From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: David Vrabel <david.vrabel@citrix.com>, xen-devel@lists.xenproject.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
Dave Scott <dave.scott@citrix.com>
Subject: Re: [PATCH 2/2] xen/gntalloc: safely delete grefs in add_grefs() undo path
Date: Tue, 02 Sep 2014 17:54:34 -0400 [thread overview]
Message-ID: <54063C9A.9010503@oracle.com> (raw)
In-Reply-To: <1409667690-23914-3-git-send-email-david.vrabel@citrix.com>
On 09/02/2014 10:21 AM, David Vrabel wrote:
> If a gref could not be added (perhaps because the limit has been
> reached or there are no more grant references available). The undo
> path may crash because __del_gref() frees the gref while it is being
> used for a list iteration.
Need to fix commit message above.
>
> A comment suggests that using list_for_each_entry() is safe since the
> gref isn't removed from the list being iterated over, but it is freed
> and thus list_for_each_entry_safe() must be used.
I don't read the comment in the code as if it implied anything about safety.
Other than that, for both patches
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
>
> Also, explicitly delete the gref from the local per-file list, even
> though this is not strictly necessary.
>
> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
> ---
> drivers/xen/gntalloc.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
> index 8ed2bb4f..e53fe19 100644
> --- a/drivers/xen/gntalloc.c
> +++ b/drivers/xen/gntalloc.c
> @@ -124,7 +124,7 @@ static int add_grefs(struct ioctl_gntalloc_alloc_gref *op,
> int i, rc, readonly;
> LIST_HEAD(queue_gref);
> LIST_HEAD(queue_file);
> - struct gntalloc_gref *gref;
> + struct gntalloc_gref *gref, *next;
>
> readonly = !(op->flags & GNTALLOC_FLAG_WRITABLE);
> rc = -ENOMEM;
> @@ -160,8 +160,8 @@ undo:
> mutex_lock(&gref_mutex);
> gref_size -= (op->count - i);
>
> - list_for_each_entry(gref, &queue_file, next_file) {
> - /* __del_gref does not remove from queue_file */
> + list_for_each_entry_safe(gref, next, &queue_file, next_file) {
> + list_del(&gref->next_file);
> __del_gref(gref);
> }
>
next prev parent reply other threads:[~2014-09-02 21:54 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-02 14:21 [PATCH 0/2] xen/gntalloc: fix oopses after running out of grant refs David Vrabel
2014-09-02 14:21 ` [PATCH 1/2] xen/gntalloc: fix oops after runnning " David Vrabel
2014-09-02 14:21 ` [PATCH 2/2] xen/gntalloc: safely delete grefs in add_grefs() undo path David Vrabel
2014-09-02 21:54 ` Boris Ostrovsky [this message]
2014-09-08 17:37 ` David Vrabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54063C9A.9010503@oracle.com \
--to=boris.ostrovsky@oracle.com \
--cc=dave.scott@citrix.com \
--cc=david.vrabel@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.