[PATCH] xenbus: don't BUG() on user mode induced condition

[PATCH] xenbus: don't BUG() on user mode induced condition

[Jan Beulich]

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
+	} else {
+		list_for_each_entry(trans, &u->transactions, list)
+			if (trans->handle.id == u->u.msg.tx_id)
+				break;
+		if (&trans->list == &u->transactions)
+			return -ESRCH;
 	}
 
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
 	if (IS_ERR(reply)) {
-		kfree(trans);
+		if (msg_type == XS_TRANSACTION_START)
+			kfree(trans);
 		rc = PTR_ERR(reply);
 		goto out;
 	}
@@ -333,12 +340,7 @@ static int xenbus_write_transaction(unsi
 			list_add(&trans->list, &u->transactions);
 		}
 	} else if (u->u.msg.type == XS_TRANSACTION_END) {
-		list_for_each_entry(trans, &u->transactions, list)
-			if (trans->handle.id == u->u.msg.tx_id)
-				break;
-		BUG_ON(&trans->list == &u->transactions);
 		list_del(&trans->list);
-
 		kfree(trans);
 	}
 

[PATCH] xenbus: don't BUG() on user mode induced condition

[Jan Beulich]

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
+	} else {
+		list_for_each_entry(trans, &u->transactions, list)
+			if (trans->handle.id == u->u.msg.tx_id)
+				break;
+		if (&trans->list == &u->transactions)
+			return -ESRCH;
 	}
 
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
 	if (IS_ERR(reply)) {
-		kfree(trans);
+		if (msg_type == XS_TRANSACTION_START)
+			kfree(trans);
 		rc = PTR_ERR(reply);
 		goto out;
 	}
@@ -333,12 +340,7 @@ static int xenbus_write_transaction(unsi
 			list_add(&trans->list, &u->transactions);
 		}
 	} else if (u->u.msg.type == XS_TRANSACTION_END) {
-		list_for_each_entry(trans, &u->transactions, list)
-			if (trans->handle.id == u->u.msg.tx_id)
-				break;
-		BUG_ON(&trans->list == &u->transactions);
 		list_del(&trans->list);
-
 		kfree(trans);
 	}
 




_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xenbus: don't BUG() on user mode induced condition

[David Vrabel]

On 07/07/16 08:23, Jan Beulich wrote:
> Inability to locate a user mode specified transaction ID should not
> lead to a kernel crash. For other than XS_TRANSACTION_START also
> don't issue anything to xenbus if the specified ID doesn't match that
> of any active transaction.

Applied to for-linus-4.7b and Cc'd to stable, thanks.

David

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[David Vrabel]

On 07/07/16 08:23, Jan Beulich wrote:
> Inability to locate a user mode specified transaction ID should not
> lead to a kernel crash. For other than XS_TRANSACTION_START also
> don't issue anything to xenbus if the specified ID doesn't match that
> of any active transaction.

Applied to for-linus-4.7b and Cc'd to stable, thanks.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xenbus: don't BUG() on user mode induced condition

[Sylvain Munaut]

Hi,

> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>                         rc = -ENOMEM;
>                         goto out;
>                 }
> +       } else {
> +               list_for_each_entry(trans, &u->transactions, list)
> +                       if (trans->handle.id == u->u.msg.tx_id)
> +                               break;
> +               if (&trans->list == &u->transactions)
> +                       return -ESRCH;
>         }

Shouldn't there be some tolerance in there in case the tx_id is zero ?
(i.e. no transaction).

I'm trying to find out why just doing "xenstore-ls" doesn't work on my
4.4.20 kernel and when stracing it, I see it doing :

access("/dev/xen/xenbus", F_OK)         = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
60), ...}) = 0
open("/dev/xen/xenbus", O_RDWR)         = 3
brk(0)                                  = 0x18e4000
brk(0x1905000)                          = 0x1905000
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
{SIG_DFL, [], 0}, 8) = 0
write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
write(3, "/\0", 2)                      = -1 ESRCH (No such process)


So either what xenstore-ls does is invalid, or that condition
requiring a transaction is too strict.

Or am I missing something here ?


Cheers,

    Sylvain Munaut

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[Sylvain Munaut]

Hi,

> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>                         rc = -ENOMEM;
>                         goto out;
>                 }
> +       } else {
> +               list_for_each_entry(trans, &u->transactions, list)
> +                       if (trans->handle.id == u->u.msg.tx_id)
> +                               break;
> +               if (&trans->list == &u->transactions)
> +                       return -ESRCH;
>         }

Shouldn't there be some tolerance in there in case the tx_id is zero ?
(i.e. no transaction).

I'm trying to find out why just doing "xenstore-ls" doesn't work on my
4.4.20 kernel and when stracing it, I see it doing :

access("/dev/xen/xenbus", F_OK)         = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
60), ...}) = 0
open("/dev/xen/xenbus", O_RDWR)         = 3
brk(0)                                  = 0x18e4000
brk(0x1905000)                          = 0x1905000
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
{SIG_DFL, [], 0}, 8) = 0
write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
write(3, "/\0", 2)                      = -1 ESRCH (No such process)


So either what xenstore-ls does is invalid, or that condition
requiring a transaction is too strict.

Or am I missing something here ?


Cheers,

    Sylvain Munaut

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[Christoph Moench-Tegeder]

## Sylvain Munaut (s.munaut@whatever-company.com):

> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
> 4.4.20 kernel and when stracing it, I see it doing :

That looks like the same brokeness I reported earlier:
https://lists.xenproject.org/archives/html/xen-devel/2016-08/msg02496.html
Luckily I'm not alone with that :)

Regards,
Christoph

-- 
Spare Space

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[Sylvain Munaut]

Hi,

>> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
>> 4.4.20 kernel and when stracing it, I see it doing :
>
> That looks like the same brokeness I reported earlier:
> https://lists.xenproject.org/archives/html/xen-devel/2016-08/msg02496.html
> Luckily I'm not alone with that :)

Yes indeed, looks like the same root cause, although my symptoms were
a bit different.
I had googled around a bit before posting but didn't find you post, I
guess my google-fu failed me.

As for the fix, I went with the patch below ... no idea if it's really
correct, but it seemed right to me.
Hopfully someone more knowledgeable will come up with the right fix.


diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c
b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 531e764..a60eec6 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsigned msg_type,
                        rc = -ENOMEM;
                        goto out;
                }
-       } else {
+       } else if (u->u.msg.tx_id || msg_type == XS_TRANSACTION_END) {
                list_for_each_entry(trans, &u->transactions, list)
                        if (trans->handle.id == u->u.msg.tx_id)
                                break;


Cheers,

    Sylvain

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xenbus: don't BUG() on user mode induced condition

[Jan Beulich]

>>> On 21.08.16 at 21:36, <s.munaut@whatever-company.com> wrote:
>> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>>                         rc = -ENOMEM;
>>                         goto out;
>>                 }
>> +       } else {
>> +               list_for_each_entry(trans, &u->transactions, list)
>> +                       if (trans->handle.id == u->u.msg.tx_id)
>> +                               break;
>> +               if (&trans->list == &u->transactions)
>> +                       return -ESRCH;
>>         }
> 
> Shouldn't there be some tolerance in there in case the tx_id is zero ?
> (i.e. no transaction).
> 
> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
> 4.4.20 kernel and when stracing it, I see it doing :
> 
> access("/dev/xen/xenbus", F_OK)         = 0
> stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
> 60), ...}) = 0
> open("/dev/xen/xenbus", O_RDWR)         = 3
> brk(0)                                  = 0x18e4000
> brk(0x1905000)                          = 0x1905000
> rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
> {SIG_DFL, [], 0}, 8) = 0
> write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
> write(3, "/\0", 2)                      = -1 ESRCH (No such process)
> 
> 
> So either what xenstore-ls does is invalid, or that condition
> requiring a transaction is too strict.
> 
> Or am I missing something here ?

See https://patchwork.kernel.org/patch/9281193/.

Jan

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[Jan Beulich]

>>> On 21.08.16 at 21:36, <s.munaut@whatever-company.com> wrote:
>> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>>                         rc = -ENOMEM;
>>                         goto out;
>>                 }
>> +       } else {
>> +               list_for_each_entry(trans, &u->transactions, list)
>> +                       if (trans->handle.id == u->u.msg.tx_id)
>> +                               break;
>> +               if (&trans->list == &u->transactions)
>> +                       return -ESRCH;
>>         }
> 
> Shouldn't there be some tolerance in there in case the tx_id is zero ?
> (i.e. no transaction).
> 
> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
> 4.4.20 kernel and when stracing it, I see it doing :
> 
> access("/dev/xen/xenbus", F_OK)         = 0
> stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
> 60), ...}) = 0
> open("/dev/xen/xenbus", O_RDWR)         = 3
> brk(0)                                  = 0x18e4000
> brk(0x1905000)                          = 0x1905000
> rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
> {SIG_DFL, [], 0}, 8) = 0
> write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
> write(3, "/\0", 2)                      = -1 ESRCH (No such process)
> 
> 
> So either what xenstore-ls does is invalid, or that condition
> requiring a transaction is too strict.
> 
> Or am I missing something here ?

See https://patchwork.kernel.org/patch/9281193/.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xenbus: don't BUG() on user mode induced condition

[Sylvain Munaut]

Hi Jan,

> See https://patchwork.kernel.org/patch/9281193/.

Thanks for the pointer !

I had checked the kernel git tree for a potential fix, but didn't
think of patchwork.


Cheers,

    Sylvain Munaut

Re: [PATCH] xenbus: don't BUG() on user mode induced condition

[Sylvain Munaut]

Hi Jan,

> See https://patchwork.kernel.org/patch/9281193/.

Thanks for the pointer !

I had checked the kernel git tree for a potential fix, but didn't
think of patchwork.


Cheers,

    Sylvain Munaut

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel