[PATCH 3.8 57/91] xen-netback: fix refcnt unbalance for 3.11 and earlier versions

Kamal Mostafa kamal at canonical.com
Thu Jan 2 17:04:32 UTC 2014 

3.8.13.15 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Liu <wei.liu2 at citrix.com>

With the introduction of "xen-netback: Don't destroy the netdev until
the vif is shut down" (upstream commit id 279f438e36), vif disconnect
and free are separated. However in the backported verion reference
counting code was not correctly modified, and the reset of vif->tx_irq
was lost. If frontend goes through vif life cycle more than once the
reference counting is skewed.

This patch adds back the missing tx_irq reset line. It also moves
several lines of the reference counting code to vif_free, so the moved
code corresponds to the counterpart in vif_alloc, thus the reference
counting is balanced.

3.12 and onward versions are not affected by this bug, because reference
counting code was removed due to the introduction of 1:1 model.

This pacth should be backported to all stable verions which are lower
than 3.12 and have 279f438e36.

Reported-and-tested-by: Tomasz Wroblewski <tomasz.wroblewski at citrix.com>
Signed-off-by: Wei Liu <wei.liu2 at citrix.com>
Cc: Ian Campbell <ian.campbell at citrix.com>
Cc: Konrad Wilk <konrad.wilk at oracle.com>
Cc: David Vrabel <david.vrabel at citrix.com>
[ kamal: backport to 3.8 ]
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/net/xen-netback/interface.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index c63cbd0..b3cbaa9 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -363,17 +363,19 @@ void xenvif_disconnect(struct xenvif *vif)
 	if (netif_carrier_ok(vif->dev))
 		xenvif_carrier_off(vif);
 
-	atomic_dec(&vif->refcnt);
-	wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);
-
-	if (vif->irq)
+	if (vif->irq) {
 		unbind_from_irqhandler(vif->irq, vif);
+		vif->irq = 0;
+	}
 
 	xen_netbk_unmap_frontend_rings(vif);
 }
 
 void xenvif_free(struct xenvif *vif)
 {
+	atomic_dec(&vif->refcnt);
+	wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);
+
 	unregister_netdev(vif->dev);
 
 	free_netdev(vif->dev);
-- 
1.8.3.2

More information about the kernel-team mailing list