Xen project Mailing List

Re: [PATCH v2] xen/events: Fix race in set_evtchn_to_irq

From: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>

Date: Thu, 12 Aug 2021 16:23:27 -0400

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+cHFl4S4x3A3CoBLHrWAHSPt4KftRBb3k0RmckBdrUk=; b=mGHfZrJZP6rPl2hfnCGZta2czULK7+5i191yMhwwRJUvEiuASmT4Pycv7EpD6RbE7HNS08EoAjz4PNWxjqSk4g93EZfAcDmhKigq9WSKI4WE7niEVLs0MNOr0hrzErrfxNUqllmoSerJQAkPEobd6hmD7cdYZZjsM1anLu8W4R8M+rnfJKFMoEbflerZox4RYRWq7LsWE7aGQzLXpqMr/jFmWM1Ro/SBrPV2jzHq7JK7PAB8LNc8OSD8yXlYZLlf9+BYFDRrs6wkS1bFF2H9dl30WdLv+8yCDwCZg0ZoQL1wxj/Y3IHkFYWuVx0qwe6xrOcy7GQGPu2yf9O5YACQqg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZyuI+zMJniSEt2I6ZzFxdAfcIvZHBTP1GLgTQcvNA1OUUG6PEbwnRuriQhle21jb0oTVIM3ichx3cP8gkixIkTgbgTbn3zXKK2Ie1kShAINcYAQivSaweQxySRXnl8bH0vHu197HUjL5nY+XWp/HhUFUGifamhdMJvw+Pn3v9ZIH6mPVUtifVajKnPBjbgZ636srTIsk3WSIQL8cmydQ0JgC6r4QrVliZRxtCrtIKNioqnAvHxCFXQXdd0gcQ7zvtq8AwR7tpCEwhiy7J4g97rABHaSDuPNIJnan4yQfL3S3SH90lgUeduvNVLrSZf1yG2Ux8ZF7EeBrhsh0Ha0KAA==

Authentication-results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=oracle.com;

Cc: Amit Shah <aams@xxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Malcolm Crossley <malcolm.crossley@xxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx

Delivery-date: Thu, 12 Aug 2021 20:24:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 8/12/21 9:09 AM, Maximilian Heyne wrote: > There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq > mapping are lazily allocated in this function. The check whether the row > is already present and the row initialization is not synchronized. Two > threads can at the same time allocate a new row for evtchn_to_irq and > add the irq mapping to the their newly allocated row. One thread will > overwrite what the other has set for evtchn_to_irq[row] and therefore > the irq mapping is lost. This will trigger a BUG_ON later in > bind_evtchn_to_cpu: > > INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802 > INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002) > INFO: nvme nvme77: 1/0/0 default/read/poll queues > CRIT: kernel BUG at drivers/xen/events/events_base.c:427! > WARN: invalid opcode: 0000 [#1] SMP NOPTI > WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme] > WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0 > WARN: Call Trace: > WARN: set_affinity_irq+0x121/0x150 > WARN: irq_do_set_affinity+0x37/0xe0 > WARN: irq_setup_affinity+0xf6/0x170 > WARN: irq_startup+0x64/0xe0 > WARN: __setup_irq+0x69e/0x740 > WARN: ? request_threaded_irq+0xad/0x160 > WARN: request_threaded_irq+0xf5/0x160 > WARN: ? nvme_timeout+0x2f0/0x2f0 [nvme] > WARN: pci_request_irq+0xa9/0xf0 > WARN: ? pci_alloc_irq_vectors_affinity+0xbb/0x130 > WARN: queue_request_irq+0x4c/0x70 [nvme] > WARN: nvme_reset_work+0x82d/0x1550 [nvme] > WARN: ? check_preempt_wakeup+0x14f/0x230 > WARN: ? check_preempt_curr+0x29/0x80 > WARN: ? nvme_irq_check+0x30/0x30 [nvme] > WARN: process_one_work+0x18e/0x3c0 > WARN: worker_thread+0x30/0x3a0 > WARN: ? process_one_work+0x3c0/0x3c0 > WARN: kthread+0x113/0x130 > WARN: ? kthread_park+0x90/0x90 > WARN: ret_from_fork+0x3a/0x50 > > This patch sets evtchn_to_irq rows via a cmpxchg operation so that they > will be set only once. The row is now cleared before writing it to > evtchn_to_irq in order to not create a race once the row is visible for > other threads. > > While at it, do not require the page to be zeroed, because it will be > overwritten with -1's in clear_evtchn_to_irq_row anyway. > > Signed-off-by: Maximilian Heyne <mheyne@xxxxxxxxx> > Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be > dynamically allocated") Reviewed-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.