From: Paul Durrant <paul.durrant@citrix.com>
Date: Fri, 2 May 2014 09:46:32 +0000 (+0200)
Subject: hvm_set_ioreq_page() releases wrong page in error path
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~5117
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=16e2a7596e9fc86881c73cef57602b2c88155528;p=xen.git

hvm_set_ioreq_page() releases wrong page in error path

The function calls prepare_ring_for_helper() to acquire a mapping for the
given gmfn, then checks (under lock) to see if the ioreq page is already
set up but, if it is, the function then releases the in-use ioreq page
mapping on the error path rather than the one it just acquired. This patch
fixes this bug.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index ff6a1fd97d..5290341183 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -496,7 +496,7 @@ static int hvm_set_ioreq_page(
 
     if ( (iorp->va != NULL) || d->is_dying )
     {
-        destroy_ring_for_helper(&iorp->va, iorp->page);
+        destroy_ring_for_helper(&va, page);
         spin_unlock(&iorp->lock);
         return -EINVAL;
     }