From: Wei Liu
Date: Wed, 4 Apr 2018 11:03:14 +0000 (+0100)
Subject: x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server
X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~247
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=90eff18cc5e16e0749605d88092ecfa4ab126c8f;p=xen.git

x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server

It is possible to call the error path with i pointing beyond the end of the array.

There is another bug that if there is already a default ioreq server, the code will actually set the element to NULL, hence leaking memory. Move setting NULL to where it is needed.

Coverity-ID: 1433777
Signed-off-by: Wei Liu
Reviewed-by: Paul Durrant
Acked-by: Andrew Cooper
---
diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 9435291e87..2275278305 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -811,7 +811,10 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default, rc = hvm_ioreq_server_init(s, d, bufioreq_handling, i); if ( rc ) + { + set_ioreq_server(d, i, NULL); goto fail; + } if ( i == DEFAULT_IOSERVID ) hvm_ioreq_server_enable(s);
@@ -825,8 +828,6 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default, return 0; fail: - set_ioreq_server(d, i, NULL); - spin_unlock_recursive(&d->arch.hvm_domain.ioreq_server.lock); domain_unpause(d);
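Review bot: In the first hunk (the `if ( rc )` block after `hvm_ioreq_server_init`), the clear is now tied to the one site where the slot at index i is known to have been claimed by this call, which is the right place for it; a one-line comment above `set_ioreq_server(d, i, NULL);` saying that the slot is released here rather than at `fail:` because i is not guaranteed valid (or ours) on every path to the label would stop a future cleanup from moving it back.

Review bot: In the second hunk, dropping `set_ioreq_server(d, i, NULL);` from the `fail:` label means any other `goto fail` taken after the slot at index i has been claimed would now leave the slot populated; only the init-failure jump in the first hunk is visible here, so confirm there is no other jump to `fail` between claiming the slot and this label, or add the clear at each such site. The remaining `spin_unlock_recursive` and `domain_unpause` on the label are unaffected.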