authorStefano Stabellini <sstabellini@kernel.org>2017-11-15 13:20:21 -0800
committerBoris Ostrovsky <boris.ostrovsky@oracle.com>2017-11-15 16:38:15 -0500
commit646d944c2ef5a3b298c4e150494c71b9272d8b47 (patch)
tree7dc5ca8c8681c80b438db0babfebe26e2f1ecbc0
parent24e7f84db0db6b6f14581707a45d06ec5d5b88f2 (diff)
xen/pvcalls: fix potential endless loop in pvcalls-front.c
mutex_trylock() returns 1 if you take the lock and 0 if not. Assume you take in_mutex on the first try, but you can't take out_mutex. The next time you call mutex_trylock(), in_mutex is going to fail because you already hold it. It's an endless loop. Solve the problem by waiting until the global refcount is 1 instead (the refcount is 1 when the only active pvcalls frontend function is pvcalls_front_release). Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-rw-r--r--drivers/xen/pvcalls-front.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
index 9e40c2cd70b1..40caa92bff33 100644
--- a/drivers/xen/pvcalls-front.c
+++ b/drivers/xen/pvcalls-front.c
@@ -1041,13 +1041,12 @@ int pvcalls_front_release(struct socket *sock)
wake_up_interruptible(&map->active.inflight_conn_req);
/*
- * Wait until there are no more waiters on the mutexes.
- * We know that no new waiters can be added because sk_send_head
- * is set to NULL -- we only need to wait for the existing
- * waiters to return.
+ * We need to make sure that sendmsg/recvmsg on this socket have
+ * not started before we've cleared sk_send_head here. The
+ * easiest (though not optimal) way to guarantee this is to see
+ * that no pvcall (other than us) is in progress.
*/
- while (!mutex_trylock(&map->active.in_mutex) ||
- !mutex_trylock(&map->active.out_mutex))
+ while (atomic_read(&pvcalls_refcount) > 1)
cpu_relax();
pvcalls_front_free_map(bedata, map);
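Review bot: The new wait `while (atomic_read(&pvcalls_refcount) > 1) cpu_relax();` is an unbounded busy-wait on a counter that the commit message describes as global, so it is not tied to this socket. If any other pvcall can block while holding a reference (for example a sendmsg/recvmsg on an unrelated socket waiting for the backend), release would presumably spin for as long as that call lasts, and a slow or unresponsive backend domain could turn that into a stalled CPU in the guest. The increment sites are outside this hunk, so please confirm that none of them sleep with the reference held. If they can, consider yielding in the loop or waiting on a per-socket count instead. At minimum the comment should state the dependency, e.g. `* pvcalls_refcount is global: a pvcall in progress on any socket keeps this loop spinning.` The body of pvcalls_front_release starts and ends outside the hunk.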