diff mbox

xenbus: don't BUG() on user mode induced condition

Message ID 577E1FAD02000078000FBD88@prv-mh.provo.novell.com (mailing list archive)
State New, archived
Headers show

Commit Message

Jan Beulich July 7, 2016, 7:23 a.m. UTC 
Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Comments

David Vrabel July 7, 2016, 11:21 a.m. UTC | #1 
On 07/07/16 08:23, Jan Beulich wrote:
> Inability to locate a user mode specified transaction ID should not
> lead to a kernel crash. For other than XS_TRANSACTION_START also
> don't issue anything to xenbus if the specified ID doesn't match that
> of any active transaction.

Applied to for-linus-4.7b and Cc'd to stable, thanks.

David
Sylvain Munaut Aug. 21, 2016, 7:36 p.m. UTC | #2 
Hi,

> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>                         rc = -ENOMEM;
>                         goto out;
>                 }
> +       } else {
> +               list_for_each_entry(trans, &u->transactions, list)
> +                       if (trans->handle.id == u->u.msg.tx_id)
> +                               break;
> +               if (&trans->list == &u->transactions)
> +                       return -ESRCH;
>         }

Shouldn't there be some tolerance in there in case the tx_id is zero ?
(i.e. no transaction).

I'm trying to find out why just doing "xenstore-ls" doesn't work on my
4.4.20 kernel and when stracing it, I see it doing :

access("/dev/xen/xenbus", F_OK)         = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
60), ...}) = 0
open("/dev/xen/xenbus", O_RDWR)         = 3
brk(0)                                  = 0x18e4000
brk(0x1905000)                          = 0x1905000
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
{SIG_DFL, [], 0}, 8) = 0
write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
write(3, "/\0", 2)                      = -1 ESRCH (No such process)


So either what xenstore-ls does is invalid, or that condition
requiring a transaction is too strict.

Or am I missing something here ?


Cheers,

    Sylvain Munaut
Christoph Moench-Tegeder Aug. 21, 2016, 8 p.m. UTC | #3 
## Sylvain Munaut (s.munaut@whatever-company.com):

> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
> 4.4.20 kernel and when stracing it, I see it doing :

That looks like the same brokeness I reported earlier:
https://lists.xenproject.org/archives/html/xen-devel/2016-08/msg02496.html
Luckily I'm not alone with that :)

Regards,
Christoph
Jan Beulich Aug. 22, 2016, 6:45 a.m. UTC | #4 
>>> On 21.08.16 at 21:36, <s.munaut@whatever-company.com> wrote:
>> --- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
>>                         rc = -ENOMEM;
>>                         goto out;
>>                 }
>> +       } else {
>> +               list_for_each_entry(trans, &u->transactions, list)
>> +                       if (trans->handle.id == u->u.msg.tx_id)
>> +                               break;
>> +               if (&trans->list == &u->transactions)
>> +                       return -ESRCH;
>>         }
> 
> Shouldn't there be some tolerance in there in case the tx_id is zero ?
> (i.e. no transaction).
> 
> I'm trying to find out why just doing "xenstore-ls" doesn't work on my
> 4.4.20 kernel and when stracing it, I see it doing :
> 
> access("/dev/xen/xenbus", F_OK)         = 0
> stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10,
> 60), ...}) = 0
> open("/dev/xen/xenbus", O_RDWR)         = 3
> brk(0)                                  = 0x18e4000
> brk(0x1905000)                          = 0x1905000
> rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fe4dd98e0e0},
> {SIG_DFL, [], 0}, 8) = 0
> write(3, "\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 16) = 16
> write(3, "/\0", 2)                      = -1 ESRCH (No such process)
> 
> 
> So either what xenstore-ls does is invalid, or that condition
> requiring a transaction is too strict.
> 
> Or am I missing something here ?

See https://patchwork.kernel.org/patch/9281193/.

Jan
Sylvain Munaut Aug. 22, 2016, 7:21 a.m. UTC | #5 
Hi Jan,

> See https://patchwork.kernel.org/patch/9281193/.

Thanks for the pointer !

I had checked the kernel git tree for a potential fix, but didn't
think of patchwork.


Cheers,

    Sylvain Munaut
diff mbox

Patch

--- 4.7-rc6-xen.orig/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ 4.7-rc6-xen/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@  static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
+	} else {
+		list_for_each_entry(trans, &u->transactions, list)
+			if (trans->handle.id == u->u.msg.tx_id)
+				break;
+		if (&trans->list == &u->transactions)
+			return -ESRCH;
 	}
 
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
 	if (IS_ERR(reply)) {
-		kfree(trans);
+		if (msg_type == XS_TRANSACTION_START)
+			kfree(trans);
 		rc = PTR_ERR(reply);
 		goto out;
 	}
@@ -333,12 +340,7 @@  static int xenbus_write_transaction(unsi
 			list_add(&trans->list, &u->transactions);
 		}
 	} else if (u->u.msg.type == XS_TRANSACTION_END) {
-		list_for_each_entry(trans, &u->transactions, list)
-			if (trans->handle.id == u->u.msg.tx_id)
-				break;
-		BUG_ON(&trans->list == &u->transactions);
 		list_del(&trans->list);
-
 		kfree(trans);
 	}