[xen master] x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[xen master] x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server

patchbot
commit 90eff18cc5e16e0749605d88092ecfa4ab126c8f
Author:     Wei Liu <[hidden email]>
AuthorDate: Wed Apr 4 12:03:14 2018 +0100
Commit:     Wei Liu <[hidden email]>
CommitDate: Wed Apr 4 12:44:52 2018 +0100

    x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server
   
    It is possible to call the error path with i pointing beyond the end
    of the array.
   
    There is another bug that if there is already a default ioreq server,
    the code will actually sets the element to NULL, hence leaking memory.
   
    Move setting NULL to where it is needed.
   
    Coverity-ID: 1433777
    Signed-off-by: Wei Liu <[hidden email]>
    Reviewed-by: Paul Durrant <[hidden email]>
    Acked-by: Andrew Cooper <[hidden email]>
---
 xen/arch/x86/hvm/ioreq.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 9435291e87..2275278305 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -811,7 +811,10 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default,
 
     rc = hvm_ioreq_server_init(s, d, bufioreq_handling, i);
     if ( rc )
+    {
+        set_ioreq_server(d, i, NULL);
         goto fail;
+    }
 
     if ( i == DEFAULT_IOSERVID )
         hvm_ioreq_server_enable(s);
@@ -825,8 +828,6 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default,
     return 0;
 
  fail:
-    set_ioreq_server(d, i, NULL);
-
     spin_unlock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
     domain_unpause(d);
 
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
[hidden email]
https://lists.xenproject.org/xen-changelog