From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH v5 1/9] hvm_set_ioreq_page() releases wrong page in error path Date: Thu, 1 May 2014 13:48:42 +0100 Message-ID: <536242AA.1010703@citrix.com> References: <1398946120-33169-1-git-send-email-paul.durrant@citrix.com> <1398946120-33169-2-git-send-email-paul.durrant@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1398946120-33169-2-git-send-email-paul.durrant@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Paul Durrant Cc: Keir Fraser , Jan Beulich , xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org On 01/05/14 13:08, Paul Durrant wrote: > The function calls prepare_ring_for_helper() to acquire a mapping for the > given gmfn, then checks (under lock) to see if the ioreq page is already > set up but, if it is, the function then releases the in-use ioreq page > mapping on the error path rather than the one it just acquired. This patch > fixes this bug. > > Signed-off-by: Paul Durrant > Cc: Keir Fraser > Cc: Jan Beulich Reviewed-by: Andrew Cooper > --- > xen/arch/x86/hvm/hvm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c > index ac05160..3dec1eb 100644 > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -496,7 +496,7 @@ static int hvm_set_ioreq_page( > > if ( (iorp->va != NULL) || d->is_dying ) > { > - destroy_ring_for_helper(&iorp->va, iorp->page); > + destroy_ring_for_helper(&va, page); > spin_unlock(&iorp->lock); > return -EINVAL; > }