xen-gnt: prevent adding duplicate gnt callbacks

commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.

With the current implementation, the callback in the tail of the list
can be added twice, because the check done in
gnttab_request_free_callback is bogus, callback->next can be NULL if
it is the last callback in the list. If we add the same callback twice
we end up with an infinite loop, were callback == callback->next.

Replace this check with a proper one that iterates over the list to
see if the callback has already been added.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Matt Wilson <msw@amazon.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index bf1c094f4ebf12ea234b9a60fdaea118d6217d8e..b657de614a069a1bdfd02dac6f8ccc1eb89118da 100644 (file)
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -355,9 +355,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
                                  void (*fn)(void *), void *arg, u16 count)
 {
        unsigned long flags;
+       struct gnttab_free_callback *cb;
+
        spin_lock_irqsave(&gnttab_list_lock, flags);
-       if (callback->next)
-               goto out;
+
+       /* Check if the callback is already on the list */
+       cb = gnttab_free_callback_list;
+       while (cb) {
+               if (cb == callback)
+                       goto out;
+               cb = cb->next;
+       }
+
        callback->fn = fn;
        callback->arg = arg;
        callback->count = count;