From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Luis Henriques <luis.henriques@canonical.com>
Cc: Jiri Slaby <jslaby@suse.cz>,
stable@vger.kernel.org, linux-kernel@vger.kernel.org,
David Vrabel <david.vrabel@citrix.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH 3.12 49/82] xen/gntdevt: Fix race condition in gntdev_release()
Date: Tue, 25 Aug 2015 13:52:11 +0200
Message-ID: <20150825115211.GB1345@mail-itl>
In-Reply-To: <20150825113559.GD14096@ares>
On Tue, Aug 25, 2015 at 12:35:59PM +0100, Luis Henriques wrote:
> [ Adding Greg as he seems to have this patch queued for 3.10 and 3.14 ]
>
> On Mon, Aug 24, 2015 at 11:09:09AM +0200, Jiri Slaby wrote:
> > From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> >
> > 3.12-stable review patch. If anyone has any objections, please let me know.
> >
> > ===============
> >
> > commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 upstream.
> >
> > While gntdev_release() is called the MMU notifier is still registered
> > and can traverse priv->maps list even if no pages are mapped (which is
> > the case -- gntdev_release() is called after all). But
> > gntdev_release() will clear that list, so make sure that only one of
> > those things happens at the same time.
> >
> > Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > Signed-off-by: David Vrabel <david.vrabel@citrix.com>
> > Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> > ---
> > drivers/xen/gntdev.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
> > index e41c79c986ea..f2ca8d0af55f 100644
> > --- a/drivers/xen/gntdev.c
> > +++ b/drivers/xen/gntdev.c
> > @@ -529,12 +529,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
> >
> > pr_debug("priv %p\n", priv);
> >
> > + mutex_lock(&priv->lock);
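Review bot: mutex_lock(&priv->lock) in this hunk does not match the 3.12 tree, where priv->lock is still a spinlock because the conversion commit 1401c00e59ea ("xen/gntdev: convert priv->lock to a mutex") is not in 3.12; applied as-is it will not build against that tree. Either backport 1401c00e59ea first and take this hunk unchanged, or adapt the two added lines to `spin_lock(&priv->lock);` and `spin_unlock(&priv->lock);` for 3.12. The quoted hunk is also cut off after the first added line, so the placement of the matching unlock cannot be checked from what is shown here.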
>
> Since 3.12 doesn't seem to include 1401c00e59ea ("xen/gntdev: convert
> priv->lock to a mutex"), this shouldn't be applied as priv->lock is
> actually a spinlock. So, you'll need to pick 1401c00e59ea or backport
> this patch using the appropriate locking directives. Not sure what's
> the best solution. Maybe Marek or David can help...?
I've used the spinlock approach for some time (on 3.18.x) and it works OK. This applies
also to 3.10 and 3.14 of course.
Patch here:
https://raw.githubusercontent.com/QubesOS/qubes-linux-kernel/stable-3.18/patches.xen/0001-xen-grant-fix-race-condition-in-gntdev_release.patch
and here:
From b876e14888bdafa112c3265e6420543fa74aa709 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Date: Fri, 26 Jun 2015 02:16:49 +0200
Subject: [PATCH] xen/grant: fix race condition in gntdev_release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
While gntdev_release is called, the MMU notifier is still registered and
will traverse the priv->maps list even if no pages are mapped (which is the
case - gntdev_release is called after all). But gntdev_release will
clear that list, so make sure that only one of those things happens at
the same time.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/xen/gntdev.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 8927485..4bd23bb 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -568,12 +568,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
pr_debug("priv %p\n", priv);
+ spin_lock(&priv->lock);
while (!list_empty(&priv->maps)) {
map = list_entry(priv->maps.next, struct grant_map, next);
list_del(&map->next);
gntdev_put_map(NULL /* already removed */, map);
}
WARN_ON(!list_empty(&priv->freeable_maps));
+ spin_unlock(&priv->lock);
if (use_ptemod)
mmu_notifier_unregister(&priv->mn, priv->mm);
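Review bot: this variant holds priv->lock as a spinlock across the entire drain loop, including every gntdev_put_map(NULL, map) call, so before taking it on a tree that lacks the mutex conversion (1401c00e59ea) confirm that nothing reachable from gntdev_put_map() on that tree can sleep or otherwise requires process context; a spinlock forbids both, and that is the one behavioural difference from the upstream mutex_lock()/mutex_unlock() version. The unlock is correctly placed before mmu_notifier_unregister(), so the notifier is torn down outside the critical section, and keeping the WARN_ON(!list_empty(&priv->freeable_maps)) inside the locked region means the check is evaluated against the same state as the drain. Since this hunk differs from the upstream commit in both offset (@@ -568 vs @@ -529) and locking primitive, the stable backport should still cite commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 but note that the lock calls were adapted for the older tree.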
--
1.9.3
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?