[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Re: [PATCH] Fix wild ptr deref during device destruction.

On Thu, 2010-02-25 at 04:57 -0500, Daniel Stodden wrote:
> On Thu, 2010-02-25 at 03:28 -0500, Jan Beulich wrote:
> > Wouldn't it be better to move blk_cleanup_queue() even before del_gendisk()?
> 
> No.

Well, I beg you to differ. Maybe this changed, after all this is 2.6.3x.

Cheers,
Daniel

> [2009-09-22 12:48:58 UTC] Call Trace:
> [2009-09-22 12:48:58 UTC]  [<c01d0186>] ? sysfs_remove_dir+0x46/0xa0
> [2009-09-22 12:48:58 UTC]  [<c020180f>] ? kobject_del+0xf/0x30
> [2009-09-22 12:48:58 UTC]  [<c01f107c>] ? __elv_unregister_queue+0x1c/0x20
> [2009-09-22 12:48:58 UTC]  [<c01f108f>] ? elv_unregister_queue+0xf/0x20
> [2009-09-22 12:48:58 UTC]  [<c01f512a>] ? blk_unregister_queue+0x2a/0x70
> [2009-09-22 12:48:58 UTC]  [<c01fa55a>] ? unlink_gendisk+0x2a/0x40
> [2009-09-22 12:48:58 UTC]  [<c01c9b10>] ? del_gendisk+0x60/0xd0
> [2009-09-22 12:48:58 UTC]  [<c028066e>] ? destroy_backdev+0x7e/0x100
> [2009-09-22 12:48:58 UTC]  [<c027f05b>] ? tap_blkif_schedule+0x5cb/0x830
> [2009-09-22 12:48:58 UTC]  [<c011ed51>] ? pick_next_task_fair+0x91/0xd0
> [2009-09-22 12:48:58 UTC]  [<c013dd70>] ? autoremove_wake_function+0x0/0x50
> [2009-09-22 12:48:58 UTC]  [<c027ea90>] ? tap_blkif_schedule+0x0/0x830
> [2009-09-22 12:48:58 UTC]  [<c013da12>] ? kthread+0x42/0x70
> [2009-09-22 12:48:58 UTC]  [<c013d9d0>] ? kthread+0x0/0x70
> [2009-09-22 12:48:58 UTC]  [<c010561b>] ? kernel_thread_helper+0x7/0x10
> 
> changeset:   660:88fe4866b738
> user:        Daniel Stodden <daniel.stodden@xxxxxxxxxx>
> date:        Wed Oct 07 13:54:16 2009 -0700
> files:       CA-32943-wild-ptr-deref.diff series
> description:
> CA-33070: Fix and reenable my broken CA-30953.diff & co.
> 
> A del_gendisk() definitely wants to find a queue on the disk. Which
> in turn will have dropped to zero right after the cleanup
> call. Because that crackbrained gendisk, as the only queue holder
> which really matters in that entire game, is also the single entity
> left short of maintaining that ref on its own here.
> 
> In summary, it apparently has to be *this* particular order.
> 
> +diff -r ebd0574c414a drivers/xen/blktap/backdev.c
> +--- a/drivers/xen/blktap/backdev.c   Mon Sep 21 16:09:37 2009 -0700
> ++++ b/drivers/xen/blktap/backdev.c   Tue Sep 22 17:16:52 2009 -0700
> +@@ -99,10 +99,9 @@
>       spin_unlock_irq(&backdev_io_lock);
>   
> +     del_gendisk(info->gd);
>  +    blk_cleanup_queue(info->gd->queue);
> -+
> -     del_gendisk(info->gd);
>       put_disk(info->gd);
>   
>  -    blk_cleanup_queue(info->gd->queue);
> 
> 



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.