From 62dde2c1eff6d4e5d45883b78bdae5447e7d2d9c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roger=20Pau=20Monn=C3=A9?=
Date: Mon, 4 Jan 2021 10:03:23 +0100
Subject: [PATCH] x86/p2m: fix p2m_add_foreign error path
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

One of the error paths in p2m_add_foreign could call put_page with a NULL page, thus triggering a fault. Split the checks into two different if statements, so the appropriate error path can be taken.
Fixes: 173ae325026bd ('x86/p2m: tidy p2m_add_foreign() a little')
Signed-off-by: Roger Pau Monné
Acked-by: Andrew Cooper
---
 xen/arch/x86/mm/p2m.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 487959b121..a4ebfc9b21 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2601,8 +2601,13 @@ static int p2m_add_foreign(struct domain *tdom, unsigned long fgfn,
 * ram_rw | ram_logdirty | ram_ro | paging_out.
 */
 page = get_page_from_gfn(fdom, fgfn, &p2mt, P2M_ALLOC);
- if ( !page ||
- !p2m_is_ram(p2mt) || p2m_is_shared(p2mt) || p2m_is_hole(p2mt) )
+ if ( !page )
+ {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ if ( !p2m_is_ram(p2mt) || p2m_is_shared(p2mt) || p2m_is_hole(p2mt) )
 {
 rc = -EINVAL;
 goto put_one;
-- 
2.30.2
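Review bot: The new `if ( !page )` branch jumps to `out` with no comment saying why it must not share `put_one` with the type check below it, and that invariant is the whole point of the fix. The commit message says put_page was reachable with a NULL page on this path, so a later tidy-up that merges the two `-EINVAL` branches again would bring the fault back. I would add `/* No page reference was taken: skip put_one, put_page(NULL) would fault. */` above `goto out;`. Both labels are outside the hunk and the function body continues past the visible lines, so it is worth confirming that `out` still performs whatever cleanup `put_one` falls through to.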