Xen project Mailing List

Re: [PATCH] xenbus: Use kref to track req lifetime

To: Jason Andryuk <jason.andryuk@xxxxxxx>

From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Date: Thu, 8 May 2025 22:18:32 +0200

Cc: Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, stable@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx

Delivery-date: Thu, 08 May 2025 20:18:57 +0000

Feedback-id: i1568416f:Fastmail

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, May 06, 2025 at 05:09:33PM -0400, Jason Andryuk wrote: > Marek reported seeing a NULL pointer fault in the xenbus_thread > callstack: > BUG: kernel NULL pointer dereference, address: 0000000000000000 > RIP: e030:__wake_up_common+0x4c/0x180 > Call Trace: > <TASK> > __wake_up_common_lock+0x82/0xd0 > process_msg+0x18e/0x2f0 > xenbus_thread+0x165/0x1c0 > > process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a > thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems > like it was xs_wake_up() in this case. > > It seems like req may have woken up the xs_wait_for_reply(), which > kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed > data. > > Linux Device Drivers 2nd edition states: > "Normally, a wake_up call can cause an immediate reschedule to happen, > meaning that other processes might run before wake_up returns." > ... which would match the behaviour observed. > > Change to keeping two krefs on each request. One for the caller, and > one for xenbus_thread. Each will kref_put() when finished, and the last > will free it. > > This use of kref matches the description in > Documentation/core-api/kref.rst > > Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/ > Reported-by: "Marek Marczykowski-Górecki" <marmarek@xxxxxxxxxxxxxxxxxxxxxx> > Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent > xenstore accesses") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx> > --- > Kinda RFC-ish as I don't know if it fixes Marek's issue. This does seem > like the correct approach if we are seeing req free()ed out from under > xenbus_thread. Thanks for the patch! I don't have easy way to test if it definitely fixes the issues (due to poor reproduction rate), but it looks very likely. I did run it through our CI and at least there it didn't crash (but again, it doesn't happen often). -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.