From 12e8f728cbc2bc04bb92b6507369462119aae167 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 6 Sep 2018 15:09:44 +0200 Subject: [PATCH] xen-netfront-detach-crash When it get to free_page(queue->grant_tx_page[i]), the use counter on this page is already 0, which cause a crash. Not sure if this is the proper fix (according to git log this may introduce some memory leak), but at least it prevent the crash. Details in this thread: http://xen.markmail.org/thread/pw5edbtqienjx4q5 --- drivers/net/xen-netfront.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index c914c24f880b..f1688897b256 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1138,9 +1138,10 @@ static void xennet_release_tx_bufs(struct netfront_queue *queue) skb = queue->tx_skbs[i].skb; get_page(queue->grant_tx_page[i]); - gnttab_end_foreign_access(queue->grant_tx_ref[i], - GNTMAP_readonly, - (unsigned long)page_address(queue->grant_tx_page[i])); + gnttab_end_foreign_access_ref( + queue->grant_tx_ref[i], GNTMAP_readonly); + gnttab_release_grant_reference( + &queue->gref_tx_head, queue->grant_tx_ref[i]); queue->grant_tx_page[i] = NULL; queue->grant_tx_ref[i] = GRANT_INVALID_REF; add_id_to_freelist(&queue->tx_skb_freelist, queue->tx_skbs, i); -- 2.20.1