[Xen-devel] [PATCH 2/6] common/gnttab: Correct __acquire_grant_for_copy() fastpath for transitive grants

[Andrew Cooper <andrew.cooper3@xxxxxxxxxx>]

An RCU reference is always dropped for the transitive grant in
__release_grant_for_copy().  The __acquire fastpath needs to match the
slowpath in terms of number of references taken.

This is only not an XSA by luck.  rcu_unlock_domain() is a nop other than
decrementing the preempt count, and nothing reads the preempt count outside of
a debug build.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Tim Deegan <tim@xxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>

Whether to take this patch or not depends on which version of the transitive
refcounting fix gets taken.
---
 xen/common/grant_table.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 706cd90..512581f 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2345,6 +2345,12 @@ __acquire_grant_for_copy(
          * non-zero refcount and hence a valid owner.
          */
         ASSERT(td);
+
+        if ( td != rd )
+        {
+            ASSERT(td == act->trans_domain);
+            rcu_lock_domain(td);
+        }
     }
 
     act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel