* [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
@ 2018-03-15 2:43 Simon Gaiser
2018-03-15 2:43 ` [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions Simon Gaiser
` (7 more replies)
0 siblings, 8 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel
Cc: Simon Gaiser, stable, Boris Ostrovsky, Juergen Gross, linux-kernel
Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
concurrent xenstore accesses") made a subtle change to the semantic of
xenbus_dev_request_and_reply() and xenbus_transaction_end().
Before on an error response to XS_TRANSACTION_END
xenbus_dev_request_and_reply() would not decrement the active
transaction counter. But xenbus_transaction_end() has always counted the
transaction as finished regardless of the response.
The new behavior is that xenbus_dev_request_and_reply() and
xenbus_transaction_end() will always count the transaction as finished
regardless the response code (handled in xs_request_exit()).
But xenbus_dev_frontend tries to end a transaction on closing of the
device if the XS_TRANSACTION_END failed before. Trying to close the
transaction twice corrupts the reference count. So fix this by also
considering a transaction closed if we have sent XS_TRANSACTION_END once
regardless of the return code.
Cc: <stable@vger.kernel.org> # 4.11
Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index a493e99bed21..81a84b3c1c50 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -365,7 +365,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req)
if (WARN_ON(rc))
goto out;
}
- } else if (req->msg.type == XS_TRANSACTION_END) {
+ } else if (req->type == XS_TRANSACTION_END) {
trans = xenbus_get_transaction(u, req->msg.tx_id);
if (WARN_ON(!trans))
goto out;
--
2.16.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
2018-03-15 2:43 ` [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions Simon Gaiser
@ 2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
2018-03-15 2:43 ` [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END Simon Gaiser
` (5 subsequent siblings)
7 siblings, 2 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel; +Cc: Simon Gaiser, Boris Ostrovsky, Juergen Gross, linux-kernel
Users of the xenbus functions should never close a non existent
transaction (for example by trying to closing the same transaction
twice) but better catch it in xs_request_exit() than to corrupt the
reference counter.
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_xs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index 3f3b29398ab8..49a3874ae6bb 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -140,7 +140,9 @@ void xs_request_exit(struct xb_req_data *req)
spin_lock(&xs_state_lock);
xs_state_users--;
if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) ||
- req->type == XS_TRANSACTION_END)
+ (req->type == XS_TRANSACTION_END &&
+ !WARN_ON_ONCE(req->msg.type == XS_ERROR &&
+ !strcmp(req->body, "ENOENT"))))
xs_state_users--;
spin_unlock(&xs_state_lock);
--
2.16.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
@ 2018-03-15 2:43 ` Simon Gaiser
2018-03-15 2:43 ` Simon Gaiser
` (6 subsequent siblings)
7 siblings, 0 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel; +Cc: Simon Gaiser, Juergen Gross, Boris Ostrovsky, linux-kernel
Users of the xenbus functions should never close a non existent
transaction (for example by trying to closing the same transaction
twice) but better catch it in xs_request_exit() than to corrupt the
reference counter.
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_xs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index 3f3b29398ab8..49a3874ae6bb 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -140,7 +140,9 @@ void xs_request_exit(struct xb_req_data *req)
spin_lock(&xs_state_lock);
xs_state_users--;
if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) ||
- req->type == XS_TRANSACTION_END)
+ (req->type == XS_TRANSACTION_END &&
+ !WARN_ON_ONCE(req->msg.type == XS_ERROR &&
+ !strcmp(req->body, "ENOENT"))))
xs_state_users--;
spin_unlock(&xs_state_lock);
--
2.16.2
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
` (2 preceding siblings ...)
2018-03-15 2:43 ` [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END Simon Gaiser
@ 2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:33 ` [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Juergen Gross
` (3 subsequent siblings)
7 siblings, 2 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel; +Cc: Simon Gaiser, Boris Ostrovsky, Juergen Gross, linux-kernel
By guaranteeing that the argument of XS_TRANSACTION_END is valid we can
assume that the transaction has been closed when we get an XS_ERROR
response from xenstore (Note that we already verify that it's a valid
transaction id).
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_dev_frontend.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 81a84b3c1c50..0d6d9264d6a9 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -429,6 +429,10 @@ static int xenbus_write_transaction(unsigned msg_type,
{
int rc;
struct xenbus_transaction_holder *trans = NULL;
+ struct {
+ struct xsd_sockmsg hdr;
+ char body[];
+ } *msg = (void *)u->u.buffer;
if (msg_type == XS_TRANSACTION_START) {
trans = kzalloc(sizeof(*trans), GFP_KERNEL);
@@ -437,11 +441,15 @@ static int xenbus_write_transaction(unsigned msg_type,
goto out;
}
list_add(&trans->list, &u->transactions);
- } else if (u->u.msg.tx_id != 0 &&
- !xenbus_get_transaction(u, u->u.msg.tx_id))
+ } else if (msg->hdr.tx_id != 0 &&
+ !xenbus_get_transaction(u, msg->hdr.tx_id))
return xenbus_command_reply(u, XS_ERROR, "ENOENT");
+ else if (msg_type == XS_TRANSACTION_END &&
+ !(msg->hdr.len == 2 &&
+ (!strcmp(msg->body, "T") || !strcmp(msg->body, "F"))))
+ return xenbus_command_reply(u, XS_ERROR, "EINVAL");
- rc = xenbus_dev_request_and_reply(&u->u.msg, u);
+ rc = xenbus_dev_request_and_reply(&msg->hdr, u);
if (rc && trans) {
list_del(&trans->list);
kfree(trans);
--
2.16.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
2018-03-15 2:43 ` [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions Simon Gaiser
2018-03-15 2:43 ` Simon Gaiser
@ 2018-03-15 2:43 ` Simon Gaiser
2018-03-15 2:43 ` Simon Gaiser
` (4 subsequent siblings)
7 siblings, 0 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel; +Cc: Simon Gaiser, Juergen Gross, Boris Ostrovsky, linux-kernel
By guaranteeing that the argument of XS_TRANSACTION_END is valid we can
assume that the transaction has been closed when we get an XS_ERROR
response from xenstore (Note that we already verify that it's a valid
transaction id).
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_dev_frontend.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 81a84b3c1c50..0d6d9264d6a9 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -429,6 +429,10 @@ static int xenbus_write_transaction(unsigned msg_type,
{
int rc;
struct xenbus_transaction_holder *trans = NULL;
+ struct {
+ struct xsd_sockmsg hdr;
+ char body[];
+ } *msg = (void *)u->u.buffer;
if (msg_type == XS_TRANSACTION_START) {
trans = kzalloc(sizeof(*trans), GFP_KERNEL);
@@ -437,11 +441,15 @@ static int xenbus_write_transaction(unsigned msg_type,
goto out;
}
list_add(&trans->list, &u->transactions);
- } else if (u->u.msg.tx_id != 0 &&
- !xenbus_get_transaction(u, u->u.msg.tx_id))
+ } else if (msg->hdr.tx_id != 0 &&
+ !xenbus_get_transaction(u, msg->hdr.tx_id))
return xenbus_command_reply(u, XS_ERROR, "ENOENT");
+ else if (msg_type == XS_TRANSACTION_END &&
+ !(msg->hdr.len == 2 &&
+ (!strcmp(msg->body, "T") || !strcmp(msg->body, "F"))))
+ return xenbus_command_reply(u, XS_ERROR, "EINVAL");
- rc = xenbus_dev_request_and_reply(&u->u.msg, u);
+ rc = xenbus_dev_request_and_reply(&msg->hdr, u);
if (rc && trans) {
list_del(&trans->list);
kfree(trans);
--
2.16.2
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
` (4 preceding siblings ...)
2018-03-15 10:33 ` [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Juergen Gross
@ 2018-03-15 10:33 ` Juergen Gross
2018-03-21 21:13 ` Boris Ostrovsky
2018-03-21 21:13 ` Boris Ostrovsky
7 siblings, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:33 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: stable, Boris Ostrovsky, linux-kernel
On 15/03/18 03:43, Simon Gaiser wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
> concurrent xenstore accesses") made a subtle change to the semantic of
> xenbus_dev_request_and_reply() and xenbus_transaction_end().
>
> Before on an error response to XS_TRANSACTION_END
> xenbus_dev_request_and_reply() would not decrement the active
> transaction counter. But xenbus_transaction_end() has always counted the
> transaction as finished regardless of the response.
>
> The new behavior is that xenbus_dev_request_and_reply() and
> xenbus_transaction_end() will always count the transaction as finished
> regardless the response code (handled in xs_request_exit()).
>
> But xenbus_dev_frontend tries to end a transaction on closing of the
> device if the XS_TRANSACTION_END failed before. Trying to close the
> transaction twice corrupts the reference count. So fix this by also
> considering a transaction closed if we have sent XS_TRANSACTION_END once
> regardless of the return code.
>
> Cc: <stable@vger.kernel.org> # 4.11
> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
` (3 preceding siblings ...)
2018-03-15 2:43 ` Simon Gaiser
@ 2018-03-15 10:33 ` Juergen Gross
2018-03-15 10:33 ` Juergen Gross
` (2 subsequent siblings)
7 siblings, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:33 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Boris Ostrovsky, linux-kernel, stable
On 15/03/18 03:43, Simon Gaiser wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
> concurrent xenstore accesses") made a subtle change to the semantic of
> xenbus_dev_request_and_reply() and xenbus_transaction_end().
>
> Before on an error response to XS_TRANSACTION_END
> xenbus_dev_request_and_reply() would not decrement the active
> transaction counter. But xenbus_transaction_end() has always counted the
> transaction as finished regardless of the response.
>
> The new behavior is that xenbus_dev_request_and_reply() and
> xenbus_transaction_end() will always count the transaction as finished
> regardless the response code (handled in xs_request_exit()).
>
> But xenbus_dev_frontend tries to end a transaction on closing of the
> device if the XS_TRANSACTION_END failed before. Trying to close the
> transaction twice corrupts the reference count. So fix this by also
> considering a transaction closed if we have sent XS_TRANSACTION_END once
> regardless of the return code.
>
> Cc: <stable@vger.kernel.org> # 4.11
> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
@ 2018-03-15 10:34 ` Juergen Gross
1 sibling, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:34 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Boris Ostrovsky, linux-kernel
On 15/03/18 03:43, Simon Gaiser wrote:
> Users of the xenbus functions should never close a non existent
> transaction (for example by trying to closing the same transaction
> twice) but better catch it in xs_request_exit() than to corrupt the
> reference counter.
>
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions
2018-03-15 2:43 ` Simon Gaiser
@ 2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
1 sibling, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:34 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Boris Ostrovsky, linux-kernel
On 15/03/18 03:43, Simon Gaiser wrote:
> Users of the xenbus functions should never close a non existent
> transaction (for example by trying to closing the same transaction
> twice) but better catch it in xs_request_exit() than to corrupt the
> reference counter.
>
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
@ 2018-03-15 10:34 ` Juergen Gross
1 sibling, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:34 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Boris Ostrovsky, linux-kernel
On 15/03/18 03:43, Simon Gaiser wrote:
> By guaranteeing that the argument of XS_TRANSACTION_END is valid we can
> assume that the transaction has been closed when we get an XS_ERROR
> response from xenstore (Note that we already verify that it's a valid
> transaction id).
>
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END
2018-03-15 2:43 ` Simon Gaiser
@ 2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
1 sibling, 0 replies; 14+ messages in thread
From: Juergen Gross @ 2018-03-15 10:34 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Boris Ostrovsky, linux-kernel
On 15/03/18 03:43, Simon Gaiser wrote:
> By guaranteeing that the argument of XS_TRANSACTION_END is valid we can
> assume that the transaction has been closed when we get an XS_ERROR
> response from xenstore (Note that we already verify that it's a valid
> transaction id).
>
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
` (6 preceding siblings ...)
2018-03-21 21:13 ` Boris Ostrovsky
@ 2018-03-21 21:13 ` Boris Ostrovsky
7 siblings, 0 replies; 14+ messages in thread
From: Boris Ostrovsky @ 2018-03-21 21:13 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: stable, Juergen Gross, linux-kernel
On 03/14/2018 10:43 PM, Simon Gaiser wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
> concurrent xenstore accesses") made a subtle change to the semantic of
> xenbus_dev_request_and_reply() and xenbus_transaction_end().
>
> Before on an error response to XS_TRANSACTION_END
> xenbus_dev_request_and_reply() would not decrement the active
> transaction counter. But xenbus_transaction_end() has always counted the
> transaction as finished regardless of the response.
>
> The new behavior is that xenbus_dev_request_and_reply() and
> xenbus_transaction_end() will always count the transaction as finished
> regardless the response code (handled in xs_request_exit()).
>
> But xenbus_dev_frontend tries to end a transaction on closing of the
> device if the XS_TRANSACTION_END failed before. Trying to close the
> transaction twice corrupts the reference count. So fix this by also
> considering a transaction closed if we have sent XS_TRANSACTION_END once
> regardless of the return code.
>
> Cc: <stable@vger.kernel.org> # 4.11
> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Applied the series to for-linus-4.17
-boris
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
` (5 preceding siblings ...)
2018-03-15 10:33 ` Juergen Gross
@ 2018-03-21 21:13 ` Boris Ostrovsky
2018-03-21 21:13 ` Boris Ostrovsky
7 siblings, 0 replies; 14+ messages in thread
From: Boris Ostrovsky @ 2018-03-21 21:13 UTC (permalink / raw)
To: Simon Gaiser, xen-devel; +Cc: Juergen Gross, linux-kernel, stable
On 03/14/2018 10:43 PM, Simon Gaiser wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
> concurrent xenstore accesses") made a subtle change to the semantic of
> xenbus_dev_request_and_reply() and xenbus_transaction_end().
>
> Before on an error response to XS_TRANSACTION_END
> xenbus_dev_request_and_reply() would not decrement the active
> transaction counter. But xenbus_transaction_end() has always counted the
> transaction as finished regardless of the response.
>
> The new behavior is that xenbus_dev_request_and_reply() and
> xenbus_transaction_end() will always count the transaction as finished
> regardless the response code (handled in xs_request_exit()).
>
> But xenbus_dev_frontend tries to end a transaction on closing of the
> device if the XS_TRANSACTION_END failed before. Trying to close the
> transaction twice corrupts the reference count. So fix this by also
> considering a transaction closed if we have sent XS_TRANSACTION_END once
> regardless of the return code.
>
> Cc: <stable@vger.kernel.org> # 4.11
> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Applied the series to for-linus-4.17
-boris
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling
@ 2018-03-15 2:43 Simon Gaiser
0 siblings, 0 replies; 14+ messages in thread
From: Simon Gaiser @ 2018-03-15 2:43 UTC (permalink / raw)
To: xen-devel
Cc: Simon Gaiser, Juergen Gross, Boris Ostrovsky, linux-kernel, stable
Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
concurrent xenstore accesses") made a subtle change to the semantic of
xenbus_dev_request_and_reply() and xenbus_transaction_end().
Before on an error response to XS_TRANSACTION_END
xenbus_dev_request_and_reply() would not decrement the active
transaction counter. But xenbus_transaction_end() has always counted the
transaction as finished regardless of the response.
The new behavior is that xenbus_dev_request_and_reply() and
xenbus_transaction_end() will always count the transaction as finished
regardless the response code (handled in xs_request_exit()).
But xenbus_dev_frontend tries to end a transaction on closing of the
device if the XS_TRANSACTION_END failed before. Trying to close the
transaction twice corrupts the reference count. So fix this by also
considering a transaction closed if we have sent XS_TRANSACTION_END once
regardless of the return code.
Cc: <stable@vger.kernel.org> # 4.11
Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index a493e99bed21..81a84b3c1c50 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -365,7 +365,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req)
if (WARN_ON(rc))
goto out;
}
- } else if (req->msg.type == XS_TRANSACTION_END) {
+ } else if (req->type == XS_TRANSACTION_END) {
trans = xenbus_get_transaction(u, req->msg.tx_id);
if (WARN_ON(!trans))
goto out;
--
2.16.2
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2018-03-21 21:11 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-15 2:43 [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Simon Gaiser
2018-03-15 2:43 ` [PATCH v2 2/3] xen: xenbus: Catch closing of non existent transactions Simon Gaiser
2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
2018-03-15 2:43 ` [PATCH v2 3/3] xen: xenbus_dev_frontend: Verify body of XS_TRANSACTION_END Simon Gaiser
2018-03-15 2:43 ` Simon Gaiser
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:34 ` Juergen Gross
2018-03-15 10:33 ` [PATCH v2 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Juergen Gross
2018-03-15 10:33 ` Juergen Gross
2018-03-21 21:13 ` Boris Ostrovsky
2018-03-21 21:13 ` Boris Ostrovsky
2018-03-15 2:43 Simon Gaiser
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.