1 From 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>
3 Date: Fri, 26 Jun 2015 03:28:24 +0200
4 Subject: xen/gntdevt: Fix race condition in gntdev_release()
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>
10
11 commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 upstream.
12
13 While gntdev_release() is called the MMU notifier is still registered
14 and can traverse priv->maps list even if no pages are mapped (which is
15 the case -- gntdev_release() is called after all). But
16 gntdev_release() will clear that list, so make sure that only one of
17 those things happens at the same time.
18
19 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
20 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22
23 ---
24 drivers/xen/gntdev.c | 2 ++
25 1 file changed, 2 insertions(+)
26
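--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -534,12 +534,14 @@ static int gntdev_release(struct inode *
 
 pr_debug("priv %p\n", priv);
 
+ mutex_lock(&priv->lock);
 while (!list_empty(&priv->maps)) {
 map = list_entry(priv->maps.next, struct grant_map, next);
 list_del(&map->next);
 gntdev_put_map(NULL /* already removed */, map);
 }
 WARN_ON(!list_empty(&priv->freeable_maps));
+ mutex_unlock(&priv->lock);
 
 if (use_ptemod)
 mmu_notifier_unregister(&priv->mn, priv->mm);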
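Review bot: The added `mutex_lock(&priv->lock)` / `mutex_unlock(&priv->lock)` pair around the `priv->maps` teardown loop assumes that `priv->lock` is a `struct mutex` in the tree this backport targets, and the hunk does not show the field's declaration. For a stable backport, confirm the lock's type and that the MMU notifier callbacks walk `priv->maps` under this same lock. Otherwise the pair serializes nothing and the list can still be modified while it is being traversed. `gntdev_put_map(NULL /* already removed */, map)` now runs with the lock held, so also check that it never takes `priv->lock` itself on the `NULL` path. A one-line comment above the lock would record the intent, e.g. `/* MMU notifier is still registered and may walk priv->maps; serialize with it. */`. The body of gntdev_release() starts and ends outside the hunk.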