From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Olaf Hering <olaf@aepfle.de>,
Juergen Gross <jgross@suse.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 50/59] xen: avoid crash in disable_hotplug_cpu
Date: Mon, 8 Oct 2018 20:31:57 +0200 [thread overview]
Message-ID: <20181008175552.299730400@linuxfoundation.org> (raw)
In-Reply-To: <20181008175546.620836256@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olaf Hering <olaf@aepfle.de>
[ Upstream commit 3366cdb6d350d95466ee430ac50f3c8415ca8f46 ]
The command 'xl vcpu-set 0 0', issued in dom0, will crash dom0:
BUG: unable to handle kernel NULL pointer dereference at 00000000000002d8
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 7 PID: 65 Comm: xenwatch Not tainted 4.19.0-rc2-1.ga9462db-default #1 openSUSE Tumbleweed (unreleased)
Hardware name: Intel Corporation S5520UR/S5520UR, BIOS S5500.86B.01.00.0050.050620101605 05/06/2010
RIP: e030:device_offline+0x9/0xb0
Code: 77 24 00 e9 ce fe ff ff 48 8b 13 e9 68 ff ff ff 48 8b 13 e9 29 ff ff ff 48 8b 13 e9 ea fe ff ff 90 66 66 66 66 90 41 54 55 53 <f6> 87 d8 02 00 00 01 0f 85 88 00 00 00 48 c7 c2 20 09 60 81 31 f6
RSP: e02b:ffffc90040f27e80 EFLAGS: 00010203
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8801f3800000 RSI: ffffc90040f27e70 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff820e47b3 R09: 0000000000000000
R10: 0000000000007ff0 R11: 0000000000000000 R12: ffffffff822e6d30
R13: dead000000000200 R14: dead000000000100 R15: ffffffff8158b4e0
FS: 00007ffa595158c0(0000) GS:ffff8801f39c0000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000002d8 CR3: 00000001d9602000 CR4: 0000000000002660
Call Trace:
handle_vcpu_hotplug_event+0xb5/0xc0
xenwatch_thread+0x80/0x140
? wait_woken+0x80/0x80
kthread+0x112/0x130
? kthread_create_worker_on_cpu+0x40/0x40
ret_from_fork+0x3a/0x50
This happens because handle_vcpu_hotplug_event is called twice. In the
first iteration cpu_present is still true, in the second iteration
cpu_present is false which causes get_cpu_device to return NULL.
In case of cpu#0, cpu_online is apparently always true.
Fix this crash by checking if the cpu can be hotplugged, which is false
for a cpu that was just removed.
Also check if the cpu was actually offlined by device_remove, otherwise
leave the cpu_present state as it is.
Rearrange to code to do all work with device_hotplug_lock held.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/cpu_hotplug.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/drivers/xen/cpu_hotplug.c
+++ b/drivers/xen/cpu_hotplug.c
@@ -18,15 +18,16 @@ static void enable_hotplug_cpu(int cpu)
static void disable_hotplug_cpu(int cpu)
{
- if (cpu_online(cpu)) {
- lock_device_hotplug();
+ if (!cpu_is_hotpluggable(cpu))
+ return;
+ lock_device_hotplug();
+ if (cpu_online(cpu))
device_offline(get_cpu_device(cpu));
- unlock_device_hotplug();
- }
- if (cpu_present(cpu))
+ if (!cpu_online(cpu) && cpu_present(cpu)) {
xen_arch_unregister_cpu(cpu);
-
- set_cpu_present(cpu, false);
+ set_cpu_present(cpu, false);
+ }
+ unlock_device_hotplug();
}
static int vcpu_online(unsigned int cpu)
next prev parent reply other threads:[~2018-10-08 18:40 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-08 18:31 [PATCH 4.9 00/59] 4.9.132-stable review Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 01/59] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 02/59] time: Introduce jiffies64_to_nsecs() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 03/59] mac80211: Run TXQ teardown code before de-registering interfaces Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 04/59] KVM: PPC: Book3S HV: Dont truncate HPTE index in xlate function Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 05/59] mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 06/59] mac80211_hwsim: " Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 07/59] gpio: adp5588: Fix sleep-in-atomic-context bug Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 08/59] mac80211: mesh: fix HWMP sequence numbering to follow standard Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 09/59] net: hns: add netif_carrier_off before change speed and duplex Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 10/59] cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 11/59] gpio: Fix crash due to registration race Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 12/59] ARC: atomics: unbork atomic_fetch_##op() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 13/59] RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 14/59] i2c: uniphier: issue STOP only for last message or I2C_M_STOP Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 15/59] i2c: uniphier-f: " Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 16/59] net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 17/59] fs/cifs: dont translate SFM_SLASH (U+F026) to backslash Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 18/59] cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 19/59] mac80211: fix a race between restart and CSA flows Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 20/59] mac80211: Fix station bandwidth setting after channel switch Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 21/59] mac80211: dont Tx a deauth frame if the AP forbade Tx Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 22/59] mac80211: shorten the IBSS debug messages Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 23/59] tools/vm/slabinfo.c: fix sign-compare warning Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 24/59] tools/vm/page-types.c: fix "defined but not used" warning Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 25/59] mm: madvise(MADV_DODUMP): allow hugetlbfs pages Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 26/59] HID: add support for Apple Magic Keyboards Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 27/59] usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 28/59] pinctrl: msm: Really mask level interrupts to prevent latching Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 29/59] HID: hid-saitek: Add device ID for RAT 7 Contagion Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 30/59] perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 31/59] perf probe powerpc: Ignore SyS symbols irrespective of endianness Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 32/59] RDMA/ucma: check fd type in ucma_migrate_id() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 33/59] USB: yurex: Check for truncation in yurex_read() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 34/59] nvmet-rdma: fix possible bogus dereference under heavy load Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 35/59] net/mlx5: Consider PCI domain in search for next dev Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 36/59] drm/nouveau/TBDdevinit: dont fail when PMU/PRE_OS is missing from VBIOS Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 37/59] dm raid: fix rebuild of specific devices by updating superblock Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 38/59] fs/cifs: suppress a string overflow warning Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 39/59] net: ena: fix driver when PAGE_SIZE == 64kB Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 40/59] perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 41/59] dm thin metadata: try to avoid ever aborting transactions Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 42/59] arch/hexagon: fix kernel/dma.c build warning Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 43/59] hexagon: modify ffs() and fls() to return int Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 44/59] arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 45/59] r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 46/59] s390/qeth: use vzalloc for QUERY OAT buffer Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 47/59] s390/qeth: dont dump past end of unknown HW header Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 48/59] cifs: read overflow in is_valid_oplock_break() Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 49/59] xen/manage: dont complain about an empty value in control/sysrq node Greg Kroah-Hartman
2018-10-08 18:31 ` Greg Kroah-Hartman [this message]
2018-10-08 18:31 ` [PATCH 4.9 51/59] xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage Greg Kroah-Hartman
2018-10-08 18:31 ` [PATCH 4.9 52/59] sysfs: Do not return POSIX ACL xattrs via listxattr Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 53/59] smb2: fix missing files in root share directory listing Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 54/59] ALSA: hda/realtek - Cannot adjust speakers volume on Dell XPS 27 7760 Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 55/59] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 56/59] crypto: mxs-dcp - Fix wait logic on chan threads Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 57/59] gpiolib: Free the last requested descriptor Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 58/59] proc: restrict kernel stack dumps to root Greg Kroah-Hartman
2018-10-08 18:32 ` [PATCH 4.9 59/59] ocfs2: fix locking for res->tracking and dlm->tracking_list Greg Kroah-Hartman
2018-10-08 23:22 ` [PATCH 4.9 00/59] 4.9.132-stable review Shuah Khan
2018-10-09 1:30 ` Nathan Chancellor
2018-10-09 9:26 ` Greg Kroah-Hartman
2018-10-09 21:05 ` Guenter Roeck
2018-10-10 4:15 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181008175552.299730400@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@microsoft.com \
--cc=boris.ostrovsky@oracle.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=olaf@aepfle.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox