Fix a use-after-free on an error path.

author Steven Smith <ssmith@weybridge.uk.xensource.com>

Wed, 24 Jun 2009 14:58:43 +0000 (15:58 +0100)

committer Steven Smith <ssmith@weybridge.uk.xensource.com>

Tue, 30 Jun 2009 12:02:15 +0000 (13:02 +0100)
author Steven Smith <ssmith@weybridge.uk.xensource.com>
Wed, 24 Jun 2009 14:58:43 +0000 (15:58 +0100)
committer Steven Smith <ssmith@weybridge.uk.xensource.com>
Tue, 30 Jun 2009 12:02:15 +0000 (13:02 +0100)
diff --git a/drivers/xen/netchannel2/recv_packet.c b/drivers/xen/netchannel2/recv_packet.c

index 03a37eb1f3f6181ecf6572b0e8d1f364dd8a3ccc..33e71569a5b95e3d6c253d746c1d61c47300f40c 100644 (file)
--- a/drivers/xen/netchannel2/recv_packet.c
+++ b/drivers/xen/netchannel2/recv_packet.c
@@ -272,6 +272,13 @@ void nc2_handle_packet_msg(struct netchannel2 *nc,
          return;
  
  err:
+        /* If the receive succeeded part-way, there may be references
+           to the skb in the hypercall batcher.  Flush them out before
+           we release it.  This is a slow path, so we don't care that
+           much about performance. */
+        flush_prepared_grant_copies(&pending_rx_hypercalls,
+                                    nc2_rscb_on_gntcopy_fail);
+
          /* We may need to send a FINISH message here if this was a
             receiver-map packet.  That should be handled automatically
             by the kfree_skb(). */
author	Steven Smith <ssmith@weybridge.uk.xensource.com>
	Wed, 24 Jun 2009 14:58:43 +0000 (15:58 +0100)
committer	Steven Smith <ssmith@weybridge.uk.xensource.com>
	Tue, 30 Jun 2009 12:02:15 +0000 (13:02 +0100)