aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Vrabel2013-02-13 21:18:57 -0600
committerGreg Kroah-Hartman2013-02-28 08:32:27 -0600
commit436d1b8ff7eb7ac9e2569ad780c33bd4287d0526 (patch)
tree7282140605fb4c9d965b33637e275cd224fc2e85
parentaa1bada15c8ce41ea5b3b9392a85e6e2e07849ff (diff)
downloadkernel-common-436d1b8ff7eb7ac9e2569ad780c33bd4287d0526.tar.gz
kernel-common-436d1b8ff7eb7ac9e2569ad780c33bd4287d0526.tar.xz
kernel-common-436d1b8ff7eb7ac9e2569ad780c33bd4287d0526.zip
xen-netback: correctly return errors from netbk_count_requests()
[ Upstream commit 35876b5ffc154c357476b2c3bdab10feaf4bd8f0 ] netbk_count_requests() could detect an error, call netbk_fatal_tx_error() but return 0. The vif may then be used afterwards (e.g., in a call to netbk_tx_error(). Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may be freed immediately after the call to netbk_fatal_tx_error() (e.g., if the vif is also removed). Netback thread Xenwatch thread ------------------------------------------- netbk_fatal_tx_err() netback_remove() xenvif_disconnect() ... free_netdev() netbk_tx_err() Oops! Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reported-by: Christopher S. Aker <caker@theshore.net> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/net/xen-netback/netback.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 6ed44c3401d..1260bf0d7e0 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -870,13 +870,13 @@ static int netbk_count_requests(struct xenvif *vif,
870 if (frags >= work_to_do) { 870 if (frags >= work_to_do) {
871 netdev_err(vif->dev, "Need more frags\n"); 871 netdev_err(vif->dev, "Need more frags\n");
872 netbk_fatal_tx_err(vif); 872 netbk_fatal_tx_err(vif);
873 return -frags; 873 return -ENODATA;
874 } 874 }
875 875
876 if (unlikely(frags >= MAX_SKB_FRAGS)) { 876 if (unlikely(frags >= MAX_SKB_FRAGS)) {
877 netdev_err(vif->dev, "Too many frags\n"); 877 netdev_err(vif->dev, "Too many frags\n");
878 netbk_fatal_tx_err(vif); 878 netbk_fatal_tx_err(vif);
879 return -frags; 879 return -E2BIG;
880 } 880 }
881 881
882 memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags), 882 memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags),
@@ -884,7 +884,7 @@ static int netbk_count_requests(struct xenvif *vif,
884 if (txp->size > first->size) { 884 if (txp->size > first->size) {
885 netdev_err(vif->dev, "Frag is bigger than frame.\n"); 885 netdev_err(vif->dev, "Frag is bigger than frame.\n");
886 netbk_fatal_tx_err(vif); 886 netbk_fatal_tx_err(vif);
887 return -frags; 887 return -EIO;
888 } 888 }
889 889
890 first->size -= txp->size; 890 first->size -= txp->size;
@@ -894,7 +894,7 @@ static int netbk_count_requests(struct xenvif *vif,
894 netdev_err(vif->dev, "txp->offset: %x, size: %u\n", 894 netdev_err(vif->dev, "txp->offset: %x, size: %u\n",
895 txp->offset, txp->size); 895 txp->offset, txp->size);
896 netbk_fatal_tx_err(vif); 896 netbk_fatal_tx_err(vif);
897 return -frags; 897 return -EINVAL;
898 } 898 }
899 } while ((txp++)->flags & XEN_NETTXF_more_data); 899 } while ((txp++)->flags & XEN_NETTXF_more_data);
900 return frags; 900 return frags;