[thirdparty/kernel/stable-queue.git] / releases / 3.10.87 / xen-gntdevt-fix-race-condition-in-gntdev_release.patch

From 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>
Date: Fri, 26 Jun 2015 03:28:24 +0200
Subject: xen/gntdevt: Fix race condition in gntdev_release()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>

commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 upstream.

While gntdev_release() is called the MMU notifier is still registered
and can traverse priv->maps list even if no pages are mapped (which is
the case -- gntdev_release() is called after all). But
gntdev_release() will clear that list, so make sure that only one of
those things happens at the same time.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/gntdev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -534,12 +534,14 @@ static int gntdev_release(struct inode *
 
 	pr_debug("priv %p\n", priv);
 
+	mutex_lock(&priv->lock);
 	while (!list_empty(&priv->maps)) {
 		map = list_entry(priv->maps.next, struct grant_map, next);
 		list_del(&map->next);
 		gntdev_put_map(NULL /* already removed */, map);
 	}
 	WARN_ON(!list_empty(&priv->freeable_maps));
+	mutex_unlock(&priv->lock);
 
 	if (use_ptemod)
 		mmu_notifier_unregister(&priv->mn, priv->mm);
Commit	Line	Data
5f00fb13	1	From 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 Mon Sep 17 00:00:00 2001
5dd4eba1	2	From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>
5f00fb13 GKH	3	Date: Fri, 26 Jun 2015 03:28:24 +0200
	4	Subject: xen/gntdevt: Fix race condition in gntdev_release()
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
5dd4eba1	9	From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>
5f00fb13 GKH	10
	11	commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 upstream.
	12
	13	While gntdev_release() is called the MMU notifier is still registered
	14	and can traverse priv->maps list even if no pages are mapped (which is
	15	the case -- gntdev_release() is called after all). But
	16	gntdev_release() will clear that list, so make sure that only one of
	17	those things happens at the same time.
	18
	19	Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
	20	Signed-off-by: David Vrabel <david.vrabel@citrix.com>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22
	23	---
	24	drivers/xen/gntdev.c \| 2 ++
	25	1 file changed, 2 insertions(+)
	26
	27	--- a/drivers/xen/gntdev.c
	28	+++ b/drivers/xen/gntdev.c
	29	@@ -534,12 +534,14 @@ static int gntdev_release(struct inode *
	30
	31	pr_debug("priv %p\n", priv);
	32
	33	+ mutex_lock(&priv->lock);
	34	while (!list_empty(&priv->maps)) {
	35	map = list_entry(priv->maps.next, struct grant_map, next);
	36	list_del(&map->next);
	37	gntdev_put_map(NULL /* already removed */, map);
	38	}
	39	WARN_ON(!list_empty(&priv->freeable_maps));
	40	+ mutex_unlock(&priv->lock);
	41
	42	if (use_ptemod)
	43	mmu_notifier_unregister(&priv->mn, priv->mm);