linux/drivers/xen
Jason Andryuk 1f0304dfd9 xenbus: Use kref to track req lifetime
Marek reported seeing a NULL pointer fault in the xenbus_thread
callstack:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: e030:__wake_up_common+0x4c/0x180
Call Trace:
 <TASK>
 __wake_up_common_lock+0x82/0xd0
 process_msg+0x18e/0x2f0
 xenbus_thread+0x165/0x1c0

process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a
thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems
like it was xs_wake_up() in this case.

It seems like req may have woken up the xs_wait_for_reply(), which
kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed
data.

Linux Device Drivers 2nd edition states:
"Normally, a wake_up call can cause an immediate reschedule to happen,
meaning that other processes might run before wake_up returns."
... which would match the behaviour observed.

Change to keeping two krefs on each request.  One for the caller, and
one for xenbus_thread.  Each will kref_put() when finished, and the last
will free it.

This use of kref matches the description in
Documentation/core-api/kref.rst

Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: fd8aa9095a ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250506210935.5607-1-jason.andryuk@amd.com>
2025-05-07 16:21:41 +02:00
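The two-reference pattern the commit message describes, as an added userspace model that is not the kernel's xenbus code: an atomic counter stands in for struct kref, a string buffer for the reply, and simulate() runs one request through both orderings, including the reported one where the woken caller finishes before the reply thread resumes after wake_up().

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the fix: one ref for the caller, one for the reply thread; the last put frees. */
struct xs_req {
	atomic_int refcount;	/* stands in for struct kref */
	char reply[32];		/* written by the reply thread before wake_up() */
};
static int release_count;	/* how many requests were actually freed */

/* Like kref_put(): returns 1 if this drop was the last and req is gone. */
static int xs_req_put(struct xs_req *req)
{
	if (atomic_fetch_sub(&req->refcount, 1) != 1)
		return 0;
	release_count++;
	free(req);
	return 1;
}

/* Woken caller: copy the reply out, then drop the caller's reference. */
static int caller_finish(struct xs_req *req, char *out, size_t out_len)
{
	strncpy(out, req->reply, out_len - 1);
	out[out_len - 1] = '\0';
	return xs_req_put(req);
}

/* caller_first is the reported case: the woken caller finishes before the
 * reply thread resumes. Returns 1 iff exactly one side freed req. */
static int simulate(int caller_first, char *out, size_t out_len)
{
	struct xs_req *req = calloc(1, sizeof(*req));
	int by_caller, by_thread;
	if (!req)
		return 0;
	atomic_init(&req->refcount, 2);	/* one ref each: caller, reply thread */
	release_count = 0;
	strncpy(req->reply, "OK", sizeof(req->reply) - 1);	/* reply thread's work */
	if (caller_first) {
		by_caller = caller_finish(req, out, out_len);
		by_thread = xs_req_put(req);	/* thread's own ref kept req alive */
	} else {
		by_thread = xs_req_put(req);
		by_caller = caller_finish(req, out, out_len);
	}
	return by_caller + by_thread == 1 && release_count == 1;
}
```

With a single reference, the caller_first branch would free req before the thread's final touch, which is the fault the trace above shows; with two, each side only ever drops the reference it owns.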
events x86/apic: Convert to IRQCHIP_MOVE_DEFERRED 2025-01-15 21:38:53 +01:00
xen-pciback xen/pciback: Remove unused pcistub_get_pci_dev 2025-03-14 11:19:49 +01:00
xenbus xenbus: Use kref to track req lifetime 2025-05-07 16:21:41 +02:00
xenfs xenfs/xensyms: respect hypervisor's "next" indication 2025-03-14 11:18:59 +01:00
acpi.c xen: Remove dependency between pciback and privcmd 2024-10-18 11:59:04 +02:00
arm-device.c
balloon.c x86/xen: fix balloon target initialization for PVH dom0 2025-04-07 11:24:12 +02:00
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c efi: Apply allowlist to EFI configuration tables when running under Xen 2023-01-23 11:33:24 +01:00
evtchn.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
features.c x86/xen: Remove undefined behavior in setup_features() 2022-06-21 16:36:11 +02:00
gntalloc.c xen/gntalloc: Replace UAPI 1-element array 2024-02-13 09:06:48 +01:00
gntdev-common.h xen/gntdev: Accommodate VMA splitting 2022-10-06 10:40:21 +02:00
gntdev-dmabuf.c module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
gntdev-dmabuf.h
gntdev.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
grant-dma-iommu.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
grant-dma-ops.c change alloc_pages name in dma_map_ops to avoid name conflicts 2024-04-25 20:55:53 -07:00
grant-table.c locking/atomic, xen: Use sync_try_cmpxchg() instead of sync_cmpxchg() 2023-10-09 18:14:34 +02:00
Kconfig xen: Change xen-acpi-processor dom0 dependency 2025-04-07 11:22:40 +02:00
Makefile xen/grant-dma-iommu: Introduce stub IOMMU driver 2022-06-06 16:07:30 +02:00
manage.c xen/manage: Constify struct shutdown_handler 2024-07-01 08:47:53 +02:00
mcelog.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
mem-reservation.c x86/xen: remove 32-bit pv leftovers 2021-11-02 08:03:43 -05:00
pci.c xen/pci: Do not register devices with segments >= 0x10000 2025-03-21 08:15:26 +01:00
pcpu.c xen: pcpu: remove unnecessary __ref annotation 2025-01-20 09:44:39 +01:00
platform-pci.c xen: Add support for XenServer 6.1 platform device 2025-03-14 11:04:25 +01:00
privcmd-buf.c xen: add missing MODULE_DESCRIPTION() macros 2024-07-02 09:41:46 +02:00
privcmd.c the bulk of struct fd memory safety stuff 2024-11-18 12:24:06 -08:00
privcmd.h
pvcalls-back.c net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
pvcalls-front.c xen: update pvcalls_front_accept prototype 2025-01-22 16:32:08 +01:00
pvcalls-front.h xen: update pvcalls_front_accept prototype 2025-01-22 16:32:08 +01:00
swiotlb-xen.c xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it 2025-05-07 15:27:42 +02:00
sys-hypervisor.c xen: sysfs: make kobj_type structure constant 2023-02-18 16:50:21 +01:00
time.c x86/paravirt: Switch time pvops functions to use static_call() 2021-03-11 16:17:52 +01:00
unpopulated-alloc.c xen/balloon: don't use PV mode extra memory for zone device allocations 2022-04-07 15:08:37 -05:00
xen-acpi-pad.c ACPI: make remove callback of ACPI driver void 2022-11-23 19:11:22 +01:00
xen-acpi-processor.c xen: Switch to use kmemdup() helper 2023-08-21 09:54:05 +02:00
xen-balloon.c xen: balloon: make balloon_subsys const 2024-02-13 09:03:34 +01:00
xen-front-pgdir-shbuf.c xen/shbuf: eliminate 17 kernel-doc warnings 2023-11-13 08:14:42 +01:00
xen-scsiback.c scsi: target: Have drivers report if they support direct submissions 2023-10-13 15:53:57 -04:00
xlate_mmu.c xen: unexport __init-annotated xen_xlate_map_ballooned_pages() 2022-06-07 08:11:35 +02:00