From fb27cfbcbd2865b0e731c4aae47df71778da805e Mon Sep 17 00:00:00 2001 From: Jeremy Fitzhardinge Date: Wed, 25 Aug 2010 12:19:53 -0700 Subject: [PATCH 1/5] xenfs/xenbus: report partial reads/writes correctly copy_(to|from)_user return the number of uncopied bytes, so a successful return is 0, and any non-zero result indicates some degree of failure. Reported-by: "Jun Zhu (Intern)" Signed-off-by: Jeremy Fitzhardinge --- drivers/xen/xenfs/xenbus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c index 9d5b519d2e4c..d2a905826804 100644 --- a/drivers/xen/xenfs/xenbus.c +++ b/drivers/xen/xenfs/xenbus.c @@ -142,7 +142,7 @@ static ssize_t xenbus_file_read(struct file *filp, i += sz - ret; rb->cons += sz - ret; - if (ret != sz) { + if (ret != 0) { if (i == 0) i = -EFAULT; goto out; @@ -453,7 +453,7 @@ static ssize_t xenbus_file_write(struct file *filp, ret = copy_from_user(u->u.buffer + u->len, ubuf, len); - if (ret == len) { + if (ret != 0) { rc = -EFAULT; goto out; } From 6d6df2e412297b8047c407b3abcd045a67c96744 Mon Sep 17 00:00:00 2001 From: Diego Ongaro Date: Wed, 1 Sep 2010 09:18:54 -0700 Subject: [PATCH 2/5] xenbus: allow any xenbus command over /proc/xen/xenbus When xenstored is in another domain, we need to be able to send any command over xenbus. This doesn't pose a security problem because its up to xenstored to determine whether a given client is allowed to use a particular command anyway. From linux-2.5.18-xen.hg 68d582b0ad05. Signed-off-by: Jeremy Fitzhardinge --- drivers/xen/xenfs/xenbus.c | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c index d2a905826804..46cf4048e60e 100644 --- a/drivers/xen/xenfs/xenbus.c +++ b/drivers/xen/xenfs/xenbus.c @@ -486,21 +486,6 @@ static ssize_t xenbus_file_write(struct file *filp, msg_type = u->u.msg.type; switch (msg_type) { - case XS_TRANSACTION_START: - case XS_TRANSACTION_END: - case XS_DIRECTORY: - case XS_READ: - case XS_GET_PERMS: - case XS_RELEASE: - case XS_GET_DOMAIN_PATH: - case XS_WRITE: - case XS_MKDIR: - case XS_RM: - case XS_SET_PERMS: - /* Send out a transaction */ - ret = xenbus_write_transaction(msg_type, u); - break; - case XS_WATCH: case XS_UNWATCH: /* (Un)Ask for some path to be watched for changes */ @@ -508,7 +493,8 @@ static ssize_t xenbus_file_write(struct file *filp, break; default: - ret = -EINVAL; + /* Send out a transaction */ + ret = xenbus_write_transaction(msg_type, u); break; } if (ret != 0) From 76ce7618f9a24f7b13958c67f7d5ccfcdab71475 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Tue, 7 Sep 2010 11:42:18 -0400 Subject: [PATCH 3/5] xenbus: add missing wakeup in concurrent read/write If an application has a dedicated read thread watching xenbus and another thread writes an XS_WATCH message that generates a synthetic "OK" reply, this reply will be enqueued in the buffer without waking up the reader. This can cause a deadlock in the application if it then waits for the read thread to receive the queued message. Signed-off-by: Daniel De Graaf commit e752969f502a511e83f841aa01d6cd332e6d85a0 Author: Daniel De Graaf Date: Tue Sep 7 11:21:52 2010 -0400 xenbus: fix deadlock in concurrent read/write If an application has a dedicated read thread watching xenbus and another thread writes an XS_WATCH message that generates a synthetic "OK" reply, this reply will be enqueued in the buffer without waking up the reader. Signed-off-by: Jeremy Fitzhardinge --- drivers/xen/xenfs/xenbus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c index 46cf4048e60e..c4c7db8363e7 100644 --- a/drivers/xen/xenfs/xenbus.c +++ b/drivers/xen/xenfs/xenbus.c @@ -405,6 +405,7 @@ static int xenbus_write_watch(unsigned msg_type, struct xenbus_file_priv *u) mutex_lock(&u->reply_mutex); rc = queue_reply(&u->read_buffers, &reply, sizeof(reply)); + wake_up(&u->read_waitq); mutex_unlock(&u->reply_mutex); } From 7808121b9a1e44ef12fecd49fa6c268f27a150fc Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Wed, 8 Sep 2010 18:10:42 -0400 Subject: [PATCH 4/5] xenbus: avoid zero returns from read() It is possible to get a zero return from read() in instances where the queue is not empty but has no elements with data to deliver to the user. Since a zero return from read is an error indicator, resume waiting or return -EAGAIN (for a nonblocking fd) in this case. Signed-off-by: Daniel De Graaf Signed-off-by: Jeremy Fitzhardinge --- drivers/xen/xenfs/xenbus.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c index c4c7db8363e7..55791dd1105f 100644 --- a/drivers/xen/xenfs/xenbus.c +++ b/drivers/xen/xenfs/xenbus.c @@ -120,6 +120,7 @@ static ssize_t xenbus_file_read(struct file *filp, int ret; mutex_lock(&u->reply_mutex); +again: while (list_empty(&u->read_buffers)) { mutex_unlock(&u->reply_mutex); if (filp->f_flags & O_NONBLOCK) @@ -158,6 +159,8 @@ static ssize_t xenbus_file_read(struct file *filp, struct read_buffer, list); } } + if (i == 0) + goto again; out: mutex_unlock(&u->reply_mutex); From 6a5b3beff916a19e7672f8c0330b4f82ed367be2 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Mon, 20 Dec 2010 14:56:09 -0800 Subject: [PATCH 5/5] xenbus: Fix memory leak on release Pending responses were leaked on close. Signed-off-by: Daniel De Graaf Signed-off-by: Jan Beulich Signed-off-by: Jeremy Fitzhardinge --- drivers/xen/xenfs/xenbus.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c index 55791dd1105f..8f6c7d4b3e4d 100644 --- a/drivers/xen/xenfs/xenbus.c +++ b/drivers/xen/xenfs/xenbus.c @@ -543,6 +543,7 @@ static int xenbus_file_release(struct inode *inode, struct file *filp) struct xenbus_file_priv *u = filp->private_data; struct xenbus_transaction_holder *trans, *tmp; struct watch_adapter *watch, *tmp_watch; + struct read_buffer *rb, *tmp_rb; /* * No need for locking here because there are no other users, @@ -561,6 +562,10 @@ static int xenbus_file_release(struct inode *inode, struct file *filp) free_watch_adapter(watch); } + list_for_each_entry_safe(rb, tmp_rb, &u->read_buffers, list) { + list_del(&rb->list); + kfree(rb); + } kfree(u); return 0;