From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Grall <julien.grall@linaro.org>
Subject: Re: [PATCH] xen/arm: domain_vgic_init: Avoid double
	free on shared_irqs
Date: Mon, 08 Sep 2014 13:47:59 -0700
Message-ID: <540E15FF.8050002@linaro.org>
References: <1406297847-23440-1-git-send-email-julien.grall@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <julien.grall@linaro.org>) id 1XR5r1-0005we-CC
	for xen-devel@lists.xenproject.org; Mon, 08 Sep 2014 20:48:03 +0000
Received: by mail-qa0-f42.google.com with SMTP id dc16so10697317qab.15
	for <xen-devel@lists.xenproject.org>;
	Mon, 08 Sep 2014 13:48:00 -0700 (PDT)
In-Reply-To: <1406297847-23440-1-git-send-email-julien.grall@linaro.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xenproject.org
Cc: stefano.stabellini@citrix.com, tim@xen.org, ian.campbell@citrix.com
List-Id: xen-devel@lists.xenproject.org

Hi Ian and Stefano,

Ping?

On 25/07/14 07:17, Julien Grall wrote:
> When the function domain_vgic_init is failing to initialize pending_irqs,
> it will free shared_irqs. Few call later, domain_vgic_free will be called
> an try to free a second time the same variable. This will result to a double
> free.
>
> Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly
> release the memory.
>
> Signed-off-by: Julien Grall <julien.grall@linaro.org>
>
> ---
>
> This patch should be backported to Xen 4.4.
> ---
>   xen/arch/arm/vgic.c |    3 ---
>   1 file changed, 3 deletions(-)
>
> diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
> index aba613b..edbb71a 100644
> --- a/xen/arch/arm/vgic.c
> +++ b/xen/arch/arm/vgic.c
> @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis)
>       d->arch.vgic.pending_irqs =
>           xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis);
>       if ( d->arch.vgic.pending_irqs == NULL )
> -    {
> -        xfree(d->arch.vgic.shared_irqs);
>           return -ENOMEM;
> -    }
>
>       for (i=0; i<d->arch.vgic.nr_spis; i++)
>       {
>

-- 
Julien Grall