Message ID | 1502800232-26670-3-git-send-email-andrew.cooper3@citrix.com (mailing list archive) |
---|---|
State | New, archived |
>>> On 15.08.17 at 14:30, <andrew.cooper3@citrix.com> wrote: > --- a/xen/common/grant_table.c > +++ b/xen/common/grant_table.c > @@ -2345,6 +2345,12 @@ __acquire_grant_for_copy( > * non-zero refcount and hence a valid owner. > */ > ASSERT(td); > + > + if ( td != rd ) > + { > + ASSERT(td == act->trans_domain); > + rcu_lock_domain(td); > + } > } > > act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc; I think this is superseded by patch 2 of the XSA-226 series just sent. Jan
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 706cd90..512581f 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -2345,6 +2345,12 @@ __acquire_grant_for_copy( * non-zero refcount and hence a valid owner. */ ASSERT(td); + + if ( td != rd ) + { + ASSERT(td == act->trans_domain); + rcu_lock_domain(td); + } } act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
An RCU reference is always dropped for the transitive grant in __release_grant_for_copy(). The __acquire fastpath needs to match the slowpath in terms of number of references taken.

This is only not an XSA by luck. rcu_unlock_domain() is a nop other than decrementing the preempt count, and nothing reads the preempt count outside of a debug build.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Tim Deegan <tim@xen.org>
CC: Wei Liu <wei.liu2@citrix.com>

Whether to take this patch or not depends on which version of the transitive refcounting fix gets taken.
---
xen/common/grant_table.c | 6 ++++++
1 file changed, 6 insertions(+)
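
Review bot: The new `if ( td != rd )` block in __acquire_grant_for_copy() takes an RCU reference with no comment saying which unlock it pairs with. The commit message explains that __release_grant_for_copy() always drops a reference for the transitive grant and that this fast path has to take the same number of references as the slow path; a short comment to that effect above `rcu_lock_domain(td);` would keep the pairing visible to anyone who later changes either path. In the same block, `ASSERT(td == act->trans_domain);` is the only check tying td to the grant's recorded transitive domain, and it gives no protection in a non-debug build, so the comment should also say why that invariant holds at this point. Since the reply above says this may be superseded by patch 2 of the XSA-226 series, it is worth confirming against that series that the reference is not taken twice on this path before applying.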