[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions

To: Sasha Levin <sasha.levin@xxxxxxxxxx>
From: Oleg Nesterov <oleg@xxxxxxxxxx>
Date: Sun, 8 Feb 2015 18:14:57 +0100
Cc: jeremy@xxxxxxxx, Raghavendra K T <raghavendra.kt@xxxxxxxxxxxxxxxxxx>, kvm@xxxxxxxxxxxxxxx, peterz@xxxxxxxxxxxxx, jasowang@xxxxxxxxxx, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, paul.gortmaker@xxxxxxxxxxxxx, hpa@xxxxxxxxx, ak@xxxxxxxxxxxxxxx, a.ryabinin@xxxxxxxxxxx, x86@xxxxxxxxxx, borntraeger@xxxxxxxxxx, mingo@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, paulmck@xxxxxxxxxxxxxxxxxx, davej@xxxxxxxxxx, tglx@xxxxxxxxxxxxx, waiman.long@xxxxxx, linux-kernel@xxxxxxxxxxxxxxx, pbonzini@xxxxxxxxxx, akpm@xxxxxxxxxxxxxxxxxxxx, torvalds@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 08 Feb 2015 17:17:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 02/06, Sasha Levin wrote:
>
> Can we modify it slightly to avoid potentially accessing invalid memory:
> 
> diff --git a/arch/x86/include/asm/spinlock.h b/arch/x86/include/asm/spinlock.h
> index 5315887..cd22d73 100644
> --- a/arch/x86/include/asm/spinlock.h
> +++ b/arch/x86/include/asm/spinlock.h
> @@ -144,13 +144,13 @@ static __always_inline void 
> arch_spin_unlock(arch_spinlock_t *lock
>         if (TICKET_SLOWPATH_FLAG &&
>                 static_key_false(&paravirt_ticketlocks_enabled)) {
>                 __ticket_t prev_head;
> -
> +               bool needs_kick = lock->tickets.tail & TICKET_SLOWPATH_FLAG;
>                 prev_head = lock->tickets.head;
>                 add_smp(&lock->tickets.head, TICKET_LOCK_INC);
> 
>                 /* add_smp() is a full mb() */
> 
> -               if (unlikely(lock->tickets.tail & TICKET_SLOWPATH_FLAG)) {
> +               if (unlikely(needs_kick)) {

This doesn't look right too...

We need to guarantee that either unlock() sees TICKET_SLOWPATH_FLAG, or
the calller of __ticket_enter_slowpath() sees the result of add_smp().

Suppose that kvm_lock_spinning() is called right before add_smp() and it
sets SLOWPATH. It will block then because .head != want, and it needs
__ticket_unlock_kick().

Oleg.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions
  - From: Raghavendra K T
- Re: [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions
  - From: Sasha Levin

Prev by Date: [Xen-devel] [PATCH] tools/ocaml: remove uint32 use added by 674ad2b
Next by Date: Re: [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions
Previous by thread: Re: [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions
Next by thread: Re: [Xen-devel] [PATCH] x86 spinlock: Fix memory corruption on completing completions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.