From: Vitaly Kuznetsov
Date: Wed, 1 Oct 2014 13:35:36 +0000 (+0200)
Subject: libxc: fix mmap leak in xc_unmap_domain_meminfo/xc_map_domain_meminfo
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~4285
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22?a=commitdiff_plain;h=5faf7c1455b0edf96a563ab08461f62fdb19395a;p=xen.git

libxc: fix mmap leak in xc_unmap_domain_meminfo/xc_map_domain_meminfo

xc_unmap_domain_meminfo uses P2M_FLL_ENTRIES macro instead of P2M_FL_ENTRIES. Moreover, P2M_FL_ENTRIES macro uses (dinfo->p2m_size) which is always 0 here as we don't initialize it. The result is that we always unmap just 1 frame.

xc_map_domain_meminfo uses P2M_FLL_ENTRIES macro instead of P2M_FL_ENTRIES on failure path.

The issue went unnoticed mostly because we use unmap_domain_meminfo and xc_map_domain_meminfo in one-shot xen-mfndump and xen-hptool (through xc_exchange_page()) tools. When used in long-running apps (e.g. in xl) domains become zombies after their death.

Signed-off-by: Vitaly Kuznetsov
Acked-by: Ian Campbell
---
diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c index 6e0e3552de..a9bcd4a0bf 100644 --- a/tools/libxc/xc_domain.c +++ b/tools/libxc/xc_domain.c @@ -1838,12 +1838,13 @@ int xc_domain_bind_pt_isa_irq( int xc_unmap_domain_meminfo(xc_interface *xch, struct xc_domain_meminfo *minfo) { - struct domain_info_context _di = { .guest_width = minfo->guest_width }; + struct domain_info_context _di = { .guest_width = minfo->guest_width, + .p2m_size = minfo->p2m_size}; struct domain_info_context *dinfo = &_di; free(minfo->pfn_type); if ( minfo->p2m_table ) - munmap(minfo->p2m_table, P2M_FLL_ENTRIES * PAGE_SIZE); + munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE); minfo->p2m_table = NULL; return 0; 
@@ -1954,7 +1955,7 @@ failed: } if ( minfo->p2m_table ) { - munmap(minfo->p2m_table, P2M_FLL_ENTRIES * PAGE_SIZE); + munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE); minfo->p2m_table = NULL; }
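Review bot: In the first hunk (xc_unmap_domain_meminfo), the munmap length now depends entirely on minfo->p2m_size still holding the value used when the table was mapped, and neither that field nor the munmap return value is checked, so a zero or stale p2m_size would bring the leak back silently. Consider checking the result of `munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE);` and reporting a failure, and add a short comment above the `_di` initializer noting that P2M_FL_ENTRIES reads dinfo->p2m_size, since that hidden macro dependency is the cause the commit message describes. Style: `.p2m_size = minfo->p2m_size};` is missing the space before the closing brace that the opening `{ .guest_width` uses.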
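Review bot: In the second hunk (the `failed:` path at -1954), P2M_FL_ENTRIES again expands through dinfo->p2m_size, but the visible context does not show where dinfo->p2m_size is assigned in xc_map_domain_meminfo. Please confirm it is set before the p2m table is mapped, so that every jump to `failed:` with a non-NULL minfo->p2m_table unmaps the full region rather than one frame, which is the same failure the first hunk had to fix by initializing `.p2m_size`. Since this cleanup is now the same `munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE);` followed by `minfo->p2m_table = NULL;` as in xc_unmap_domain_meminfo, a small shared helper would keep the two paths from diverging again.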