[ 3.8.y.z extended stable ] Patch "xen-gnt: prevent adding duplicate gnt callbacks" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu Sep 19 00:03:21 UTC 2013

This is a note to let you know that I have just added a patch titled

    xen-gnt: prevent adding duplicate gnt callbacks

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


This patch is scheduled to be released in version

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 07c1fff7a020c14352f49e3a85cbedb6d38956cb Mon Sep 17 00:00:00 2001
From: Roger Pau Monne <roger.pau at citrix.com>
Date: Wed, 31 Jul 2013 17:00:42 +0200
Subject: xen-gnt: prevent adding duplicate gnt callbacks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.

With the current implementation, the callback in the tail of the list
can be added twice, because the check done in
gnttab_request_free_callback is bogus, callback->next can be NULL if
it is the last callback in the list. If we add the same callback twice
we end up with an infinite loop, where callback == callback->next.

Replace this check with a proper one that iterates over the list to
see if the callback has already been added.

Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Cc: David Vrabel <david.vrabel at citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Acked-by: Matt Wilson <msw at amazon.com>
Reviewed-by: David Vrabel <david.vrabel at citrix.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 drivers/xen/grant-table.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 157c0cc..51be226 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
 				  void (*fn)(void *), void *arg, u16 count)
 	unsigned long flags;
+	struct gnttab_free_callback *cb;
 	spin_lock_irqsave(&gnttab_list_lock, flags);
-	if (callback->next)
-		goto out;
+	/* Check if the callback is already on the list */
+	cb = gnttab_free_callback_list;
+	while (cb) {
+		if (cb == callback)
+			goto out;
+		cb = cb->next;
+	}
 	callback->fn = fn;
 	callback->arg = arg;
 	callback->count = count;
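
Review bot: The new "while (cb)" walk runs with gnttab_list_lock held and interrupts disabled by spin_lock_irqsave, so its cost grows with the number of queued callbacks; the comment above the loop should say that the list is expected to stay short, and why the old callback->next test could not be kept (the tail entry has next == NULL). Separately, the "goto out" on a match skips the fn, arg and count assignments, so a repeated request with different arguments is dropped without any indication to the caller of this void function; a sentence in the comment documenting that would help.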

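
The failure described in the commit message, as an added user-space example that is not part of the original mail or of the kernel source. The names (struct cb, request_old, request_fixed, list_len, demo) are hypothetical, and the model assumes new callbacks are inserted at the head of the list, which the hunk does not show.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of a singly linked callback list (hypothetical names). */
struct cb { struct cb *next; };
static struct cb *head;

/* Old check: a NULL next pointer is read as "not queued".
 * That is also true for the entry at the tail of the list. */
static void request_old(struct cb *c)
{
    if (c->next)
        return;
    c->next = head;            /* assumed head insertion */
    head = c;
}

/* Fixed check: walk the list and look for the entry itself. */
static void request_fixed(struct cb *c)
{
    for (struct cb *p = head; p; p = p->next)
        if (p == c)
            return;
    c->next = head;
    head = c;
}

/* Bounded walk: list length, or -1 if more than `limit` nodes are seen,
 * which in this model can only mean the list has become circular. */
static int list_len(int limit)
{
    int n = 0;
    for (struct cb *p = head; p; p = p->next)
        if (++n > limit)
            return -1;
    return n;
}

/* Queue a (it becomes the tail), queue b, then request a again. */
static int demo(void (*request)(struct cb *))
{
    static struct cb a, b;
    a.next = b.next = NULL;
    head = NULL;
    request(&a); request(&b); request(&a);
    return list_len(16);
}

int main(void)
{
    printf("old: %d, fixed: %d\n", demo(request_old), demo(request_fixed));
    return 0;
}
```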