tmem: fix double-free bug
authorKeir Fraser <keir.fraser@citrix.com>
Mon, 23 Nov 2009 06:48:14 +0000 (06:48 +0000)
committerKeir Fraser <keir.fraser@citrix.com>
Mon, 23 Nov 2009 06:48:14 +0000 (06:48 +0000)
Tmem double-frees a high-level data structure causing memory
corruption under certain circumstances.

Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>
xen/common/tmem.c
xen/common/tmem_xen.c

index 806f5439622800b1b18e37a14cfb13c0c5046459..efc2f536490845e5b0d384208ec0cde35317085f 100644 (file)
@@ -943,7 +943,7 @@ static void client_free(client_t *client)
 {
     list_del(&client->client_list);
     tmh_client_destroy(client->tmh);
-    tmem_free(client,sizeof(client_t),NULL);
+    tmh_free_infra(client);
 }
 
 /* flush all data from a client and, optionally, free it */
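Review bot: Nothing visible in this commit frees the `tmh_client_t` any more. `client_free()` still calls `tmh_client_destroy(client->tmh)`, but the tmem_xen.c hunk removes `xfree(tmh)` from that function while `tmh_client_init()` still allocates the object with `xmalloc(tmh_client_t)`. Unless it is released on a path outside these hunks, the double free may have been traded for a leak of one `tmh_client_t` per destroyed client; this is inferred, since the allocation site of `client` and the other callers are not shown. I would state the ownership rule in a comment above `tmh_client_destroy()`, for example `/* Releases the pools and the domain reference only; tmh itself is freed by <owner>. */`. It is also worth confirming that `tmh_free_infra()` is the counterpart of the allocator used for `client`.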
index 26f593417e7078bb297c8a5a5652e8e44fa268ca..12e67f3464ffbd95c61195f4fca9966af3bc0e63 100644 (file)
@@ -295,7 +295,7 @@ EXPORT tmh_client_t *tmh_client_init(void)
     if ( (tmh = xmalloc(tmh_client_t)) == NULL )
         return NULL;
     for (i = 0, shift = 12; i < 4; shift -=4, i++)
-        name[i] = ((unsigned short)domid >> shift) & 0xf;
+        name[i] = (((unsigned short)domid >> shift) & 0xf) + '0';
     name[4] = '\0';
 #ifndef __i386__
     tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
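Review bot: Adding `'0'` to the nibble produces hex digits only for values 0–9; nibbles 10–15 become `:` through `?`, so the pool name for such a domid is not the hex string someone reading logs or debug output would expect. The change itself is needed, because previously a zero nibble stored a NUL in `name` and truncated the string passed to `xmem_pool_create()`, but the commit message does not mention it. I would write `name[i] = "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf];` and mention the naming fix in the description. The body of `tmh_client_init()` starts and ends outside this hunk.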
@@ -316,7 +316,6 @@ EXPORT void tmh_client_destroy(tmh_client_t *tmh)
     xmem_pool_destroy(tmh->persistent_pool);
 #endif
     put_domain(tmh->domain);
-    xfree(tmh);
 }
 
 /******************  XEN-SPECIFIC HOST INITIALIZATION ********************/