xen-gnt: prevent adding duplicate gnt callbacks
authorRoger Pau Monne <roger.pau@citrix.com>
Wed, 31 Jul 2013 15:00:42 +0000 (17:00 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 00:18:02 +0000 (17:18 -0700)
commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.

With the current implementation, the callback in the tail of the list
can be added twice, because the check done in
gnttab_request_free_callback is bogus, callback->next can be NULL if
it is the last callback in the list. If we add the same callback twice
we end up with an infinite loop, were callback == callback->next.

Replace this check with a proper one that iterates over the list to
see if the callback has already been added.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Matt Wilson <msw@amazon.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/xen/grant-table.c

index 04c1b2d9b77514ca89ef1cf74d6263f5ebb93a29..d5418c1be9aaae7c6876946d57c8ba5958949e6e 100644 (file)
@@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
                                  void (*fn)(void *), void *arg, u16 count)
 {
        unsigned long flags;
+       struct gnttab_free_callback *cb;
+
        spin_lock_irqsave(&gnttab_list_lock, flags);
-       if (callback->next)
-               goto out;
+
+       /* Check if the callback is already on the list */
+       cb = gnttab_free_callback_list;
+       while (cb) {
+               if (cb == callback)
+                       goto out;
+               cb = cb->next;
+       }
+
        callback->fn = fn;
        callback->arg = arg;
        callback->count = count;