Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965882AbbBCRBD (ORCPT ); Tue, 3 Feb 2015 12:01:03 -0500 Received: from mx1.redhat.com ([209.132.183.28]:50667 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756182AbbBCRA6 (ORCPT ); Tue, 3 Feb 2015 12:00:58 -0500 From: Vitaly Kuznetsov To: "K. Y. Srinivasan" , devel@linuxdriverproject.org Cc: Haiyang Zhang , linux-kernel@vger.kernel.org, Dexuan Cui , Jason Wang Subject: [PATCH 2/4] Drivers: hv: vmbus: do not lose rescind offer on failure in vmbus_process_offer() Date: Tue, 3 Feb 2015 18:00:37 +0100 Message-Id: <1422982839-3948-3-git-send-email-vkuznets@redhat.com> In-Reply-To: <1422982839-3948-1-git-send-email-vkuznets@redhat.com> References: <1422982839-3948-1-git-send-email-vkuznets@redhat.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2679 Lines: 78 In case we hit a failure condition in vmbus_process_offer() and a rescind offer was pending for the channel we just do free_channel() so CHANNELMSG_RELID_RELEASED will never be send to the host. We have to follow vmbus_process_rescind_offer() path anyway. To support the change we need to protect list_del in vmbus_process_rescind_offer() hitting an uninitialized list. Reported-by: Dexuan Cui Signed-off-by: Vitaly Kuznetsov --- drivers/hv/channel_mgmt.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index eb9ce94..fdccd16 100644 --- a/drivers/hv/channel_mgmt.c +++ b/drivers/hv/channel_mgmt.c @@ -152,6 +152,7 @@ static struct vmbus_channel *alloc_channel(void) spin_lock_init(&channel->inbound_lock); spin_lock_init(&channel->lock); + INIT_LIST_HEAD(&channel->listentry); INIT_LIST_HEAD(&channel->sc_list); INIT_LIST_HEAD(&channel->percpu_list); @@ -308,6 +309,7 @@ static void vmbus_process_offer(struct work_struct *work) struct vmbus_channel *channel; bool fnew = true; bool enq = false; + bool failure = false; int ret; unsigned long flags; @@ -408,19 +410,33 @@ static void vmbus_process_offer(struct work_struct *work) spin_lock_irqsave(&vmbus_connection.channel_lock, flags); list_del(&newchannel->listentry); spin_unlock_irqrestore(&vmbus_connection.channel_lock, flags); + /* + * Init listentry again as vmbus_process_rescind_offer can try + * doing list_del again. + */ + INIT_LIST_HEAD(&channel->listentry); kfree(newchannel->device_obj); + newchannel->device_obj = NULL; goto err_free_chan; } + goto done_init_rescind; +err_free_chan: + failure = true; done_init_rescind: + /* + * Get additional reference as vmbus_put_channel() can be called + * either directly or through vmbus_process_rescind_offer(). + */ + vmbus_get_channel(newchannel); spin_lock_irqsave(&newchannel->lock, flags); /* The next possible work is rescind handling */ INIT_WORK(&newchannel->work, vmbus_process_rescind_offer); /* Check if rescind offer was already received */ if (newchannel->rescind) queue_work(newchannel->controlwq, &newchannel->work); + else if (failure) + vmbus_put_channel(newchannel); spin_unlock_irqrestore(&newchannel->lock, flags); - return; -err_free_chan: vmbus_put_channel(newchannel); } -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/