x86/hvm/ioreq: fix two bugs in hvm_create_ioreq_server

It is possible to call the error path with i pointing beyond the end
of the array.

There is another bug that if there is already a default ioreq server,
the code will actually sets the element to NULL, hence leaking memory.

Move setting NULL to where it is needed.

Coverity-ID: 1433777
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 9435291e879e9ead2ae923aa0a656611eee83f84..2275278305e4980c82f3f09edf834814a2c489cb 100644 (file)
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -811,7 +811,10 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default,
 
     rc = hvm_ioreq_server_init(s, d, bufioreq_handling, i);
     if ( rc )
+    {
+        set_ioreq_server(d, i, NULL);
         goto fail;
+    }
 
     if ( i == DEFAULT_IOSERVID )
         hvm_ioreq_server_enable(s);
@@ -825,8 +828,6 @@ int hvm_create_ioreq_server(struct domain *d, bool is_default,
     return 0;
 
  fail:
-    set_ioreq_server(d, i, NULL);
-
     spin_unlock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
     domain_unpause(d);