Roger Pau Monne
2013-Jul-08 13:03 UTC
[PATCH RFC 1/4] xen-gnt: prevent adding duplicate gnt callbacks
With the current implementation, the callback in the tail of the list
can be added twice, because the check done in
gnttab_request_free_callback is bogus, callback->next can be NULL if
it is the last callback in the list. If we add the same callback twice
we end up with an infinite loop, where callback == callback->next.
Replace this check with a proper one that iterates over the list to
see if the callback has already been added.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/grant-table.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 04c1b2d..d5418c1 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct
gnttab_free_callback *callback,
void (*fn)(void *), void *arg, u16 count)
{
unsigned long flags;
+ struct gnttab_free_callback *cb;
+
spin_lock_irqsave(&gnttab_list_lock, flags);
- if (callback->next)
- goto out;
+
+ /* Check if the callback is already on the list */
+ cb = gnttab_free_callback_list;
+ while (cb) {
+ if (cb == callback)
+ goto out;
+ cb = cb->next;
+ }
+
callback->fn = fn;
callback->arg = arg;
callback->count = count;
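Review bot: the `while (cb)` walk added after spin_lock_irqsave(&gnttab_list_lock, flags) scans the whole list on every request with the lock held and interrupts off. If the list can grow, the test can stay O(1) by ending the list with a non-NULL marker, so that `callback->next == NULL` really means "not queued", or by moving to struct list_head. If the walk stays, extend the new comment to say why `callback->next` cannot be used: the tail entry has next == NULL.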
--
1.7.7.5 (Apple Git-26)
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
David Vrabel
2013-Jul-11 13:17 UTC
Re: [PATCH RFC 1/4] xen-gnt: prevent adding duplicate gnt callbacks
On 08/07/13 14:03, Roger Pau Monne wrote:
> With the current implementation, the callback in the tail of the list
> can be added twice, because the check done in
> gnttab_request_free_callback is bogus, callback->next can be NULL if
> it is the last callback in the list. If we add the same callback twice
> we end up with an infinite loop, where callback == callback->next.
>
> Replace this check with a proper one that iterates over the list to
> see if the callback has already been added.
>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> ---
> drivers/xen/grant-table.c | 13 +++++++++++--
> 1 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c > index 04c1b2d..d5418c1 100644 > --- a/drivers/xen/grant-table.c > +++ b/drivers/xen/grant-table.c > @@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback, > void (*fn)(void *), void *arg, u16 count) > { > unsigned long flags; > + struct gnttab_free_callback *cb; > + > spin_lock_irqsave(&gnttab_list_lock, flags); > - if (callback->next) > - goto out; > + > + /* Check if the callback is already on the list */ > + cb = gnttab_free_callback_list; > + while (cb) { > + if (cb == callback) > + goto out; > + cb = cb->next; > + }

O(N)?

Suggest using the standard list infrastructure, or using something other
than NULL for the end of the list (e.g., gnttab_free_callback_list).

gnttab_request_free_callback() is also putting the callbacks in the
wrong order -- it should be FIFO not LIFO. Might be nice to fix this as
well.

David
Roger Pau Monné
2013-Jul-11 16:23 UTC
Re: [PATCH RFC 1/4] xen-gnt: prevent adding duplicate gnt callbacks
On 11/07/13 15:17, David Vrabel wrote:
> On 08/07/13 14:03, Roger Pau Monne wrote:
>> With the current implementation, the callback in the tail of the list
>> can be added twice, because the check done in
>> gnttab_request_free_callback is bogus, callback->next can be NULL if
>> it is the last callback in the list. If we add the same callback twice
>> we end up with an infinite loop, where callback == callback->next.
>>
>> Replace this check with a proper one that iterates over the list to
>> see if the callback has already been added.
>>
>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>> ---
>> drivers/xen/grant-table.c | 13 +++++++++++--
>> 1 files changed, 11 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c >> index 04c1b2d..d5418c1 100644 >> --- a/drivers/xen/grant-table.c >> +++ b/drivers/xen/grant-table.c
>> @@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback, >> void (*fn)(void *), void *arg, u16 count) >> { >> unsigned long flags; >> + struct gnttab_free_callback *cb; >> + >> spin_lock_irqsave(&gnttab_list_lock, flags); >> - if (callback->next) >> - goto out; >> + >> + /* Check if the callback is already on the list */ >> + cb = gnttab_free_callback_list; >> + while (cb) { >> + if (cb == callback) >> + goto out; >> + cb = cb->next; >> + }
>
> O(N)?

IMHO we should not worry _that_ much about having an O(N) search here,
the number of elements in the list is probably going to be quite low
(5, maybe 10?). That doesn't mean I am opposed to changing the free
callback list code.

> Suggest using the standard list infrastructure, or using something other
> than NULL for the end of the list (e.g., gnttab_free_callback_list).
>
> gnttab_request_free_callback() is also putting the callbacks in the
> wrong order -- it should be FIFO not LIFO. Might be nice to fix this as
> well.

Agree, all this free callback list mechanism is pretty ad-hoc, we should
use one of the list types provided by Linux, so bugs like the one I've
found can be avoided and we can use a FIFO list.
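The failure discussed in this thread, modelled in userspace C as an added example (not code from the patch or from the Xen tree). It compares the `next != NULL` test, the list walk from the patch, and the non-NULL end marker suggested in the first reply, when the tail entry is queued a second time. `struct cb`, `add`, `end_marker` and `requeue_tail_loops` are hypothetical names, and head insertion is assumed from the LIFO remark above.

```c
#include <stdio.h>

/* Userspace model of the callback list; every name here is constructed. */
struct cb { struct cb *next; };
enum check { NEXT_PTR, WALK, SENTINEL };

static struct cb *head;       /* newest entry first, NULL when empty */
static struct cb end_marker;  /* hypothetical non-NULL end-of-list marker */

/* Queue c unless the chosen membership test says it is already queued. */
static int add(struct cb *c, enum check how)
{
    if (how == WALK) {                    /* patched test: O(N) scan */
        for (struct cb *p = head; p; p = p->next)
            if (p == c)
                return 0;
    } else if (c->next) {                 /* O(1) test on the next pointer */
        return 0;
    }
    /* NEXT_PTR leaves the tail with next == NULL, so the tail passes the
     * test above a second time; SENTINEL gives the tail a non-NULL next. */
    c->next = (how == SENTINEL && !head) ? &end_marker : head;
    head = c;
    return 1;
}

/* Queue a (and b if with_b), then a again; returns 1 if the list now loops. */
static int requeue_tail_loops(enum check how, int with_b)
{
    static struct cb a, b;
    int steps = 0;

    head = a.next = b.next = NULL;        /* start from an empty list */
    add(&a, how);
    if (with_b)
        add(&b, how);
    add(&a, how);                         /* a is the tail at this point */
    for (struct cb *p = head; p && steps < 8; p = p->next)
        steps++;                          /* reaching 8 steps means a cycle */
    return steps == 8;
}

int main(void)
{
    for (int how = NEXT_PTR; how <= SENTINEL; how++)
        printf("check %d: loops=%d/%d\n", how,
               requeue_tail_loops(how, 0), requeue_tail_loops(how, 1));
    return 0;
}
```

With a single entry the `NEXT_PTR` case produces the `callback == callback->next` self-loop from the commit message; with two entries the cycle spans both.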