In case we hit a failure condition in vmbus_process_offer() and a rescind offer was pending for the channel we just do free_channel() so CHANNELMSG_RELID_RELEASED will never be send to the host. We have to follow vmbus_process_rescind_offer() path anyway. To support the change we need to protect list_del in vmbus_process_rescind_offer() hitting an uninitialized list.

Reported-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
 drivers/hv/channel_mgmt.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index eb9ce94..fdccd16 100644
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -152,6 +152,7 @@ static struct vmbus_channel *alloc_channel(void)
 	spin_lock_init(&channel->inbound_lock);
 	spin_lock_init(&channel->lock);
+	INIT_LIST_HEAD(&channel->listentry);
 	INIT_LIST_HEAD(&channel->sc_list);
 	INIT_LIST_HEAD(&channel->percpu_list);
@@ -308,6 +309,7 @@ static void vmbus_process_offer(struct work_struct *work)
 	struct vmbus_channel *channel;
 	bool fnew = true;
 	bool enq = false;
+	bool failure = false;
 	int ret;
 	unsigned long flags;
@@ -408,19 +410,33 @@ static void vmbus_process_offer(struct work_struct *work)
 		spin_lock_irqsave(&vmbus_connection.channel_lock, flags);
 		list_del(&newchannel->listentry);
 		spin_unlock_irqrestore(&vmbus_connection.channel_lock, flags);
+		/*
+		 * Init listentry again as vmbus_process_rescind_offer can try
+		 * doing list_del again.
+		 */
+		INIT_LIST_HEAD(&channel->listentry);
 		kfree(newchannel->device_obj);
+		newchannel->device_obj = NULL;
 		goto err_free_chan;
 	}
+	goto done_init_rescind;
+err_free_chan:
+	failure = true;
 done_init_rescind:
+	/*
+	 * Get additional reference as vmbus_put_channel() can be called
+	 * either directly or through vmbus_process_rescind_offer().
+	 */
+	vmbus_get_channel(newchannel);
 	spin_lock_irqsave(&newchannel->lock, flags);
 	/* The next possible work is rescind handling */
 	INIT_WORK(&newchannel->work, vmbus_process_rescind_offer);
 	/* Check if rescind offer was already received */
 	if (newchannel->rescind)
 		queue_work(newchannel->controlwq, &newchannel->work);
+	else if (failure)
+		vmbus_put_channel(newchannel);
 	spin_unlock_irqrestore(&newchannel->lock, flags);
-	return;
-err_free_chan:
 	vmbus_put_channel(newchannel);
 }
-- 
1.9.3
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
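Review bot: The added `INIT_LIST_HEAD(&channel->listentry);` in the error path re-initializes the wrong object: the `list_del()` three lines above and the comment explaining the re-init both concern `newchannel->listentry`, so the line should read `INIT_LIST_HEAD(&newchannel->listentry);`. `channel` is the cursor variable declared in the preceding hunk and, judging by the usual list-walk pattern, probably does not point at a live channel on this path (the walk itself is outside the hunk), so the write likely lands in unrelated memory, and the protection this patch intends for the second `list_del()` in vmbus_process_rescind_offer() is not actually provided for `newchannel`. The `vmbus_put_channel(newchannel)` in the new `else if (failure)` branch runs with `newchannel->lock` held and is safe only because the reference taken by `vmbus_get_channel()` just above guarantees it is not the final put; that reasoning is worth stating there, e.g. `/* Not the last reference: the get above keeps the channel alive until the unlocked put below. */`. The start of vmbus_process_offer() and the list walk that sets `channel` lie outside the hunk.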