|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2] mce: Fix race condition in mctelem_xchg_head
Frediano Ziglio wrote: > The function (mctelem_xchg_head()) used to exchange mce telemetry > list heads is racy. It may write to the head twice, with the second > write linking to an element in the wrong state. > > If there are two threads, T1 inserting on committed list; and T2 > trying to consume it. > > 1. T1 starts inserting an element (A), sets prev pointer (mcte_prev). > 2. T1 is interrupted after the cmpxchg succeeded. > 3. T2 gets the list and changes element A and updates the commit list > head. > 4. T1 resumes, reads pointer to prev again and compare with result > from the cmpxchg which succeeded but in the meantime prev changed > in memory. > 5. T1 thinks the cmpxchg failed and goes around the loop again, > linking head to A again. > > To solve the race use temporary variable for prev pointer. > > *linkp (which point to a field in the element) must be updated before > the cmpxchg() as after a successful cmpxchg the element might be > immediately removed and reinitialized. > > The wmb() prior to the cmpchgptr() call is not necessary since it is > already a full memory barrier. This wmb() is thus removed. > > Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx> Reviewed-by: Liu Jinsong <jinsong.liu@xxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |