# Commit b399386bcdb9d458f5647476a06fe86f5968d87e # Date 2015-06-22 11:36:17 +0200 # Author David Vrabel # Committer Jan Beulich evtchn: clear xen_consumer when clearing state Freeing a xen event channel would clear xen_consumer before clearing the channel state, leaving a window where the channel is in a funny state (still bound but no consumer). Move the clear of xen_consumer into free_evtchn() where the state is also cleared. Signed-off-by: David Vrabel Ditch the pointless evtchn_close() wrapper around __evtchn_close() (renaming the latter) as well as some bogus casts of function results to void. Signed-off-by: Jan Beulich --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -204,6 +204,7 @@ static void free_evtchn(struct domain *d /* Reset binding to vcpu0 when the channel is freed. */ chn->state = ECS_FREE; chn->notify_vcpu_id = 0; + chn->xen_consumer = 0; xsm_evtchn_close_post(chn); } @@ -467,7 +468,7 @@ static long evtchn_bind_pirq(evtchn_bind } -static long __evtchn_close(struct domain *d1, int port1) +static long evtchn_close(struct domain *d1, int port1, bool_t guest) { struct domain *d2 = NULL; struct vcpu *v; @@ -487,7 +488,7 @@ static long __evtchn_close(struct domain chn1 = evtchn_from_port(d1, port1); /* Guest cannot close a Xen-attached event channel. */ - if ( unlikely(consumer_is_xen(chn1)) ) + if ( unlikely(consumer_is_xen(chn1)) && guest ) { rc = -EINVAL; goto out; @@ -596,12 +597,6 @@ static long __evtchn_close(struct domain return rc; } - -static long evtchn_close(evtchn_close_t *close) -{ - return __evtchn_close(current->domain, close->port); -} - int evtchn_send(struct domain *d, unsigned int lport) { struct evtchn *lchn, *rchn; @@ -956,7 +951,7 @@ static long evtchn_reset(evtchn_reset_t goto out; for ( i = 0; port_is_valid(d, i); i++ ) - (void)__evtchn_close(d, i); + evtchn_close(d, i, 1); spin_lock(&d->event_lock); @@ -1063,7 +1058,7 @@ long do_event_channel_op(int cmd, XEN_GU struct evtchn_close close; if ( copy_from_guest(&close, arg, 1) != 0 ) return -EFAULT; - rc = evtchn_close(&close); + rc = evtchn_close(current->domain, close.port, 1); break; } @@ -1193,11 +1188,10 @@ void free_xen_event_channel( BUG_ON(!port_is_valid(d, port)); chn = evtchn_from_port(d, port); BUG_ON(!consumer_is_xen(chn)); - chn->xen_consumer = 0; spin_unlock(&d->event_lock); - (void)__evtchn_close(d, port); + evtchn_close(d, port, 0); } @@ -1296,10 +1290,7 @@ void evtchn_destroy(struct domain *d) /* Close all existing event channels. */ for ( i = 0; port_is_valid(d, i); i++ ) - { - evtchn_from_port(d, i)->xen_consumer = 0; - (void)__evtchn_close(d, i); - } + evtchn_close(d, i, 0); /* Free all event-channel buckets. */ spin_lock(&d->event_lock);