From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
"Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>,
"Jason Andryuk" <jason.andryuk@amd.com>,
"Juergen Gross" <jgross@suse.com>
Subject: [PATCH 5.15 30/54] xenbus: Use kref to track req lifetime
Date: Mon, 12 May 2025 19:29:42 +0200 [thread overview]
Message-ID: <20250512172016.856026684@linuxfoundation.org> (raw)
In-Reply-To: <20250512172015.643809034@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk <jason.andryuk@amd.com>
commit 1f0304dfd9d217c2f8b04a9ef4b3258a66eedd27 upstream.
Marek reported seeing a NULL pointer fault in the xenbus_thread
callstack:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: e030:__wake_up_common+0x4c/0x180
Call Trace:
<TASK>
__wake_up_common_lock+0x82/0xd0
process_msg+0x18e/0x2f0
xenbus_thread+0x165/0x1c0
process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a
thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems
like it was xs_wake_up() in this case.
It seems like req may have woken up the xs_wait_for_reply(), which
kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed
data.
Linux Device Drivers 2nd edition states:
"Normally, a wake_up call can cause an immediate reschedule to happen,
meaning that other processes might run before wake_up returns."
... which would match the behaviour observed.
Change to keeping two krefs on each request. One for the caller, and
one for xenbus_thread. Each will kref_put() when finished, and the last
will free it.
This use of kref matches the description in
Documentation/core-api/kref.rst
Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250506210935.5607-1-jason.andryuk@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xenbus/xenbus.h | 2 ++
drivers/xen/xenbus/xenbus_comms.c | 9 ++++-----
drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
drivers/xen/xenbus/xenbus_xs.c | 18 ++++++++++++++++--
4 files changed, 23 insertions(+), 8 deletions(-)
--- a/drivers/xen/xenbus/xenbus.h
+++ b/drivers/xen/xenbus/xenbus.h
@@ -77,6 +77,7 @@ enum xb_req_state {
struct xb_req_data {
struct list_head list;
wait_queue_head_t wq;
+ struct kref kref;
struct xsd_sockmsg msg;
uint32_t caller_req_id;
enum xsd_sockmsg_type type;
@@ -103,6 +104,7 @@ int xb_init_comms(void);
void xb_deinit_comms(void);
int xs_watch_msg(struct xs_watch_event *event);
void xs_request_exit(struct xb_req_data *req);
+void xs_free_req(struct kref *kref);
int xenbus_match(struct device *_dev, struct device_driver *_drv);
int xenbus_dev_probe(struct device *_dev);
--- a/drivers/xen/xenbus/xenbus_comms.c
+++ b/drivers/xen/xenbus/xenbus_comms.c
@@ -309,8 +309,8 @@ static int process_msg(void)
virt_wmb();
req->state = xb_req_state_got_reply;
req->cb(req);
- } else
- kfree(req);
+ }
+ kref_put(&req->kref, xs_free_req);
}
mutex_unlock(&xs_response_mutex);
@@ -386,14 +386,13 @@ static int process_writes(void)
state.req->msg.type = XS_ERROR;
state.req->err = err;
list_del(&state.req->list);
- if (state.req->state == xb_req_state_aborted)
- kfree(state.req);
- else {
+ if (state.req->state != xb_req_state_aborted) {
/* write err, then update state */
virt_wmb();
state.req->state = xb_req_state_got_reply;
wake_up(&state.req->wq);
}
+ kref_put(&state.req->kref, xs_free_req);
mutex_unlock(&xb_write_mutex);
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -406,7 +406,7 @@ void xenbus_dev_queue_reply(struct xb_re
mutex_unlock(&u->reply_mutex);
kfree(req->body);
- kfree(req);
+ kref_put(&req->kref, xs_free_req);
kref_put(&u->kref, xenbus_file_free);
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -112,6 +112,12 @@ static void xs_suspend_exit(void)
wake_up_all(&xs_state_enter_wq);
}
+void xs_free_req(struct kref *kref)
+{
+ struct xb_req_data *req = container_of(kref, struct xb_req_data, kref);
+ kfree(req);
+}
+
static uint32_t xs_request_enter(struct xb_req_data *req)
{
uint32_t rq_id;
@@ -237,6 +243,12 @@ static void xs_send(struct xb_req_data *
req->caller_req_id = req->msg.req_id;
req->msg.req_id = xs_request_enter(req);
+ /*
+ * Take 2nd ref. One for this thread, and the second for the
+ * xenbus_thread.
+ */
+ kref_get(&req->kref);
+
mutex_lock(&xb_write_mutex);
list_add_tail(&req->list, &xb_write_list);
notify = list_is_singular(&xb_write_list);
@@ -261,8 +273,8 @@ static void *xs_wait_for_reply(struct xb
if (req->state == xb_req_state_queued ||
req->state == xb_req_state_wait_reply)
req->state = xb_req_state_aborted;
- else
- kfree(req);
+
+ kref_put(&req->kref, xs_free_req);
mutex_unlock(&xb_write_mutex);
return ret;
@@ -291,6 +303,7 @@ int xenbus_dev_request_and_reply(struct
req->cb = xenbus_dev_queue_reply;
req->par = par;
req->user_req = true;
+ kref_init(&req->kref);
xs_send(req, msg);
@@ -319,6 +332,7 @@ static void *xs_talkv(struct xenbus_tran
req->num_vecs = num_vecs;
req->cb = xs_wake_up;
req->user_req = false;
+ kref_init(&req->kref);
msg.req_id = 0;
msg.tx_id = t.id;
next prev parent reply other threads:[~2025-05-12 17:32 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-12 17:29 [PATCH 5.15 00/54] 5.15.183-rc1 review Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 01/54] can: mcan: m_can_class_unregister(): fix order of unregistration calls Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 02/54] can: mcp251xfd: mcp251xfd_remove(): " Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 03/54] openvswitch: Fix unsafe attribute parsing in output_userspace() Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 04/54] gre: Fix again IPv6 link-local address generation Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 05/54] can: gw: use call_rcu() instead of costly synchronize_rcu() Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 06/54] rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 07/54] can: gw: fix RCU/BH usage in cgw_create_job() Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 08/54] netfilter: ipset: fix region locking in hash types Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 09/54] net: dsa: b53: allow leaky reserved multicast Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 10/54] net: dsa: b53: fix clearing PVID of a port Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 11/54] net: dsa: b53: fix flushing old pvid VLAN on pvid change Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 12/54] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 13/54] net: dsa: b53: always rejoin default untagged VLAN " Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 14/54] net: dsa: b53: fix learning on VLAN unaware bridges Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 15/54] Input: synaptics - enable InterTouch on Dynabook Portege X30-D Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 16/54] Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 17/54] Input: synaptics - enable InterTouch on Dell Precision M3800 Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 18/54] Input: synaptics - enable SMBus for HP Elitebook 850 G1 Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 19/54] Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 20/54] staging: iio: adc: ad7816: Correct conditional logic for store mode Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 21/54] staging: axis-fifo: Remove hardware resets for user errors Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 22/54] staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 23/54] x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 24/54] iio: adc: ad7606: fix serial register access Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 25/54] iio: adis16201: Correct inclinometer channel resolution Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 26/54] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 27/54] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 28/54] drm/amd/display: Fix wrong handling for AUX_DEFER case Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 29/54] usb: uhci-platform: Make the clock really optional Greg Kroah-Hartman
2025-05-12 17:29 ` Greg Kroah-Hartman [this message]
2025-05-12 17:29 ` [PATCH 5.15 31/54] module: ensure that kobject_put() is safe for module type kobjects Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 32/54] ocfs2: switch osb->disable_recovery to enum Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 33/54] ocfs2: implement handshaking with ocfs2 recovery thread Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 34/54] ocfs2: stop quota recovery before disabling quotas Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 35/54] usb: cdnsp: Fix issue with resuming from L1 Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 36/54] usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 37/54] usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 38/54] usb: host: tegra: Prevent host controller crash when OTG port is used Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 39/54] usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 40/54] usb: typec: ucsi: displayport: Fix NULL pointer access Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 41/54] USB: usbtmc: use interruptible sleep in usbtmc_read Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 42/54] usb: usbtmc: Fix erroneous get_stb ioctl error returns Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 43/54] usb: usbtmc: Fix erroneous wait_srq ioctl return Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 44/54] usb: usbtmc: Fix erroneous generic_read " Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 45/54] types: Complement the aligned types with signed 64-bit one Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 46/54] iio: adc: dln2: Use aligned_s64 for timestamp Greg Kroah-Hartman
2025-05-12 17:29 ` [PATCH 5.15 47/54] MIPS: Fix MAX_REG_OFFSET Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 48/54] drm/panel: simple: Update timings for AUO G101EVN010 Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 49/54] nvme: unblock ctrl state transition for firmware update Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 50/54] do_umount(): add missing barrier before refcount checks in sync case Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 51/54] Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 52/54] x86/bpf: Call branch history clearing sequence on exit Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 53/54] x86/bpf: Add IBHF call at end of classic BPF Greg Kroah-Hartman
2025-05-12 17:30 ` [PATCH 5.15 54/54] x86/bhi: Do not set BHI_DIS_S in 32-bit mode Greg Kroah-Hartman
2025-05-12 20:56 ` [PATCH 5.15 00/54] 5.15.183-rc1 review Jon Hunter
2025-05-13 9:29 ` Florian Fainelli
2025-05-13 9:48 ` Mark Brown
2025-05-13 10:14 ` Ron Economos
2025-05-13 16:17 ` Naresh Kamboju
2025-05-13 17:33 ` Shuah Khan
2025-05-14 5:23 ` Vijayendra Suman
2025-05-14 17:14 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250512172016.856026684@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jason.andryuk@amd.com \
--cc=jgross@suse.com \
--cc=marmarek@invisiblethingslab.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.