From 463016ab582fb68a17e2f18bcf29a7254a910b73 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Mon, 23 Nov 2009 06:48:14 +0000
Subject: [PATCH] tmem: fix double-free bug

Tmem double-frees a high-level data structure causing memory corruption under certain circumstances.

Signed-off-by: Dan Magenheimer
---
 xen/common/tmem.c | 2 +-
 xen/common/tmem_xen.c | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 806f543962..efc2f53649 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -943,7 +943,7 @@ static void client_free(client_t *client)
 {
 list_del(&client->client_list);
 tmh_client_destroy(client->tmh);
- tmem_free(client,sizeof(client_t),NULL);
+ tmh_free_infra(client);
 }
 
 /* flush all data from a client and, optionally, free it */
diff --git a/xen/common/tmem_xen.c b/xen/common/tmem_xen.c
index 26f593417e..12e67f3464 100644
--- a/xen/common/tmem_xen.c
+++ b/xen/common/tmem_xen.c
@@ -295,7 +295,7 @@ EXPORT tmh_client_t *tmh_client_init(void)
 if ( (tmh = xmalloc(tmh_client_t)) == NULL )
 return NULL;
 for (i = 0, shift = 12; i < 4; shift -=4, i++)
- name[i] = ((unsigned short)domid >> shift) & 0xf;
+ name[i] = (((unsigned short)domid >> shift) & 0xf) + '0';
 name[4] = '\0';
 #ifndef __i386__
 tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
@@ -316,7 +316,6 @@ EXPORT void tmh_client_destroy(tmh_client_t *tmh)
 xmem_pool_destroy(tmh->persistent_pool);
 #endif
 put_domain(tmh->domain);
- xfree(tmh);
 }
 
 /****************** XEN-SPECIFIC HOST INITIALIZATION ********************/
-- 
2.30.2
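Review bot: Nothing visible in this patch releases `client->tmh` once the third hunk drops `xfree(tmh)` from `tmh_client_destroy()`: `client_free()` calls that function and then frees only `client` with `tmh_free_infra(client)`, while `tmh_client_init()` still obtains the object with `xmalloc(tmh_client_t)`. If no path outside these hunks frees it, the double free has been traded for a leak of hypervisor memory on every client teardown. The commit message does not say which structure was freed twice or by which two calls, so the ownership should be written down where the free was removed, for example `/* Releases the pool and the domain reference only; tmh itself is freed by <owner>. */` above `tmh_client_destroy()`. It would also help to note in `client_free()` which allocator `client` came from, since the matching allocation is outside the hunk and the free routine is the thing being changed.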
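Review bot: Adding `'0'` to a 4-bit value gives a hex digit only for nibbles 0 to 9; for 10 to 15 the new line in `tmh_client_init()` stores `:`, `;`, `<`, `=`, `>` or `?`, so a constructed domid of 0x001a would get the pool name `001:`. The name is now non-empty and distinct per domid, which the old code did not guarantee when a nibble was zero, but anyone correlating pool names with domain ids in logs or debug output will misread it. If hex is what is meant, `name[i] = "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf];` does it in one line. This change is unrelated to the double free named in the subject and deserves its own sentence in the commit message; the function body starts and ends outside the hunk.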