From: Matthew Daley
Date: Thu, 10 Oct 2013 14:15:47 +0000 (+0000)
Subject: xen_disk: mark ioreq as mapped before unmapping in error case
X-Git-Tag: qemu-xen-4.3.1-rc2^0
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e16435c95be86244bd92c5c26579bd4298aa65a6;p=qemu-upstream-4.3-testing.git

xen_disk: mark ioreq as mapped before unmapping in error case

Commit 4472beae modified the semantics of ioreq_{un,}map so that they are idempotent if called when they're not needed (i.e., twice in a row). However, it neglected to handle the case where batch mapping is not being used (the default), and one of the grants fails to map. In this case, ioreq_unmap will be called to unwind and unmap any mappings already performed, but ioreq_unmap simply returns due to the aforementioned change (the ioreq has not already been marked as mapped).

The frontend user can therefore force xen_disk to leak grant mappings, a per-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this situation.

Signed-off-by: Matthew Daley
Signed-off-by: Stefano Stabellini
---
diff --git a/hw/xen_disk.c b/hw/xen_disk.c index 4108ce8b4..bad484c9e 100644 --- a/hw/xen_disk.c +++ b/hw/xen_disk.c @@ -406,6 +406,7 @@ static int ioreq_map(struct ioreq *ioreq) xen_be_printf(&ioreq->blkdev->xendev, 0, "can't map grant ref %d (%s, %d maps)\n", refs[i], strerror(errno), ioreq->blkdev->cnt_map); + ioreq->mapped = 1; ioreq_unmap(ioreq); return -1; }
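Review bot: the added `ioreq->mapped = 1;` in front of `ioreq_unmap(ioreq);` needs a one-line comment in the hunk, because setting a "mapped" flag on the failure path reads like a mistake without the context that ioreq_unmap returns early unless the flag is set (the idempotence change from commit 4472beae that the message describes); a later cleanup could drop the line and reintroduce the grant-mapping leak. Something like `/* mark as mapped so ioreq_unmap() unwinds the grants mapped so far */` above the assignment would do. It is also worth confirming in review that ioreq_unmap only unmaps the entries mapped before index i, since the error message shows the loop stopping at refs[i] and the later entries were never mapped.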
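To make the leak described in the commit message concrete, here is an added, self-contained model of the map/unmap state machine. It is not QEMU's xen_disk code: the struct, the function names (`model_map`, `model_unmap`, `leaked_maps_after_failure`) and the constructed failure index are all hypothetical stand-ins for the ioreq, the grant-mapping loop and the per-domain map counter the message refers to. The `fixed` flag switches between the behaviour before and after the one-line change.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not QEMU's code) of an ioreq whose grant refs are
 * mapped one at a time, as in the non-batch path the commit message
 * describes. active_maps stands in for the per-domain map counter. */
struct model_ioreq {
    int nrefs;         /* number of grant refs to map */
    int fail_at;       /* constructed: index at which mapping fails, -1 for none */
    int mapped;        /* the 'mapped' flag from the commit */
    int mapped_count;  /* grant refs currently mapped by this ioreq */
    int active_maps;   /* outstanding mappings (per-domain limited resource) */
};

/* Map one grant ref; fails at the constructed fail_at index. */
static int model_map_one(struct model_ioreq *r, int i)
{
    if (i == r->fail_at) {
        return -1;
    }
    r->active_maps++;
    r->mapped_count++;
    return 0;
}

/* Unmap everything this ioreq mapped. The early return is the
 * idempotence guard from commit 4472beae described in the message. */
static void model_unmap(struct model_ioreq *r)
{
    if (!r->mapped) {
        return;
    }
    r->active_maps -= r->mapped_count;
    r->mapped_count = 0;
    r->mapped = 0;
}

/* Map all refs; on failure unwind. With fixed == 0 the unwind is skipped
 * by the guard above, so partially mapped grants are never released. */
static int model_map(struct model_ioreq *r, int fixed)
{
    for (int i = 0; i < r->nrefs; i++) {
        if (model_map_one(r, i) < 0) {
            if (fixed) {
                r->mapped = 1;  /* the one-line fix from the commit */
            }
            model_unmap(r);
            return -1;
        }
    }
    r->mapped = 1;
    return 0;
}

/* Number of grant mappings left outstanding after a map that fails at
 * index fail_at. Zero means nothing leaked. */
int leaked_maps_after_failure(int nrefs, int fail_at, int fixed)
{
    struct model_ioreq r;
    memset(&r, 0, sizeof r);
    r.nrefs = nrefs;
    r.fail_at = fail_at;
    model_map(&r, fixed);
    return r.active_maps;
}

/* Successful map followed by unmap: both versions release everything. */
int outstanding_after_roundtrip(int nrefs, int fixed)
{
    struct model_ioreq r;
    memset(&r, 0, sizeof r);
    r.nrefs = nrefs;
    r.fail_at = -1;
    model_map(&r, fixed);
    model_unmap(&r);
    return r.active_maps;
}

int main(void)
{
    printf("before fix, fail at ref 2 of 4: %d mappings leaked\n",
           leaked_maps_after_failure(4, 2, 0));
    printf("after fix,  fail at ref 2 of 4: %d mappings leaked\n",
           leaked_maps_after_failure(4, 2, 1));
    return 0;
}
```

Each failed request in the unfixed model leaves behind as many mappings as it had completed before the failure, which is why a frontend that can provoke map failures can exhaust the per-domain limit; the fixed model always returns the counter to zero.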