An RCU reference is always dropped for the transitive grant in
__release_grant_for_copy().  The __acquire fastpath needs to match the
slowpath in terms of number of references taken.

This is only not an XSA by luck.  rcu_unlock_domain() is a nop other than
decrementing the preempt count, and nothing reads the preempt count outside of
a debug build.

Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
---
CC: George Dunlap <george.dun...@eu.citrix.com>
CC: Jan Beulich <jbeul...@suse.com>
CC: Stefano Stabellini <sstabell...@kernel.org>
CC: Tim Deegan <t...@xen.org>
CC: Wei Liu <wei.l...@citrix.com>

Whether to take this patch or not depends on which version of the transitive
refcounting fix gets taken.
---
 xen/common/grant_table.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 706cd90..512581f 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2345,6 +2345,12 @@ __acquire_grant_for_copy(
          * non-zero refcount and hence a valid owner.
          */
         ASSERT(td);
+
+        if ( td != rd )
+        {
+            ASSERT(td == act->trans_domain);
+            rcu_lock_domain(td);
+        }
     }
 
     act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
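Review bot: the new `if ( td != rd )` block after ASSERT(td) takes a reference with rcu_lock_domain(td) but has no comment saying where that reference is dropped. The commit message places the matching drop in __release_grant_for_copy(); a short comment here naming that function, and noting that the fastpath must take the same number of references as the slowpath, would keep the pairing visible to whoever next changes either side. It is also worth confirming that the release side decides to drop on a condition equivalent to `td != rd`, because ASSERT(td == act->trans_domain) only checks the relationship in debug builds.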
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
