* [Patch] Incoming XPC channel messages can come in after the channel's partition structures have been torn down.
From: Robin Holt @ 2010-10-18 13:35 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel
Under some workloads, some channel messages have been observed being
delayed on the sending side past the point where the receiving side
has been able to tear down its partition structures. This condition is
already detected in xpc_handle_activate_IRQ_uv(), but that information
is not given to xpc_handle_activate_mq_msg_uv(). As a result,
xpc_handle_activate_mq_msg_uv() assumes the structures still exist and
references them.
Signed-off-by: Robin Holt <holt@sgi.com>
---
drivers/misc/sgi-xp/xpc_uv.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/misc/sgi-xp/xpc_uv.c b/drivers/misc/sgi-xp/xpc_uv.c
index 1f59ee2..17bbacb 100644
--- a/drivers/misc/sgi-xp/xpc_uv.c
+++ b/drivers/misc/sgi-xp/xpc_uv.c
@@ -417,6 +417,7 @@ xpc_process_activate_IRQ_rcvd_uv(void)
static void
xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
struct xpc_activate_mq_msghdr_uv *msg_hdr,
+ int part_setup,
int *wakeup_hb_checker)
{
unsigned long irq_flags;
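Review bot: The new `int part_setup` argument in the signature is undocumented and is named differently from the value the caller passes (`part_referenced`). It is only used as a truth value, so a `bool` plus a one-line comment above the function, saying it means the partition structures are still set up and referenced by the caller, would make the contract clear.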
@@ -481,6 +482,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREQUEST_UV: {
struct xpc_activate_mq_msg_chctl_closerequest_uv *msg;
+ if (!part_setup)
+ break;
+
msg = container_of(msg_hdr, struct
xpc_activate_mq_msg_chctl_closerequest_uv,
hdr);
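Review bot: The `if (!part_setup) break;` at the top of the CLOSEREQUEST case drops the message without leaving any trace, and the same three lines are repeated in the four channel-control cases that follow. A `dev_dbg()` on the drop path, or a short comment stating that a late chctl message for a torn-down partition is safe to ignore, would make this diagnosable, and a small helper would avoid five copies of the check.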
@@ -497,6 +501,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREPLY_UV: {
struct xpc_activate_mq_msg_chctl_closereply_uv *msg;
+ if (!part_setup)
+ break;
+
msg = container_of(msg_hdr, struct
xpc_activate_mq_msg_chctl_closereply_uv,
hdr);
@@ -511,6 +518,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREQUEST_UV: {
struct xpc_activate_mq_msg_chctl_openrequest_uv *msg;
+ if (!part_setup)
+ break;
+
msg = container_of(msg_hdr, struct
xpc_activate_mq_msg_chctl_openrequest_uv,
hdr);
@@ -528,6 +538,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREPLY_UV: {
struct xpc_activate_mq_msg_chctl_openreply_uv *msg;
+ if (!part_setup)
+ break;
+
msg = container_of(msg_hdr, struct
xpc_activate_mq_msg_chctl_openreply_uv, hdr);
args = &part->remote_openclose_args[msg->ch_number];
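Review bot: In the OPENREPLY case the new guard sits directly before `args = &part->remote_openclose_args[msg->ch_number];`, but no range check on `msg->ch_number` is visible in this hunk before it is used as the array index. Since the value comes from the incoming message, it is worth confirming that it is validated elsewhere, or adding that check next to the new one.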
@@ -545,6 +558,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENCOMPLETE_UV: {
struct xpc_activate_mq_msg_chctl_opencomplete_uv *msg;
+ if (!part_setup)
+ break;
+
msg = container_of(msg_hdr, struct
xpc_activate_mq_msg_chctl_opencomplete_uv, hdr);
spin_lock_irqsave(&part->chctl_lock, irq_flags);
@@ -621,6 +637,7 @@ xpc_handle_activate_IRQ_uv(int irq, void *dev_id)
part_referenced = xpc_part_ref(part);
xpc_handle_activate_mq_msg_uv(part, msg_hdr,
+ part_referenced,
&wakeup_hb_checker);
if (part_referenced)
xpc_part_deref(part);
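Review bot: At this call site the return value of `xpc_part_ref(part)` now serves two purposes: it decides whether `xpc_part_deref(part)` is called, and it tells the handler whether the partition structures exist. A comment here stating that a failed reference means the structures are gone, and that the reference must stay held across the call to `xpc_handle_activate_mq_msg_uv()`, would keep a later reordering from reintroducing the problem.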
* Re: [Patch] Incoming XPC channel messages can come in after the channel's partition structures have been torn down.
From: Andrew Morton @ 2010-10-18 19:40 UTC (permalink / raw)
To: Robin Holt; +Cc: linux-kernel
On Mon, 18 Oct 2010 08:35:08 -0500
Robin Holt <holt@sgi.com> wrote:
> Under some workloads, some channel messages have been observed being
> delayed on the sending side past the point where the receiving side
> has been able to tear down its partition structures. This condition is
> already detected in xpc_handle_activate_IRQ_uv(), but that information
> is not given to xpc_handle_activate_mq_msg_uv(). As a result,
> xpc_handle_activate_mq_msg_uv() assumes the structures still exist and
> references them.
With what result? Machine goes boom?
Would you consider this a 2.6.36 fix? Backport to -stable?
* Re: [Patch] Incoming XPC channel messages can come in after the channel's partition structures have been torn down.
From: Robin Holt @ 2010-10-18 19:52 UTC (permalink / raw)
To: Andrew Morton; +Cc: Robin Holt, linux-kernel
On Mon, Oct 18, 2010 at 12:40:55PM -0700, Andrew Morton wrote:
> On Mon, 18 Oct 2010 08:35:08 -0500
> Robin Holt <holt@sgi.com> wrote:
>
> > Under some workloads, some channel messages have been observed being
> > delayed on the sending side past the point where the receiving side
> > has been able to tear down its partition structures. This condition is
> > already detected in xpc_handle_activate_IRQ_uv(), but that information
> > is not given to xpc_handle_activate_mq_msg_uv(). As a result,
> > xpc_handle_activate_mq_msg_uv() assumes the structures still exist and
> > references them.
>
> With what result? Machine goes boom?
>
> Would you consider this a 2.6.36 fix? Backport to -stable?
I would consider it a backport to stable. It is a NULL pointer deref.
This patch applies back to 2.6.32. I did not try older kernels than
that.
Robin