mirror of
https://github.com/torvalds/linux
synced 2024-09-29 07:50:45 +00:00
1b6a51e86c
The req->body should be updated before req->state is updated and the order should be guaranteed by a barrier. Otherwise, read_reply() might return req->body = NULL. Below is sample callstack when the issue is reproduced on purpose by reordering the updates of req->body and req->state and adding delay in code between updates of req->state and req->body. [ 22.356105] general protection fault: 0000 [#1] SMP PTI [ 22.361185] CPU: 2 PID: 52 Comm: xenwatch Not tainted 5.5.0xen+ #6 [ 22.366727] Hardware name: Xen HVM domU, BIOS ... [ 22.372245] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60 ... ... [ 22.392163] RSP: 0018:ffffb2d64023fdf0 EFLAGS: 00010246 [ 22.395933] RAX: 0000000000000000 RBX: 75746e7562755f6d RCX: 0000000000000000 [ 22.400871] RDX: 0000000000000000 RSI: ffffb2d64023fdfc RDI: 75746e7562755f6d [ 22.405874] RBP: 0000000000000000 R08: 00000000000001e8 R09: 0000000000cdcdcd [ 22.410945] R10: ffffb2d6402ffe00 R11: ffff9d95395eaeb0 R12: ffff9d9535935000 [ 22.417613] R13: ffff9d9526d4a000 R14: ffff9d9526f4f340 R15: ffff9d9537654000 [ 22.423726] FS: 0000000000000000(0000) GS:ffff9d953bc80000(0000) knlGS:0000000000000000 [ 22.429898] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.434342] CR2: 000000c4206a9000 CR3: 00000001ea3fc002 CR4: 00000000001606e0 [ 22.439645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.444941] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.450342] Call Trace: [ 22.452509] simple_strtoull+0x27/0x70 [ 22.455572] xenbus_transaction_start+0x31/0x50 [ 22.459104] netback_changed+0x76c/0xcc1 [xen_netfront] [ 22.463279] ? find_watch+0x40/0x40 [ 22.466156] xenwatch_thread+0xb4/0x150 [ 22.469309] ? wait_woken+0x80/0x80 [ 22.472198] kthread+0x10e/0x130 [ 22.474925] ? kthread_park+0x80/0x80 [ 22.477946] ret_from_fork+0x35/0x40 [ 22.480968] Modules linked in: xen_kbdfront xen_fbfront(+) xen_netfront xen_blkfront [ 22.486783] ---[ end trace a9222030a747c3f7 ]--- [ 22.490424] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60 The virt_rmb() is added in the 'true' path of test_reply(). The "while" is changed to "do while" so that test_reply() is used as a read memory barrier. Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Link: https://lore.kernel.org/r/20200303221423.21962-1-dongli.zhang@oracle.com Reviewed-by: Julien Grall <jgrall@amazon.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> |
||
|---|---|---|
| .. | ||
| events | ||
| xen-pciback | ||
| xenbus | ||
| xenfs | ||
| acpi.c | ||
| arm-device.c | ||
| balloon.c | ||
| biomerge.c | ||
| cpu_hotplug.c | ||
| dbgp.c | ||
| efi.c | ||
| evtchn.c | ||
| features.c | ||
| gntalloc.c | ||
| gntdev-common.h | ||
| gntdev-dmabuf.c | ||
| gntdev-dmabuf.h | ||
| gntdev.c | ||
| grant-table.c | ||
| Kconfig | ||
| Makefile | ||
| manage.c | ||
| mcelog.c | ||
| mem-reservation.c | ||
| pci.c | ||
| pcpu.c | ||
| platform-pci.c | ||
| preempt.c | ||
| privcmd-buf.c | ||
| privcmd.c | ||
| privcmd.h | ||
| pvcalls-back.c | ||
| pvcalls-front.c | ||
| pvcalls-front.h | ||
| swiotlb-xen.c | ||
| sys-hypervisor.c | ||
| time.c | ||
| xen-acpi-cpuhotplug.c | ||
| xen-acpi-memhotplug.c | ||
| xen-acpi-pad.c | ||
| xen-acpi-processor.c | ||
| xen-balloon.c | ||
| xen-front-pgdir-shbuf.c | ||
| xen-scsiback.c | ||
| xen-stub.c | ||
| xlate_mmu.c | ||