diff --git a/patches.xen/2a22ee6c3ab1-xen-xenbus_dev_frontend-Fix-XS_TRANSACTION_END-handl.patch b/patches.xen/2a22ee6c3ab1-xen-xenbus_dev_frontend-Fix-XS_TRANSACTION_END-handl.patch deleted file mode 100644 index da5b792..0000000 --- a/patches.xen/2a22ee6c3ab1-xen-xenbus_dev_frontend-Fix-XS_TRANSACTION_END-handl.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 2a22ee6c3ab1d761bc9c04f1e4117edd55b82f09 Mon Sep 17 00:00:00 2001 -From: Simon Gaiser -Date: Thu, 15 Mar 2018 03:43:20 +0100 -Subject: [PATCH 1/3] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling - -Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple -concurrent xenstore accesses") made a subtle change to the semantic of -xenbus_dev_request_and_reply() and xenbus_transaction_end(). - -Before on an error response to XS_TRANSACTION_END -xenbus_dev_request_and_reply() would not decrement the active -transaction counter. But xenbus_transaction_end() has always counted the -transaction as finished regardless of the response. - -The new behavior is that xenbus_dev_request_and_reply() and -xenbus_transaction_end() will always count the transaction as finished -regardless the response code (handled in xs_request_exit()). - -But xenbus_dev_frontend tries to end a transaction on closing of the -device if the XS_TRANSACTION_END failed before. Trying to close the -transaction twice corrupts the reference count. So fix this by also -considering a transaction closed if we have sent XS_TRANSACTION_END once -regardless of the return code. - -Cc: # 4.11 -Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses") -Signed-off-by: Simon Gaiser -Reviewed-by: Juergen Gross -Signed-off-by: Boris Ostrovsky ---- - drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c -index a493e99bed21..81a84b3c1c50 100644 ---- a/drivers/xen/xenbus/xenbus_dev_frontend.c -+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c -@@ -365,7 +365,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req) - if (WARN_ON(rc)) - goto out; - } -- } else if (req->msg.type == XS_TRANSACTION_END) { -+ } else if (req->type == XS_TRANSACTION_END) { - trans = xenbus_get_transaction(u, req->msg.tx_id); - if (WARN_ON(!trans)) - goto out; --- -2.16.2 - diff --git a/patches.xen/8fe5ab411209-xen-xenbus_dev_frontend-Verify-body-of-XS_TRANSACTIO.patch b/patches.xen/8fe5ab411209-xen-xenbus_dev_frontend-Verify-body-of-XS_TRANSACTIO.patch deleted file mode 100644 index a3233b4..0000000 --- a/patches.xen/8fe5ab411209-xen-xenbus_dev_frontend-Verify-body-of-XS_TRANSACTIO.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 8fe5ab411209ac6e2c7021131e622fd004506d1a Mon Sep 17 00:00:00 2001 -From: Simon Gaiser -Date: Thu, 15 Mar 2018 03:43:22 +0100 -Subject: [PATCH 3/3] xen: xenbus_dev_frontend: Verify body of - XS_TRANSACTION_END - -By guaranteeing that the argument of XS_TRANSACTION_END is valid we can -assume that the transaction has been closed when we get an XS_ERROR -response from xenstore (Note that we already verify that it's a valid -transaction id). - -Signed-off-by: Simon Gaiser -Reviewed-by: Juergen Gross -Signed-off-by: Boris Ostrovsky ---- - drivers/xen/xenbus/xenbus_dev_frontend.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c -index 81a84b3c1c50..0d6d9264d6a9 100644 ---- a/drivers/xen/xenbus/xenbus_dev_frontend.c -+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c -@@ -429,6 +429,10 @@ static int xenbus_write_transaction(unsigned msg_type, - { - int rc; - struct xenbus_transaction_holder *trans = NULL; -+ struct { -+ struct xsd_sockmsg hdr; -+ char body[]; -+ } *msg = (void *)u->u.buffer; - - if (msg_type == XS_TRANSACTION_START) { - trans = kzalloc(sizeof(*trans), GFP_KERNEL); -@@ -437,11 +441,15 @@ static int xenbus_write_transaction(unsigned msg_type, - goto out; - } - list_add(&trans->list, &u->transactions); -- } else if (u->u.msg.tx_id != 0 && -- !xenbus_get_transaction(u, u->u.msg.tx_id)) -+ } else if (msg->hdr.tx_id != 0 && -+ !xenbus_get_transaction(u, msg->hdr.tx_id)) - return xenbus_command_reply(u, XS_ERROR, "ENOENT"); -+ else if (msg_type == XS_TRANSACTION_END && -+ !(msg->hdr.len == 2 && -+ (!strcmp(msg->body, "T") || !strcmp(msg->body, "F")))) -+ return xenbus_command_reply(u, XS_ERROR, "EINVAL"); - -- rc = xenbus_dev_request_and_reply(&u->u.msg, u); -+ rc = xenbus_dev_request_and_reply(&msg->hdr, u); - if (rc && trans) { - list_del(&trans->list); - kfree(trans); --- -2.16.2 - diff --git a/patches.xen/b93008d1ac65-xen-xenbus-Catch-closing-of-non-existent-transaction.patch b/patches.xen/b93008d1ac65-xen-xenbus-Catch-closing-of-non-existent-transaction.patch deleted file mode 100644 index 98cba26..0000000 --- a/patches.xen/b93008d1ac65-xen-xenbus-Catch-closing-of-non-existent-transaction.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b93008d1ac657dc67819330c5995e65e7c3e7978 Mon Sep 17 00:00:00 2001 -From: Simon Gaiser -Date: Thu, 15 Mar 2018 03:43:21 +0100 -Subject: [PATCH 2/3] xen: xenbus: Catch closing of non existent transactions - -Users of the xenbus functions should never close a non existent -transaction (for example by trying to closing the same transaction -twice) but better catch it in xs_request_exit() than to corrupt the -reference counter. - -Signed-off-by: Simon Gaiser -Reviewed-by: Juergen Gross -Signed-off-by: Boris Ostrovsky ---- - drivers/xen/xenbus/xenbus_xs.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c -index 3f3b29398ab8..49a3874ae6bb 100644 ---- a/drivers/xen/xenbus/xenbus_xs.c -+++ b/drivers/xen/xenbus/xenbus_xs.c -@@ -140,7 +140,9 @@ void xs_request_exit(struct xb_req_data *req) - spin_lock(&xs_state_lock); - xs_state_users--; - if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) || -- req->type == XS_TRANSACTION_END) -+ (req->type == XS_TRANSACTION_END && -+ !WARN_ON_ONCE(req->msg.type == XS_ERROR && -+ !strcmp(req->body, "ENOENT")))) - xs_state_users--; - spin_unlock(&xs_state_lock); - --- -2.16.2 -