From 20960a081ad23e0a5d1fd48fd84cff9f81e7cc6c Mon Sep 17 00:00:00 2001
From: Wei Liu
Date: Sun, 26 Jul 2015 22:34:54 +0100
Subject: [PATCH] libxc: fix memory leak in migration v2
Originally there was only one counter to keep track of pages. It was used erroneously to keep track of how many pages were mapped and how many pages needed to be sent. In the end munmap(2) always had 0 as the length argument, which resulted in leaking the mapping. This problem was discovered on 32bit toolstack because 32bit applications have notably smaller address space. In fact this bug affects 64bit toolstack too. Use a separate counter to keep track of the number of mapped pages to solve this problem.
Signed-off-by: Wei Liu
Reviewed-by: Andrew Cooper
---
 tools/libxc/xc_sr_save.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/libxc/xc_sr_save.c b/tools/libxc/xc_sr_save.c
index d63b783828..1b6be2a46d 100644
--- a/tools/libxc/xc_sr_save.c
+++ b/tools/libxc/xc_sr_save.c
@@ -84,7 +84,7 @@ static int write_batch(struct xc_sr_context *ctx)
 void **guest_data = NULL;
 void **local_pages = NULL;
 int *errors = NULL, rc = -1;
- unsigned i, p, nr_pages = 0;
+ unsigned i, p, nr_pages = 0, nr_pages_mapped = 0;
 unsigned nr_pfns = ctx->save.nr_batch_pfns;
 void *page, *orig_page;
 uint64_t *rec_pfns = NULL;
@@ -160,6 +160,7 @@ static int write_batch(struct xc_sr_context *ctx)
 PERROR("Failed to map guest pages");
 goto err;
 }
+ nr_pages_mapped = nr_pages;

 for ( i = 0, p = 0; i < nr_pfns; ++i )
 {
@@ -262,7 +263,7 @@ static int write_batch(struct xc_sr_context *ctx)
 err:
 free(rec_pfns);
 if ( guest_mapping )
- munmap(guest_mapping, nr_pages * PAGE_SIZE);
+ munmap(guest_mapping, nr_pages_mapped * PAGE_SIZE);
 for ( i = 0; local_pages && i < nr_pfns; ++i )
 free(local_pages[i]);
 free(iov);
--
2.30.2
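Review bot: The declaration in the first hunk (-84,7) now carries two page counters, and nothing in the visible lines documents how they differ. A comment above it such as `/* nr_pages: pages still to be sent; nr_pages_mapped: pages covered by guest_mapping, used only for munmap() */` would keep a later change from merging them again. The invariant worth stating is that nr_pages_mapped is assigned once, right after the mapping succeeds, and never modified afterwards. write_batch starts and ends outside this hunk.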
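Review bot: The munmap() call on the err path in the third hunk (-262,7) still discards its return value, which is presumably how the zero-length call described in the commit message went unnoticed. Checking it would make a recurrence visible, for example `if ( guest_mapping && munmap(guest_mapping, nr_pages_mapped * PAGE_SIZE) )` followed by `PERROR("Failed to unmap guest pages");`. If callers inspect errno after write_batch returns, it would need to be saved and restored around that log call; the hunk does not show whether they do. The rest of the function, including how the err label is reached, is outside the hunk.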