xenbus: don't BUG() on user mode induced condition

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>

1 files changed, 8 insertions, 6 deletions

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index cacf30d14747..7487971f9f78 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsigned msg_type,
                         rc = -ENOMEM;
                         goto out;
                 }
+        } else {
+                list_for_each_entry(trans, &u->transactions, list)
+                        if (trans->handle.id == u->u.msg.tx_id)
+                                break;
+                if (&trans->list == &u->transactions)
+                        return -ESRCH;
         }
 
         reply = xenbus_dev_request_and_reply(&u->u.msg);
         if (IS_ERR(reply)) {
-                kfree(trans);
+                if (msg_type == XS_TRANSACTION_START)
+                        kfree(trans);
                 rc = PTR_ERR(reply);
                 goto out;
         }
@@ -333,12 +340,7 @@ static int xenbus_write_transaction(unsigned msg_type,
                         list_add(&trans->list, &u->transactions);
                 }
         } else if (u->u.msg.type == XS_TRANSACTION_END) {
-                list_for_each_entry(trans, &u->transactions, list)
-                        if (trans->handle.id == u->u.msg.tx_id)
-                                break;
-                BUG_ON(&trans->list == &u->transactions);
                 list_del(&trans->list);
-
                 kfree(trans);
         }