
Re: [PATCH v2] Call RingPoll/EvtchnUnmask within the ring lock


  • To: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>, "win-pv-devel@xxxxxxxxxxxxxxxxxxxx" <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Owen Smith <owen.smith@xxxxxxxxxx>
  • Date: Mon, 13 Apr 2026 10:15:40 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Mon, 13 Apr 2026 10:15:48 +0000
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v2] Call RingPoll/EvtchnUnmask within the ring lock

Reviewed-by: Owen Smith <owen.smith@xxxxxxxxxx>

________________________________________
From: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>
Sent: 30 March 2026 9:33 AM
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Cc: Tu Dinh; Owen Smith
Subject: [PATCH v2] Call RingPoll/EvtchnUnmask within the ring lock

The call to EvtchnUnmask accesses Channel outside of the ring lock.
Therefore, it can access a stale channel if the DPC is still running
after the channel has been closed in RingDisconnect. Since
RingDisconnect runs at DISPATCH_LEVEL, we cannot use KeFlushQueuedDpcs
and have to guard against the event channel's closure via the Enabled
flag instead.

Note that RingPoll is now also called within the ring lock, since it's
also vulnerable to teardown of the shared ring area. It also gains a
check to Ring->Enabled following the structure of XenVbd.

Signed-off-by: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>
---
v2: Invert conditions. Call RingPoll within the lock too. Add a check
    for Ring->Enabled in RingPoll.
---
 src/xencons/ring.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/xencons/ring.c b/src/xencons/ring.c
index afa9311..866dc74 100644
--- a/src/xencons/ring.c
+++ b/src/xencons/ring.c
@@ -471,6 +471,9 @@ RingPoll(
     PCHAR               Buffer;
     NTSTATUS            status;

+    if (!Ring->Enabled)
+        return FALSE;
+
     for (;;) {
         ULONG           Read;

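Review bot: The new early return at the top of RingPoll reads Ring->Enabled without stating that the caller must hold Ring->Lock, and the read is only meaningful against RingDisconnect if that lock is held. The RingDpc hunk below does hold it, but nothing here enforces that for other callers. Consider documenting the requirement on the function, for example with a comment or a SAL annotation such as `_Requires_lock_held_(Ring->Lock)`, and check that every other call site of RingPoll (none are visible in this diff) takes the lock first.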
@@ -567,30 +570,25 @@ RingDpc(
     ASSERT(Ring != NULL);

     for (;;) {
-        BOOLEAN Enabled;
         BOOLEAN Retry;
         KIRQL   Irql;

         KeAcquireSpinLock(&Ring->Lock, &Irql);
-        Enabled = Ring->Enabled;
-        KeReleaseSpinLock(&Ring->Lock, Irql);
+        Retry = RingPoll(Ring);

-        if (!Enabled)
-            break;
+        if (!Retry && Ring->Enabled) {
+            (VOID) XENBUS_EVTCHN(Unmask,
+                                 &Ring->EvtchnInterface,
+                                 Ring->Channel,
+                                 FALSE,
+                                 FALSE);
+        }

-        KeRaiseIrql(DISPATCH_LEVEL, &Irql);
-        Retry = RingPoll(Ring);
-        KeLowerIrql(Irql);
+        KeReleaseSpinLock(&Ring->Lock, Irql);

         if (!Retry)
             break;
     }
-
-    (VOID) XENBUS_EVTCHN(Unmask,
-                         &Ring->EvtchnInterface,
-                         Ring->Channel,
-                         FALSE,
-                         FALSE);
 }

 _Function_class_(KSERVICE_ROUTINE)
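Review bot: In RingDpc, both `Retry = RingPoll(Ring);` and the XENBUS_EVTCHN(Unmask, ...) call now execute with Ring->Lock held, so anything on those paths that acquires Ring->Lock again will deadlock (a KSPIN_LOCK is not recursive), and the lock is now held for the full duration of each poll pass. The body of RingPoll's loop is not visible in these hunks, so please confirm that neither it nor the Unmask path takes Ring->Lock or a lock that RingDisconnect acquires in the opposite order. A short comment above `if (!Retry && Ring->Enabled)` would also help: RingPoll returns FALSE both when there is no more work and when the ring is disabled, and the second Enabled test is what keeps Unmask from touching Ring->Channel in the disabled case.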
--
2.53.0.windows.2


--
Ngoc Tu Dinh | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

