On 15/03/18 03:43, Simon Gaiser wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
> concurrent xenstore accesses") made a subtle change to the semantics of
> xenbus_dev_request_and_reply() and xenbus_transaction_end().
>
> Before, on an error response to XS_TRANSACTION_END
> xenbus_dev_request_and_reply() would not decrement the active
> transaction counter. But xenbus_transaction_end() has always counted the
> transaction as finished regardless of the response.
>
> The new behavior is that xenbus_dev_request_and_reply() and
> xenbus_transaction_end() will always count the transaction as finished
> regardless of the response code (handled in xs_request_exit()).
>
> But xenbus_dev_frontend tries to end a transaction on closing of the
> device if the XS_TRANSACTION_END failed before. Trying to close the
> transaction twice corrupts the reference count. So fix this by also
> considering a transaction closed if we have sent XS_TRANSACTION_END once
> regardless of the return code.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.11
> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Signed-off-by: Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>

Reviewed-by: Juergen Gross <jgross@xxxxxxxx>

Juergen
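
The double end described in the commit message above, as an added example that is not part of the original mail or the kernel patch: a simplified user-space model in which every name (model_*, run_scenario, active_transactions) is hypothetical. It starts one transaction, gets an error response to the end request, then closes the device, once with the old frontend bookkeeping and once with the bookkeeping the fix describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all names are hypothetical. */
static int active_transactions; /* stands in for the active transaction counter */

/* Behaviour the commit message describes as new: sending the end request
 * always counts the transaction as finished, whatever the response is. */
static int model_transaction_end(bool error_response)
{
    active_transactions--;
    return error_response ? -1 : 0;
}

struct model_frontend { bool trans_open; /* frontend's own record */ };

static void model_start(struct model_frontend *fe)
{
    active_transactions++;
    fe->trans_open = true;
}

/* fixed == false: a failed end leaves the transaction recorded as open.
 * fixed == true: it is considered closed once the end request was sent. */
static void model_end(struct model_frontend *fe, bool error_response, bool fixed)
{
    int rc = model_transaction_end(error_response);
    if (rc == 0 || fixed)
        fe->trans_open = false;
}

/* Closing the device ends whatever the frontend still records as open. */
static void model_release(struct model_frontend *fe)
{
    if (fe->trans_open)
        model_end(fe, false, true);
}

/* Start one transaction, fail its end, close the device; return the counter. */
int run_scenario(bool fixed)
{
    struct model_frontend fe = { .trans_open = false };
    active_transactions = 0;
    model_start(&fe);
    model_end(&fe, true, fixed);
    model_release(&fe);
    return active_transactions;
}

int main(void) { printf("unfixed: %d, fixed: %d\n", run_scenario(false), run_scenario(true)); return 0; }
```

A balanced counter ends at 0; the unfixed path ends one below that because the same transaction is counted as finished twice.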