]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 09f9f79)
xen/arm: Don't free p2m->first_level in p2m_teardown() before it has been allocated
authorAndrew Cooper <andrew.cooper3@citrix.com>
Thu, 2 Jun 2016 13:19:00 +0000 (14:19 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Fri, 3 Jun 2016 10:31:25 +0000 (11:31 +0100)
If p2m_init() didn't complete successfully, (e.g. due to VMID
exhaustion), p2m_teardown() is called and unconditionally tries to free
p2m->first_level before it has been allocated.  free_domheap_pages() doesn't
tolerate NULL pointers.

This is XSA-181

Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
xen/arch/arm/p2m.c patch | blob | blame | history

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index aff7a2c3079c45b49549278a9d73eaac2e2b4687..9cf6f91a3c5c3264539fa93ebc561905f72c7f4d 100644 (file)
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -615,7 +615,8 @@ void p2m_teardown(struct domain *d)
     while ( (pg = page_list_remove_head(&p2m->pages)) )
         free_domheap_page(pg);
 
-    free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
+    if ( p2m->first_level )
+        free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
 
     p2m->first_level = NULL;
 
Xen (staging and unstable) mirror