libxc: fix mmap leak in xc_unmap_domain_meminfo/xc_map_domain_meminfo
author Vitaly Kuznetsov <vkuznets@redhat.com>
Wed, 1 Oct 2014 13:35:36 +0000 (15:35 +0200)
committer Ian Campbell <ian.campbell@citrix.com>
Thu, 2 Oct 2014 12:53:32 +0000 (13:53 +0100)
xc_unmap_domain_meminfo uses P2M_FLL_ENTRIES macro instead of P2M_FL_ENTRIES.
Moreover, P2M_FL_ENTRIES macro uses (dinfo->p2m_size) which is always 0 here
as we don't initialize it. The result is that we always unmap just 1 frame.

xc_map_domain_meminfo uses P2M_FLL_ENTRIES macro instead of P2M_FL_ENTRIES
on failure path.

The issue went unnoticed mostly because we use unmap_domain_meminfo and
xc_map_domain_meminfo in one-shot xen-mfndump and xen-hptool (through
xc_exchange_page()) tools. When used in long-running apps (e.g. in xl)
domains become zombies after their death.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
tools/libxc/xc_domain.c

index 6e0e3552dea3d37e8ddc0eded4c76fca6d481072..a9bcd4a0bfe7780bfb5c3397088439b8a8d5f53c 100644 (file)
@@ -1838,12 +1838,13 @@ int xc_domain_bind_pt_isa_irq(
 
 int xc_unmap_domain_meminfo(xc_interface *xch, struct xc_domain_meminfo *minfo)
 {
-    struct domain_info_context _di = { .guest_width = minfo->guest_width };
+    struct domain_info_context _di = { .guest_width = minfo->guest_width,
+                                       .p2m_size = minfo->p2m_size};
     struct domain_info_context *dinfo = &_di;
 
     free(minfo->pfn_type);
     if ( minfo->p2m_table )
-        munmap(minfo->p2m_table, P2M_FLL_ENTRIES * PAGE_SIZE);
+        munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE);
     minfo->p2m_table = NULL;
 
     return 0;
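Review bot: The munmap() call in xc_unmap_domain_meminfo still discards its return value and the function returns 0 unconditionally, so a wrong length would again go unnoticed, which is how the original leak survived. The length now depends on minfo->p2m_size through the local dinfo that P2M_FL_ENTRIES reads implicitly; if a caller passes a minfo whose p2m_size is 0 or stale, the unmap silently covers too few frames. Consider checking the munmap() result and returning an error, and adding a short comment that _di must carry p2m_size because the macro reads it via dinfo. Separately, pfn_type is freed here but not reset to NULL the way p2m_table is, so a second call on the same minfo would free it twice. Minor style point: the new initializer closes with "p2m_size};" while it opens with "{ ", so add a space before the brace.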
@@ -1954,7 +1955,7 @@ failed:
     }
     if ( minfo->p2m_table )
     {
-        munmap(minfo->p2m_table, P2M_FLL_ENTRIES * PAGE_SIZE);
+        munmap(minfo->p2m_table, P2M_FL_ENTRIES * PAGE_SIZE);
         minfo->p2m_table = NULL;
     }
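Review bot: The munmap() length on the failed: path is only correct if dinfo->p2m_size was already set when p2m_table was mapped and the same expression was used for the mapping; the mapping call is outside this hunk, so please confirm the two lengths agree. Since "P2M_FL_ENTRIES * PAGE_SIZE" now appears both here and in xc_unmap_domain_meminfo, a small helper that computes the p2m_table mapping length from p2m_size and guest_width would keep the map, the failure path and the unmap from diverging again. The munmap() result is also ignored here; logging a failure would make a future mismatch visible instead of leaking mappings quietly.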