From 11c121640c88f17b4c78738ffa92c0dd2500b314 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Tue, 17 Mar 2009 15:29:20 +0000
Subject: [PATCH] x86: Fix get_page() to not drop reference count if it wasn't incremented.

Signed-off-by: Keir Fraser
---
 xen/arch/x86/mm.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 006964498f..4f58720fed 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1948,9 +1948,12 @@ struct domain *page_get_owner_and_reference(struct page_info *page)
     do {
         x = y;
-        if ( unlikely((x & PGC_count_mask) == 0) || /* Not allocated? */
-             /* Keep one spare reference to be acquired by get_page_light(). */
-             unlikely(((x + 2) & PGC_count_mask) <= 1) ) /* Overflow? */
+        /*
+         * Count == 0: Page is not allocated, so we cannot take a reference.
+         * Count == -1: Reference count would wrap, which is invalid.
+         * Count == -2: Remaining unused ref is reserved for get_page_light().
+         */
+        if ( unlikely(((x + 2) & PGC_count_mask) <= 2) )
             return NULL;
     }
     while ( (y = cmpxchg(&page->count_info, x, x + 1)) != x );
@@ -1966,7 +1969,8 @@ int get_page(struct page_info *page, struct domain *domain)
     if ( likely(owner == domain) )
         return 1;
-    put_page(page);
+    if ( owner != NULL )
+        put_page(page);
     if ( !_shadow_mode_refcounts(domain) && !domain->is_dying )
         gdprintk(XENLOG_INFO,
-- 
2.30.2
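Review bot: The new three-case comment is written in terms of the raw count while the test on the following line compares `(x + 2) & PGC_count_mask` against 2, so a reader has to redo the arithmetic to confirm that counts 0, -1 and -2 map to 2, 1 and 0; one closing line in the comment would remove that step, e.g. `* i.e. ((count + 2) & PGC_count_mask) is 2, 1 or 0 respectively.` Folding the three checks into a single comparison otherwise matches the removed logic: the old `<= 1` already covered -1 and -2, and the old `== 0` test is now the value 2. The addition can carry out of the count field, but the mask discards that, so the comparison is unaffected.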
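Review bot: The added `if ( owner != NULL )` guard makes get_page() treat a NULL return from page_get_owner_and_reference() as "no reference was taken", but the first hunk only shows the path where NULL is returned before the cmpxchg increments the count; the function's tail after the loop is outside that hunk, and if it can return a NULL owner after the reference has been acquired, that reference now leaks instead of being dropped. Either an `ASSERT(owner)`-style check in page_get_owner_and_reference() once the reference is held, or dropping the reference there before returning NULL, would pin the contract down. A comment at the call site would also help, e.g. `/* NULL owner means no reference was acquired: nothing to drop. */`, since the removed unconditional put_page() underflowed the count on that path, and an underflowed reference count is what allows a still-mapped page to be freed. get_page()'s body continues past the end of the hunk.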