From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Jiri Slaby <jslaby@suse.cz>
Cc: Luis Henriques <luis.henriques@canonical.com>,
stable@vger.kernel.org, linux-kernel@vger.kernel.org,
David Vrabel <david.vrabel@citrix.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH 3.12 49/82] xen/gntdevt: Fix race condition in gntdev_release()
Date: Tue, 25 Aug 2015 16:08:53 +0200
Message-ID: <20150825140853.GC1345@mail-itl>
In-Reply-To: <55DC6B19.10001@suse.cz>
On Tue, Aug 25, 2015 at 03:18:17PM +0200, Jiri Slaby wrote:
> On 08/25/2015, 01:52 PM, Marek Marczykowski-Górecki wrote:
> >>> --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@
> >>> -529,12 +529,14 @@ static int gntdev_release(struct inode
> >>> *inode, struct file *flip)
> >>>
> >>> pr_debug("priv %p\n", priv);
> >>>
> >>> + mutex_lock(&priv->lock);
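Review bot: `mutex_lock(&priv->lock)` presumes priv->lock is a struct mutex, but a 3.12 tree that lacks 1401c00e59ea ("xen/gntdev: convert priv->lock to a mutex") still declares it as a spinlock, so this line hands a spinlock_t to mutex_lock(), a type mismatch that cannot be correct. Either queue 1401c00e59ea ahead of this patch or rework the backport for the spinlock type, keeping in mind that nothing called while the spinlock is held may sleep.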
> >>
> >> Since 3.12 doesn't seem to include 1401c00e59ea ("xen/gntdev:
> >> convert priv->lock to a mutex"), this shouldn't be applied as
> >> priv->lock is actually a spinlock. So, you'll need to pick
> >> 1401c00e59ea or backport this patch using the appropriate locking
> >> directives. Not sure what's the best solution. Maybe Marek or
> >> David can help...?
> >
> > I've used the spinlock approach for some time (on 3.18.x) and it works
> > ok. This applies also to 3.10 and 3.14 of course.
> >
> > Patch here:
> > https://raw.githubusercontent.com/QubesOS/qubes-linux-kernel/stable-3.18/patches.xen/0001-xen-grant-fix-race-condition-in-gntdev_release.patch
> >
> > and here:
> >
> > From b876e14888bdafa112c3265e6420543fa74aa709 Mon Sep 17 00:00:00 2001
> > From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > Date: Fri, 26 Jun 2015 02:16:49 +0200
> > Subject: [PATCH] xen/grant: fix race condition in gntdev_release
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=UTF-8
> > Content-Transfer-Encoding: 8bit
> > Organization: Invisible Things Lab
> > Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> >
> > While gntdev_release is called, the MMU notifier is still registered
> > and will traverse the priv->maps list even if no pages are mapped
> > (which is the case - gntdev_release is called after all). But
> > gntdev_release will clear that list, so make sure that only one of
> > those things happens at the same time.
> >
> > Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > ---
> >  drivers/xen/gntdev.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index
> > 8927485..4bd23bb 100644 --- a/drivers/xen/gntdev.c +++
> > b/drivers/xen/gntdev.c @@ -568,12 +568,14 @@ static int
> > gntdev_release(struct inode *inode, struct file *flip)
> >
> > pr_debug("priv %p\n", priv);
> >
> > + spin_lock(&priv->lock); while (!list_empty(&priv->maps)) { map =
> > list_entry(priv->maps.next, struct grant_map, next);
> > list_del(&map->next); gntdev_put_map(NULL /* already removed */,
> > map); } WARN_ON(!list_empty(&priv->freeable_maps)); +
> > spin_unlock(&priv->lock);
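Review bot: the `spin_lock(&priv->lock)` / `spin_unlock(&priv->lock)` pair added in this hunk brackets the `gntdev_put_map()` calls, and gntdev_put_map() reaches free_xenballooned_pages(), which takes a mutex (the call chain is spelled out further down in this thread), so putting a map while the spinlock is held sleeps in atomic context. One way to keep the intended exclusion against the MMU notifier without that problem: under the spinlock, move the whole priv->maps list onto a local list head with list_splice_init(), drop the spinlock, and only then walk the local list calling gntdev_put_map(). The notifier then sees an empty priv->maps while the frees that may sleep run with no spinlock held.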
>
> Hmm, but e.g.
> gntdev_put_map
> -> gntdev_free_map
> -> free_xenballooned_pages
> -> mutex_lock
>
> means sleep inside atomic, right?
Indeed, you're probably right. But I haven't hit that problem ever...
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
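The sleep-in-atomic objection raised in this thread, and the detach-first alternative, as an added userspace model written for this page (not the kernel's gntdev.c and not code posted by anyone in the thread): a tiny intrusive list in the style of <linux/list.h>, a counter that stands in for the might_sleep() check behind CONFIG_DEBUG_ATOMIC_SLEEP, and a gntdev_put_map() stand-in that takes a mutex the way free_xenballooned_pages() does. The names release_put_under_spinlock, release_detach_then_put, balloon_mutex and add_maps are invented for the example.

```c
/* Added userspace model (not the kernel's gntdev.c) of a spinlock held across
 * a "put" that may sleep, and of the fix that detaches the list under the lock
 * and drops the entries afterwards. All names below are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;
}
/* Move every entry of src onto dst and leave src empty. */
static void list_splice_init(struct list_head *src, struct list_head *dst)
{
    if (list_empty(src)) return;
    struct list_head *first = src->next, *last = src->prev;
    first->prev = dst; last->next = dst->next;
    dst->next->prev = last; dst->next = first;
    INIT_LIST_HEAD(src);
}
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for CONFIG_DEBUG_ATOMIC_SLEEP: count calls that may sleep while a
 * spinlock (an atomic section) is held. Single-threaded model, no real locks. */
static int atomic_depth;
static int sleep_in_atomic_violations;

static void might_sleep(void)      { if (atomic_depth > 0) sleep_in_atomic_violations++; }
static void spin_lock(int *lock)   { (void)lock; atomic_depth++; }
static void spin_unlock(int *lock) { (void)lock; atomic_depth--; }
static void mutex_lock(int *m)     { (void)m; might_sleep(); }
static void mutex_unlock(int *m)   { (void)m; }

struct grant_map  { int id; struct list_head next; };
struct gntdev_priv { struct list_head maps; int lock; };

static int balloon_mutex;   /* models the mutex inside free_xenballooned_pages() */
static int maps_freed;

/* Stand-in for gntdev_put_map -> gntdev_free_map -> free_xenballooned_pages:
 * it takes a mutex and may therefore sleep. */
static void gntdev_put_map(struct grant_map *map)
{
    mutex_lock(&balloon_mutex);
    maps_freed++;
    mutex_unlock(&balloon_mutex);
    free(map);
}

/* Populate priv->maps with n constructed entries. */
static void add_maps(struct gntdev_priv *priv, int n)
{
    INIT_LIST_HEAD(&priv->maps);
    priv->lock = 0;
    for (int i = 0; i < n; i++) {
        struct grant_map *m = malloc(sizeof *m);
        m->id = i;
        list_add(&m->next, &priv->maps);
    }
}

/* Models the quoted backport: put every map while priv->lock (a spinlock) is held.
 * Returns the number of may-sleep calls made in atomic context. */
static int release_put_under_spinlock(struct gntdev_priv *priv)
{
    sleep_in_atomic_violations = 0; maps_freed = 0;
    spin_lock(&priv->lock);
    while (!list_empty(&priv->maps)) {
        struct grant_map *map = list_entry(priv->maps.next, struct grant_map, next);
        list_del(&map->next);
        gntdev_put_map(map);          /* sleeps with the spinlock held */
    }
    spin_unlock(&priv->lock);
    return sleep_in_atomic_violations;
}

/* Alternative: empty priv->maps under the spinlock (so a concurrent traversal
 * sees nothing), then put the detached entries with no spinlock held. */
static int release_detach_then_put(struct gntdev_priv *priv)
{
    struct list_head tmp;
    INIT_LIST_HEAD(&tmp);
    sleep_in_atomic_violations = 0; maps_freed = 0;
    spin_lock(&priv->lock);
    list_splice_init(&priv->maps, &tmp);
    spin_unlock(&priv->lock);
    while (!list_empty(&tmp)) {
        struct grant_map *map = list_entry(tmp.next, struct grant_map, next);
        list_del(&map->next);
        gntdev_put_map(map);          /* may sleep; nothing atomic is held */
    }
    return sleep_in_atomic_violations;
}

int main(void)
{
    struct gntdev_priv priv;
    add_maps(&priv, 3);
    printf("put under spinlock: %d sleep-in-atomic violations\n",
           release_put_under_spinlock(&priv));
    add_maps(&priv, 3);
    printf("detach then put:    %d sleep-in-atomic violations\n",
           release_detach_then_put(&priv));
    return 0;
}
```

The detached variant keeps the exclusion the patch is after: priv->maps is emptied while the spinlock is held, so a traversal that takes the same lock either runs before (and sees the entries) or after (and sees an empty list); the puts that may sleep only touch entries that are no longer reachable from priv->maps.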