample callstack when the issue is reproduced on purpose by
reordering the updates of req->body and req->state and adding delay in
code between updates of req->state and req->body.
[ 22.356105] general protection fault: 0000 [#1] SMP PTI
[ 22.361185] CPU: 2 PID: 52 Comm: xenwatch Not tainted 5.5.0xen+ #6
[ 22.366727] Hardware name: Xen HVM domU, BIOS ...
[ 22.372245] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60
... ...
[ 22.392163] RSP: 0018:ffffb2d64023fdf0 EFLAGS: 00010246
[ 22.395933] RAX: 0000000000000000 RBX: 75746e7562755f6d RCX: 0000000000000000
[ 22.400871] RDX: 0000000000000000 RSI: ffffb2d64023fdfc RDI: 75746e7562755f6d
[ 22.405874] RBP: 0000000000000000 R08: 00000000000001e8 R09: 0000000000cdcdcd
[ 22.410945] R10: ffffb2d6402ffe00 R11: ffff9d95395eaeb0 R12: ffff9d9535935000
[ 22.417613] R13: ffff9d9526d4a000 R14: ffff9d9526f4f340 R15: ffff9d9537654000
[ 22.423726] FS: 0000000000000000(0000) GS:ffff9d953bc80000(0000) knlGS:0000000000000000
[ 22.429898] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.434342] CR2: 000000c4206a9000 CR3: 00000001ea3fc002 CR4: 00000000001606e0
[ 22.439645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.444941] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.450342] Call Trace:
[ 22.452509] simple_strtoull+0x27/0x70
[ 22.455572] xenbus_transaction_start+0x31/0x50
[ 22.459104] netback_changed+0x76c/0xcc1 [xen_netfront]
[ 22.463279] ? find_watch+0x40/0x40
[ 22.466156] xenwatch_thread+0xb4/0x150
[ 22.469309] ? wait_woken+0x80/0x80
[ 22.472198] kthread+0x10e/0x130
[ 22.474925] ? kthread_park+0x80/0x80
[ 22.477946] ret_from_fork+0x35/0x40
[ 22.480968] Modules linked in: xen_kbdfront xen_fbfront(+) xen_netfront xen_blkfront
[ 22.486783] ---[ end trace a9222030a747c3f7 ]---
[ 22.490424] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60
The virt_rmb() is added in the 'true' path of test_reply(). The "while"
is changed to "do while" so that test_reply() is used as a read memory
barrier.
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Link: https://lore.kernel.org/r/20200303221423.21962-1-dongli.zhang@oracle.com
Reviewed-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/xenbus/xenbus_comms.c | 2 ++
drivers/xen/xenbus/xenbus_xs.c | 9 ++++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c
index d239fc3c5e3de..852ed161fc2a7 100644
--- a/drivers/xen/xenbus/xenbus_comms.c
+++ b/drivers/xen/xenbus/xenbus_comms.c
@@ -313,6 +313,8 @@ static int process_msg(void)
req->msg.type = state.msg.type;
req->msg.len = state.msg.len;
req->body = state.body;
+ /* write body, then update state */
+ virt_wmb();
req->state = xb_req_state_got_reply;
req->cb(req);
} else
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index ddc18da61834e..3a06eb699f333 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -191,8 +191,11 @@ static bool xenbus_ok(void)
static bool test_reply(struct xb_req_data *req)
{
- if (req->state == xb_req_state_got_reply || !xenbus_ok())
+ if (req->state == xb_req_state_got_reply || !xenbus_ok()) {
+ /* read req->state before all other fields */
+ virt_rmb();
return true;
+ }
/* Make sure to reread req->state each time. */
barrier();
@@ -202,7 +205,7 @@ static bool test_reply(struct xb_req_data *req)
static void *read_reply(struct xb_req_data *req)
{
- while (req->state != xb_req_state_got_reply) {
+ do {
wait_event(req->wq, test_reply(req));
if (!xenbus_ok())
@@ -216,7 +219,7 @@ static void *read_reply(struct xb_req_data *req)
if (req->err)
return ERR_PTR(req->err);
- }
+ } while (req->state != xb_req_state_got_reply);
return req->body;
}
--
2.20.1
next prev parent reply other threads:[~2020-03-24 13:12 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 13:10 [PATCH 4.19 00/65] 4.19.113-rc1 review Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 01/65] drm/mediatek: Find the cursor plane instead of hard coding it Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 02/65] spi: qup: call spi_qup_pm_resume_runtime before suspending Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 03/65] powerpc: Include .BTF section Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 04/65] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 05/65] spi: pxa2xx: Add CS control clock quirk Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 06/65] spi/zynqmp: remove entry that causes a cs glitch Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 07/65] drm/exynos: dsi: propagate error value and silence meaningless warning Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 08/65] drm/exynos: dsi: fix workaround for the legacy clock name Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 09/65] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 10/65] altera-stapl: altera_get_note: prevent write beyond end of key Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 11/65] dm bio record: save/restore bi_end_io and bi_integrity Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 12/65] dm integrity: use dm_bio_record and dm_bio_restore Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 13/65] riscv: avoid the PIC offset of static percpu data in module beyond 2G limits Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 14/65] drm/amd/display: Clear link settings on MST disable connector Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 15/65] drm/amd/display: fix dcc swath size calculations on dcn1 Greg Kroah-Hartman
2020-03-24 13:10 ` Greg Kroah-Hartman [this message]
2020-03-24 13:10 ` [PATCH 4.19 17/65] xenbus: req->err should be updated before req->state Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 18/65] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 19/65] parse-maintainers: Mark as executable Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 20/65] USB: Disable LPM on WD19s Realtek Hub Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 21/65] usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 22/65] USB: serial: option: add ME910G1 ECM composition 0x110b Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 23/65] usb: host: xhci-plat: add a shutdown Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 24/65] USB: serial: pl2303: add device-id for HP LD381 Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 25/65] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 26/65] ALSA: line6: Fix endless MIDI read loop Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 27/65] ALSA: seq: virmidi: Fix running status after receiving sysex Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 28/65] ALSA: seq: oss: " Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 29/65] ALSA: pcm: oss: Avoid plugin buffer overflow Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 30/65] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 31/65] iio: st_sensors: remap SMO8840 to LIS2DH12 Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 32/65] iio: trigger: stm32-timer: disable master mode when stopping Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 33/65] iio: magnetometer: ak8974: Fix negative raw values in sysfs Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 34/65] iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 35/65] mmc: rtsx_pci: Fix support for speed-modes that relies on tuning Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 36/65] mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 37/65] staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 Greg Kroah-Hartman
2020-03-24 13:10 ` [PATCH 4.19 38/65] staging: greybus: loopback_test: fix poll-mask build breakage Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 39/65] staging/speakup: fix get_word non-space look-ahead Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 40/65] intel_th: Fix user-visible error codes Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 41/65] intel_th: pci: Add Elkhart Lake CPU support Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 42/65] rtc: max8907: add missing select REGMAP_IRQ Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 43/65] xhci: Do not open code __print_symbolic() in xhci trace events Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 44/65] btrfs: fix log context list corruption after rename whiteout error Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 45/65] drm/amd/amdgpu: Fix GPR read from debugfs (v2) Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 46/65] drm/lease: fix WARNING in idr_destroy Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 47/65] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 48/65] mm: slub: be more careful about the double cmpxchg of freelist Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 49/65] mm, slub: prevent kmalloc_node crashes and memory leaks Greg Kroah-Hartman
2020-03-24 13:11 ` Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 50/65] page-flags: fix a crash at SetPageError(THP_SWAP) Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 51/65] x86/mm: split vmalloc_sync_all() Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 52/65] USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 53/65] USB: cdc-acm: fix rounding error " Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 54/65] iio: light: vcnl4000: update sampling periods for vcnl4200 Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 55/65] kbuild: Disable -Wpointer-to-enum-cast Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 56/65] futex: Fix inode life-time issue Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 57/65] futex: Unbreak futex hashing Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 58/65] Revert "vrf: mark skb for multicast or link-local as enslaved to VRF" Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 59/65] Revert "ipv6: Fix handling of LLA with VRF and sockets bound " Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 60/65] ALSA: hda/realtek: Fix pop noise on ALC225 Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 61/65] arm64: smp: fix smp_send_stop() behaviour Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 62/65] arm64: smp: fix crash_smp_send_stop() behaviour Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 63/65] drm/bridge: dw-hdmi: fix AVI frame colorimetry Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 64/65] staging: greybus: loopback_test: fix potential path truncation Greg Kroah-Hartman
2020-03-24 13:11 ` [PATCH 4.19 65/65] staging: greybus: loopback_test: fix potential path truncations Greg Kroah-Hartman
2020-03-24 15:53 ` [PATCH 4.19 00/65] 4.19.113-rc1 review Chris Paterson
2020-03-24 19:51 ` shuah
2020-03-24 20:55 ` Guenter Roeck
2020-03-25 4:50 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200324130758.990070566@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=boris.ostrovsky@oracle.com \
--cc=dongli.zhang@oracle.com \
--cc=jgrall@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.