centosplus patch [bug#15742]
commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b                                                             
Author: Jan Beulich <JBeulich@suse.com>                                                           
Date:   Thu Jul 7 01:23:57 2016 -0600                                                             
                                                                                                  
    xenbus: don't BUG() on user mode induced condition                                            
                                                                                                  
    Inability to locate a user mode specified transaction ID should not                           
    lead to a kernel crash. For other than XS_TRANSACTION_START also                              
    don't issue anything to xenbus if the specified ID doesn't match that                         
    of any active transaction.                                                                    
                                                                                                  
    Signed-off-by: Jan Beulich <jbeulich@suse.com>                                                
    Cc: <stable@vger.kernel.org>                                                                  
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Applied-by: Akemi Yagi <toracat@centos.org>
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c	2018-11-15 09:07:13.000000000 -0800
e293be
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c	2019-01-25 09:28:08.685086392 -0800
e293be
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
e293be
 			rc = -ENOMEM;
e293be
 			goto out;
e293be
 		}
e293be
+	} else {
e293be
+		list_for_each_entry(trans, &u->transactions, list)
e293be
+			if (trans->handle.id == u->u.msg.tx_id)
e293be
+				break;
e293be
+		if (&trans->list == &u->transactions)
e293be
+			return -ESRCH;
e293be
 	}
e293be
 
e293be
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
e293be
 	if (IS_ERR(reply)) {
e293be
-		kfree(trans);
e293be
+		if (msg_type == XS_TRANSACTION_START)
e293be
+			kfree(trans);
e293be
 		rc = PTR_ERR(reply);
e293be
 		goto out;
e293be
 	}
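Review bot: The lookup in the new `else` branch runs for every message type other than XS_TRANSACTION_START, so any request whose `tx_id` matches no entry in `u->transactions` now fails with -ESRCH before it reaches xenbus. That would appear to include ordinary, non-transactional requests if they pass through this function with a `tx_id` of 0 (which I believe is the "no transaction" value; the callers are outside the hunk), and those were forwarded before this change. If so, the branch could be narrowed to `} else if (msg_type == XS_TRANSACTION_END || u->u.msg.tx_id != 0) {`, which still rejects unknown IDs from user mode without breaking plain reads and writes. Separately, the new `return -ESRCH;` departs from the `rc = ...; goto out;` form used by the neighbouring error paths; `rc = -ESRCH; goto out;` would keep a single exit. The function body begins and ends outside the hunk.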
e293be
@@ -330,12 +337,7 @@ static int xenbus_write_transaction(unsi
e293be
 
e293be
 		list_add(&trans->list, &u->transactions);
e293be
 	} else if (msg_type == XS_TRANSACTION_END) {
e293be
-		list_for_each_entry(trans, &u->transactions, list)
e293be
-			if (trans->handle.id == u->u.msg.tx_id)
e293be
-				break;
e293be
-		BUG_ON(&trans->list == &u->transactions);
e293be
 		list_del(&trans->list);
e293be
-
e293be
 		kfree(trans);
e293be
 	}