Re: [added to the 3.18 stable tree] xen/gntdevt: Fix race condition in gntdev_release()

On Thu, Aug 27, 2015 at 11:37:44AM -0400, Sasha Levin wrote:
> From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> 
> This patch has been added to the 3.18 stable tree. If you have any
> objections, please let us know.

On 3.18 it should be spin_lock, not mutex_lock.
Modified patch here:
https://raw.githubusercontent.com/QubesOS/qubes-linux-kernel/stable-3.18/patches.xen/0001-xen-grant-fix-race-condition-in-gntdev_release.patch


> ===============
> 
> [ Upstream commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 ]
> 
> While gntdev_release() is called the MMU notifier is still registered
> and can traverse priv->maps list even if no pages are mapped (which is
> the case -- gntdev_release() is called after all). But
> gntdev_release() will clear that list, so make sure that only one of
> those things happens at the same time.
> 
> Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
> ---
>  drivers/xen/gntdev.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
> index 073b4a1..ff3c98f 100644
> --- a/drivers/xen/gntdev.c
> +++ b/drivers/xen/gntdev.c
> @@ -529,12 +529,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
>  
>  	pr_debug("priv %p\n", priv);
>  
> +	mutex_lock(&priv->lock);
>  	while (!list_empty(&priv->maps)) {
>  		map = list_entry(priv->maps.next, struct grant_map, next);
>  		list_del(&map->next);
>  		gntdev_put_map(NULL /* already removed */, map);
>  	}
>  	WARN_ON(!list_empty(&priv->freeable_maps));
> +	mutex_unlock(&priv->lock);
>  
>  	if (use_ptemod)
>  		mmu_notifier_unregister(&priv->mn, priv->mm);

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

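The race the commit message describes, as an added userspace model that is not part of this thread, the patch, or the kernel: a "release" thread pops and frees every entry of priv->maps while a "notifier" thread walks the same list under priv->lock, exactly the two operations the patch serialises. The names priv, maps, lock, gntdev_release and mn_invl_range_start are borrowed from the patch for readability; struct run, run_race(), NMAPS, the freed flag and the singly linked list are assumptions of this model (the kernel uses list_head and really frees the map, so the same interleaving there is a use-after-free rather than a flag read). Build with `cc -pthread`.

```c
/* Added example, not code from the patch or the Linux kernel.
 * Models gntdev_release() racing with the MMU notifier walk of priv->maps.
 * Build: cc -pthread race.c */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NMAPS 64   /* assumption: number of maps in the model's list */

/* Stand-in for struct grant_map: a list node plus a "freed" flag, so a
 * use-after-free shows up as a flag read instead of undefined behaviour. */
struct grant_map {
    struct grant_map *next;
    int freed;
};

struct gntdev_priv {
    pthread_mutex_t lock;          /* priv->lock (a spinlock in 3.18) */
    struct grant_map *maps;        /* priv->maps, singly linked here */
    struct grant_map pool[NMAPS];  /* backing storage, never really freed */
};

struct run {                        /* assumption: per-run bookkeeping */
    struct gntdev_priv priv;
    int release_locked;             /* 1 = with the patch, 0 = without */
    int walk_rounds;
    int saw_freed;                  /* notifier read a map after it was freed */
    int max_len;                    /* longest list the notifier observed */
};

static void gntdev_put_map(struct grant_map *map) { map->freed = 1; }

/* gntdev_release(): pops and frees every map. With the patch the whole
 * clear runs under priv->lock, so a concurrent walk sees all or nothing. */
static void *gntdev_release(void *arg)
{
    struct run *r = arg;
    struct gntdev_priv *priv = &r->priv;
    if (r->release_locked) pthread_mutex_lock(&priv->lock);
    while (priv->maps) {
        struct grant_map *map = priv->maps;
        priv->maps = map->next;     /* list_del(&map->next) */
        gntdev_put_map(map);        /* gntdev_put_map(NULL, map) */
    }
    if (r->release_locked) pthread_mutex_unlock(&priv->lock);
    return NULL;
}

/* mn_invl_range_start(): the notifier already held priv->lock while
 * traversing priv->maps; that alone does not help if release does not. */
static void *mn_invl_range_start(void *arg)
{
    struct run *r = arg;
    struct gntdev_priv *priv = &r->priv;
    for (int i = 0; i < r->walk_rounds; i++) {
        int len = 0;
        pthread_mutex_lock(&priv->lock);
        for (struct grant_map *m = priv->maps; m; m = m->next) {
            if (m->freed) r->saw_freed = 1;   /* would be a UAF in the kernel */
            len++;
        }
        pthread_mutex_unlock(&priv->lock);
        if (len > r->max_len) r->max_len = len;
    }
    return NULL;
}

/* Runs release and notifier concurrently. Returns 1 if the notifier ever
 * read a freed map, 0 if every walk saw a consistent list. */
int run_race(int release_locked, int walk_rounds, int *max_len_out)
{
    struct run r;
    memset(&r, 0, sizeof r);
    r.release_locked = release_locked;
    r.walk_rounds = walk_rounds;
    pthread_mutex_init(&r.priv.lock, NULL);
    for (int i = 0; i < NMAPS; i++)
        r.priv.pool[i].next = (i + 1 < NMAPS) ? &r.priv.pool[i + 1] : NULL;
    r.priv.maps = &r.priv.pool[0];

    pthread_t notifier, release;
    pthread_create(&notifier, NULL, mn_invl_range_start, &r);
    pthread_create(&release, NULL, gntdev_release, &r);
    pthread_join(notifier, NULL);
    pthread_join(release, NULL);
    pthread_mutex_destroy(&r.priv.lock);
    if (max_len_out) *max_len_out = r.max_len;
    return r.saw_freed;
}

int main(void)
{
    int len;
    printf("unlocked release: saw_freed=%d\n", run_race(0, 100000, &len));
    printf("locked release:   saw_freed=%d max_len=%d\n",
           run_race(1, 100000, &len), len);
    return 0;
}
```

With release_locked set, every walk observes either the full list or an empty one and never a freed map, which is the property the patch establishes; without it the outcome depends on scheduling, so the unlocked run is only there to show that the notifier's own lock is not sufficient.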