 Home |
Products |
Support |
Community |
News |
xen-devel
[Xen-devel] [PATCH 1/3] xen/pv-on-hvm kexec: prevent crash in xenwatch_t
| To: | linux-kernel@xxxxxxxxxxxxxxx, Jeremy Fitzhardinge <jeremy@xxxxxxxx>, Konrad <konrad.wilk@xxxxxxxxxx> |
|---|---|
| Subject: | [Xen-devel] [PATCH 1/3] xen/pv-on-hvm kexec: prevent crash in xenwatch_thread() when stale watch events arrive |
| From: | Olaf Hering <olaf@xxxxxxxxx> |
| Date: | Tue, 16 Aug 2011 15:16:51 +0200 |
| Cc: | xen-devel@xxxxxxxxxxxxxxxxxxx |
| Delivery-date: | Tue, 16 Aug 2011 06:19:36 -0700 |
| Dkim-signature: | v=1; a=rsa-sha1; c=relaxed/relaxed; t=1313500650; l=1619; s=domk; d=aepfle.de; h=References:In-Reply-To:Date:Subject:Cc:To:From:X-RZG-CLASS-ID: X-RZG-AUTH; bh=nD064YvpXPNgbt48Mv9LkDaFqkY=; b=ZJFIOnBT10RP5mTCtKPvtPuyAV2MrKVEoNCoEmhjZJ6NVu2GnrtK156D0FBnXpISX8b 2p37xxKnAwFRUlszO2qvgMy/hVQGBhySXqIH2xzxyDysN+sMrb2fotryHuPJuLJKh/VrH a74cHELsNQZhrsiio4KEiVTCeyo8tQPKgG8= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <1313500613-21394-1-git-send-email-olaf@xxxxxxxxx> |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| References: | <1313500613-21394-1-git-send-email-olaf@xxxxxxxxx> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
During repeated kexec boots xenwatch_thread() can crash because
xenbus_watch->callback is cleared by xenbus_watch_path() if a node/token
combo for a new watch happens to match an already registered watch from
an old kernel. In this case xs_watch returns -EEXISTS, then
register_xenbus_watch() does not remove the to-be-registered watch from
the list of active watches but returns the -EEXISTS to the caller
anyway.
Because the watch is still active in xenstored it will cause an event
which will arrive in the new kernel. process_msg() will find the
encapsulated struct xenbus_watch in its list of registered watches and
puts the "empty" watch handle in the queue for xenwatch_thread().
xenwatch_thread() then calls ->callback which was cleared earlier by
xenbus_watch_path().
To prevent that crash in a guest running on an old xen toolstack, add a
check wether xenbus_watch->callback is active.
Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>
---
drivers/xen/xenbus/xenbus_xs.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index 5534690..64248b2 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -828,7 +828,7 @@ static int process_msg(void)
spin_lock(&watches_lock);
msg->u.watch.handle = find_watch(
msg->u.watch.vec[XS_WATCH_TOKEN]);
- if (msg->u.watch.handle != NULL) {
+ if (msg->u.watch.handle && msg->u.watch.handle->callback) {
spin_lock(&watch_events_lock);
list_add_tail(&msg->list, &watch_events);
wake_up(&watch_events_waitq);
--
1.7.3.4
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [Xen-devel] [PATCH 3/3] xen/pv-on-hvm kexec+kdump: reset PV devices in kexec or crash kernel, Olaf Hering |
|---|---|
| Next by Date: | [Xen-devel] [PATCH 0/3] [v5] kexec and kdump for Xen PVonHVM guests, Olaf Hering |
| Previous by Thread: | [Xen-devel] [PATCH 3/3] xen/pv-on-hvm kexec+kdump: reset PV devices in kexec or crash kernel, Olaf Hering |
| Next by Thread: | Re: [Xen-devel] [PATCH 1/3] xen/pv-on-hvm kexec: prevent crash in xenwatch_thread() when stale watch events arrive, Ian Campbell |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
