Centos-kernel-stream-9/drivers/xen
Frank Liang b6875e88b9 xen/events: replace evtchn_rwlock with RCU
JIRA: https://issues.redhat.com/browse/RHEL-91670

commit 87797fad6cce28ec9be3c13f031776ff4f104cfc
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Aug 28 08:09:47 2023 +0200

    xen/events: replace evtchn_rwlock with RCU

    In unprivileged Xen guests event handling can cause a deadlock with
    Xen console handling. The evtchn_rwlock and the hvc_lock are taken in
    opposite sequence in __hvc_poll() and in Xen console IRQ handling.
    Normally this is no problem, as the evtchn_rwlock is taken as a reader
    in both paths, but as soon as an event channel is being closed, the
    lock will be taken as a writer, which will cause read_lock() to block:

    CPU0                     CPU1                CPU2
    (IRQ handling)           (__hvc_poll())      (closing event channel)

    read_lock(evtchn_rwlock)
                             spin_lock(hvc_lock)
                                                 write_lock(evtchn_rwlock)
                                                     [blocks]
    spin_lock(hvc_lock)
        [blocks]
                             read_lock(evtchn_rwlock)
                                 [blocks due to writer waiting,
                                  and not in_interrupt()]

    This issue can be avoided by replacing evtchn_rwlock with RCU in
    xen_free_irq(). Note that RCU is used only to delay freeing of the
    irq_info memory. There is no RCU based dereferencing or replacement of
    pointers involved.

    In order to avoid potential races between removing the irq_info
    reference and handling of interrupts, set the irq_info pointer to NULL
    only when freeing its memory. The IRQ itself must be freed at that
    time, too, as otherwise the same IRQ number could be allocated again
    before handling of the old instance would have been finished.

    This is XSA-441 / CVE-2023-34324.

    Fixes: 54c9de8989 ("xen/events: add a new "late EOI" evtchn framework")
    Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>

Signed-off-by: Frank Liang <xiliang@redhat.com>
2025-06-06 23:29:43 +08:00
..
events xen/events: replace evtchn_rwlock with RCU 2025-06-06 23:29:43 +08:00
xen-pciback
xenbus
xenfs
Kconfig
Makefile
acpi.c
arm-device.c
balloon.c
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c
evtchn.c
features.c
gntalloc.c
gntdev-common.h
gntdev-dmabuf.c
gntdev-dmabuf.h
gntdev.c
grant-dma-ops.c
grant-table.c
manage.c
mcelog.c
mem-reservation.c
pci.c
pcpu.c
platform-pci.c
privcmd-buf.c
privcmd.c mm: ptep_get() conversion 2024-09-05 20:36:52 -04:00
privcmd.h
pvcalls-back.c net: change proto and proto_ops accept type 2024-12-02 11:12:33 -05:00
pvcalls-front.c
pvcalls-front.h
swiotlb-xen.c swiotlb: reduce swiotlb pool lookups 2024-09-20 12:29:01 -07:00
sys-hypervisor.c
time.c
unpopulated-alloc.c
xen-acpi-pad.c
xen-acpi-processor.c
xen-balloon.c
xen-front-pgdir-shbuf.c
xen-scsiback.c
xlate_mmu.c xen: unexport __init-annotated xen_xlate_map_ballooned_pages() 2024-06-17 14:17:28 -04:00