forked from mirrors/linux
kernel/drivers/xen
Jason Andryuk 1f0304dfd9 xenbus: Use kref to track req lifetime
Marek reported seeing a NULL pointer fault in the xenbus_thread
callstack:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: e030:__wake_up_common+0x4c/0x180
Call Trace:
 <TASK>
 __wake_up_common_lock+0x82/0xd0
 process_msg+0x18e/0x2f0
 xenbus_thread+0x165/0x1c0

process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a
thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems
like it was xs_wake_up() in this case.

It seems like req may have woken up the xs_wait_for_reply(), which
kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed
data.

Linux Device Drivers 2nd edition states:
"Normally, a wake_up call can cause an immediate reschedule to happen,
meaning that other processes might run before wake_up returns."
... which would match the behaviour observed.

Change to keeping two krefs on each request.  One for the caller, and
one for xenbus_thread.  Each will kref_put() when finished, and the last
will free it.

This use of kref matches the description in
Documentation/core-api/kref.rst

Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: fd8aa9095a ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250506210935.5607-1-jason.andryuk@amd.com>
2025-05-07 16:21:41 +02:00
events x86/apic: Convert to IRQCHIP_MOVE_DEFERRED 2025-01-15 21:38:53 +01:00
xen-pciback xen/pciback: Remove unused pcistub_get_pci_dev 2025-03-14 11:19:49 +01:00
xenbus xenbus: Use kref to track req lifetime 2025-05-07 16:21:41 +02:00
xenfs xenfs/xensyms: respect hypervisor's "next" indication 2025-03-14 11:18:59 +01:00
acpi.c xen: Remove dependency between pciback and privcmd 2024-10-18 11:59:04 +02:00
arm-device.c
balloon.c x86/xen: fix balloon target initialization for PVH dom0 2025-04-07 11:24:12 +02:00
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c
evtchn.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
features.c
gntalloc.c xen/gntalloc: Replace UAPI 1-element array 2024-02-13 09:06:48 +01:00
gntdev-common.h
gntdev-dmabuf.c module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
gntdev-dmabuf.h
gntdev.c
grant-dma-iommu.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
grant-dma-ops.c change alloc_pages name in dma_map_ops to avoid name conflicts 2024-04-25 20:55:53 -07:00
grant-table.c
Kconfig xen: Change xen-acpi-processor dom0 dependency 2025-04-07 11:22:40 +02:00
Makefile
manage.c xen/manage: Constify struct shutdown_handler 2024-07-01 08:47:53 +02:00
mcelog.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
mem-reservation.c
pci.c xen/pci: Do not register devices with segments >= 0x10000 2025-03-21 08:15:26 +01:00
pcpu.c xen: pcpu: remove unnecessary __ref annotation 2025-01-20 09:44:39 +01:00
platform-pci.c xen: Add support for XenServer 6.1 platform device 2025-03-14 11:04:25 +01:00
privcmd-buf.c xen: add missing MODULE_DESCRIPTION() macros 2024-07-02 09:41:46 +02:00
privcmd.c the bulk of struct fd memory safety stuff 2024-11-18 12:24:06 -08:00
privcmd.h
pvcalls-back.c net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
pvcalls-front.c xen: update pvcalls_front_accept prototype 2025-01-22 16:32:08 +01:00
pvcalls-front.h xen: update pvcalls_front_accept prototype 2025-01-22 16:32:08 +01:00
swiotlb-xen.c xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it 2025-05-07 15:27:42 +02:00
sys-hypervisor.c
time.c
unpopulated-alloc.c
xen-acpi-pad.c
xen-acpi-processor.c
xen-balloon.c xen: balloon: make balloon_subsys const 2024-02-13 09:03:34 +01:00
xen-front-pgdir-shbuf.c
xen-scsiback.c
xlate_mmu.c