Re: [PATCH/RFC] xen-blkback: set ring->xenblkd to NULL after kthread_stop()

Hi,

I forgot to write the kernel version.
This is a patch for 4.4.y.

Best regards,
  Nobuhiro

On Thu, Jan 28, 2021 at 06:05:06PM +0900, Nobuhiro Iwamatsu wrote:
> From: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>
> 
> commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream.
> 
> When xen_blkif_disconnect() is called, the kernel thread behind the
> block interface is stopped by calling kthread_stop(ring->xenblkd).
> The ring->xenblkd thread pointer being non-NULL determines if the
> thread has been already stopped.
> Normally, the thread's function xen_blkif_schedule() sets the
> ring->xenblkd to NULL, when the thread's main loop ends.
> 
> However, when the thread has not been started yet (i.e.
> wake_up_process() has not been called on it), the xen_blkif_schedule()
> function would not be called yet.
> 
> In such case the kthread_stop() call returns -EINTR and the
> ring->xenblkd remains dangling.
> When this happens, any consecutive call to xen_blkif_disconnect (for
> example in frontend_changed() callback) leads to a kernel crash in
> kthread_stop() (e.g. NULL pointer dereference in exit_creds()).
> 
> This is XSA-350.
> 
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.12
> Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread")
> Reported-by: Olivier Benjamin <oliben@xxxxxxxxxx>
> Reported-by: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>
> Signed-off-by: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>
> Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
> Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
> [iwamatsu: change from ring to blkif]
> Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@xxxxxxxxxxxxx>
> ---
>  drivers/block/xen-blkback/xenbus.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
> index 823f3480ebd19e..f974ed7c33b5df 100644
> --- a/drivers/block/xen-blkback/xenbus.c
> +++ b/drivers/block/xen-blkback/xenbus.c
> @@ -219,6 +219,7 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif)
>  
>  	if (blkif->xenblkd) {
>  		kthread_stop(blkif->xenblkd);
> +		blkif->xenblkd = NULL;
>  		wake_up(&blkif->shutdown_wq);
>  	}
>  
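Review bot: the `Cc: <stable@xxxxxxxxxxxxxxx> # 4.12` line still names 4.12 while the reply says this backport targets 4.4.y, and the `[iwamatsu: change from ring to blkif]` remark is the only hint that the pointer lives on `blkif` rather than `ring` in this tree; consider marking the target branch in the subject (e.g. `[PATCH 4.4.y]`) so stable maintainers do not queue it against the wrong tree. The code change itself is sound: clearing `blkif->xenblkd` unconditionally after `kthread_stop(blkif->xenblkd);` covers both outcomes the commit message describes, the never-started thread (kthread_stop() returns -EINTR and xen_blkif_schedule() never clears the pointer) and the normal exit (the thread body already cleared it), so leaving the return value of kthread_stop() unchecked here is correct, and the following `wake_up(&blkif->shutdown_wq);` is unaffected by the new assignment.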
> -- 
> 2.30.0
> 
> 
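A user-space model of the lifecycle bug the commit message describes, added here as an illustration and not part of the patch or of the kernel: kthread_stop(), wake_up_process(), the thread body and the blkif structure are replaced by stand-ins (model_kthread_stop(), model_wake_up_process(), struct fake_kthread and struct xen_blkif_model, all hypothetical names), and a kthread_stop() call on an already released thread is counted instead of crashing. disconnect_before_fix() and disconnect_after_fix() are the two versions of the `if (blkif->xenblkd)` block from the hunk; run_scenario() plays the sequence from the message (thread created but never woken, then xen_blkif_disconnect() called twice, as frontend_changed() can do) and returns how many times the released thread was touched.

```c
/* Model of the xen-blkback xenblkd lifecycle from the patch above.
 * Added example with stand-in types and functions, not kernel code. */
#include <stdio.h>
#include <stddef.h>

#define EINTR 4

enum thread_state { T_CREATED, T_RUNNING, T_FREED };

struct xen_blkif_model;

struct fake_kthread {
	enum thread_state state;
	struct xen_blkif_model *owner;	/* lets the thread body clear owner->xenblkd */
};

struct xen_blkif_model {
	struct fake_kthread *xenblkd;	/* the pointer the patch clears */
	int shutdown_wakeups;		/* stand-in for wake_up(&blkif->shutdown_wq) */
	int stale_stop_calls;		/* kthread_stop() on an already released thread */
};

/* Stand-in for wake_up_process(): the thread begins executing its body. */
static void model_wake_up_process(struct fake_kthread *t)
{
	if (t->state == T_CREATED)
		t->state = T_RUNNING;
}

/* Stand-in for kthread_stop(), mirroring the two outcomes in the commit message:
 * a thread that never ran returns -EINTR and its body never executes; a running
 * thread finishes, and its body (like xen_blkif_schedule()) clears owner->xenblkd.
 * Either way the task is released afterwards, so the pointer must not be reused;
 * the real kernel crashes there, this model only counts the misuse. */
static int model_kthread_stop(struct fake_kthread *t)
{
	int ret;

	switch (t->state) {
	case T_CREATED:
		ret = -EINTR;			/* never started, body did not run */
		break;
	case T_RUNNING:
		t->owner->xenblkd = NULL;	/* done by the thread body on exit */
		ret = 0;
		break;
	default:
		t->owner->stale_stop_calls++;	/* use of a released thread */
		ret = -EINTR;
		break;
	}
	t->state = T_FREED;
	return ret;
}

/* The block before the patch: pointer left dangling after -EINTR. */
static void disconnect_before_fix(struct xen_blkif_model *blkif)
{
	if (blkif->xenblkd) {
		model_kthread_stop(blkif->xenblkd);
		blkif->shutdown_wakeups++;
	}
}

/* The block after the patch: one added assignment. */
static void disconnect_after_fix(struct xen_blkif_model *blkif)
{
	if (blkif->xenblkd) {
		model_kthread_stop(blkif->xenblkd);
		blkif->xenblkd = NULL;
		blkif->shutdown_wakeups++;
	}
}

/* Creates a thread, optionally wakes it, then disconnects twice.
 * Returns the number of stops issued against the released thread (0 is the goal). */
static int run_scenario(void (*disconnect)(struct xen_blkif_model *), int wake_thread)
{
	struct fake_kthread thread = { T_CREATED, NULL };
	struct xen_blkif_model blkif = { &thread, 0, 0 };

	thread.owner = &blkif;
	if (wake_thread)
		model_wake_up_process(&thread);
	disconnect(&blkif);
	disconnect(&blkif);	/* second call, as from frontend_changed() */
	return blkif.stale_stop_calls;
}

int main(void)
{
	printf("never woken, before fix: %d stale stop(s)\n", run_scenario(disconnect_before_fix, 0));
	printf("never woken, after fix:  %d stale stop(s)\n", run_scenario(disconnect_after_fix, 0));
	printf("woken, before fix:       %d stale stop(s)\n", run_scenario(disconnect_before_fix, 1));
	return 0;
}
```

Only the never-woken path differs between the two versions: once the thread has run, its own exit already clears the pointer, which is why the bug was confined to a disconnect racing ahead of the thread's first wake-up.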
