[PATCH 2/4] Drivers: hv: vmbus: do not lose rescind offer on failure in vmbus_process_offer()

From: Vitaly Kuznetsov
Date: Tue Feb 03 2015 - 12:01:06 EST

Next message: Vitaly Kuznetsov: "[PATCH 3/4] Drivers: hv: vmbus: protect vmbus_get_outgoing_channel() against channel removal"
Previous message: Vitaly Kuznetsov: "[PATCH 4/4] hyperv: netvsc: improve protection against rescind offer"
In reply to: Dexuan Cui: "RE: [PATCH 4/4] hyperv: netvsc: improve protection against rescind offer"
Next in thread: Dexuan Cui: "RE: [PATCH 2/4] Drivers: hv: vmbus: do not lose rescind offer on failure in vmbus_process_offer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In case we hit a failure condition in vmbus_process_offer() and a rescind offer
was pending for the channel we just do free_channel() so CHANNELMSG_RELID_RELEASED
will never be send to the host. We have to follow vmbus_process_rescind_offer()
path anyway.

To support the change we need to protect list_del in vmbus_process_rescind_offer()
hitting an uninitialized list.

Reported-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
drivers/hv/channel_mgmt.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index eb9ce94..fdccd16 100644
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -152,6 +152,7 @@ static struct vmbus_channel *alloc_channel(void)
spin_lock_init(&channel->inbound_lock);
spin_lock_init(&channel->lock);

+ INIT_LIST_HEAD(&channel->listentry);
INIT_LIST_HEAD(&channel->sc_list);
INIT_LIST_HEAD(&channel->percpu_list);

@@ -308,6 +309,7 @@ static void vmbus_process_offer(struct work_struct *work)
struct vmbus_channel *channel;
bool fnew = true;
bool enq = false;
+ bool failure = false;
int ret;
unsigned long flags;

@@ -408,19 +410,33 @@ static void vmbus_process_offer(struct work_struct *work)
spin_lock_irqsave(&vmbus_connection.channel_lock, flags);
list_del(&newchannel->listentry);
spin_unlock_irqrestore(&vmbus_connection.channel_lock, flags);
+ /*
+ * Init listentry again as vmbus_process_rescind_offer can try
+ * doing list_del again.
+ */
+ INIT_LIST_HEAD(&channel->listentry);
kfree(newchannel->device_obj);
+ newchannel->device_obj = NULL;
goto err_free_chan;
}
+ goto done_init_rescind;
+err_free_chan:
+ failure = true;
done_init_rescind:
+ /*
+ * Get additional reference as vmbus_put_channel() can be called
+ * either directly or through vmbus_process_rescind_offer().
+ */
+ vmbus_get_channel(newchannel);
spin_lock_irqsave(&newchannel->lock, flags);
/* The next possible work is rescind handling */
INIT_WORK(&newchannel->work, vmbus_process_rescind_offer);
/* Check if rescind offer was already received */
if (newchannel->rescind)
queue_work(newchannel->controlwq, &newchannel->work);
+ else if (failure)
+ vmbus_put_channel(newchannel);
spin_unlock_irqrestore(&newchannel->lock, flags);
- return;
-err_free_chan:
vmbus_put_channel(newchannel);
}

--
1.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vitaly Kuznetsov: "[PATCH 3/4] Drivers: hv: vmbus: protect vmbus_get_outgoing_channel() against channel removal"
Previous message: Vitaly Kuznetsov: "[PATCH 4/4] hyperv: netvsc: improve protection against rescind offer"
In reply to: Dexuan Cui: "RE: [PATCH 4/4] hyperv: netvsc: improve protection against rescind offer"
Next in thread: Dexuan Cui: "RE: [PATCH 2/4] Drivers: hv: vmbus: do not lose rescind offer on failure in vmbus_process_offer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]