From 368c6ecb52dcdba4def2084f6ab9d65b92250df8 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Mon, 1 Oct 2007 06:36:25 +0100
Subject: [PATCH] xsm:acm: Fix nul dereference bug (take 2).
Signed-off-by: George Coker
---
 xen/include/xsm/acm/acm_core.h | 2 +-
 xen/include/xsm/acm/acm_hooks.h | 4 ++--
 xen/xsm/acm/acm_core.c | 8 ++++++--
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/xen/include/xsm/acm/acm_core.h b/xen/include/xsm/acm/acm_core.h
index b6d30d7c7b..df6ea63851 100644
--- a/xen/include/xsm/acm/acm_core.h
+++ b/xen/include/xsm/acm/acm_core.h
@@ -154,7 +154,7 @@ static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
 /* protos */
 int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
-void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
+void acm_free_domain_ssid(struct domain *);
 int acm_init_binary_policy(u32 policy_code);
 int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
 int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
diff --git a/xen/include/xsm/acm/acm_hooks.h b/xen/include/xsm/acm/acm_hooks.h
index 54bd15e2a0..f3ca68fa01 100644
--- a/xen/include/xsm/acm/acm_hooks.h
+++ b/xen/include/xsm/acm/acm_hooks.h
@@ -258,7 +258,7 @@ static inline void acm_domain_destroy(struct domain *d)
 acm_secondary_ops->domain_destroy(ssid, d);
 /* free security ssid for the destroyed domain (also if null policy */
 acm_domain_ssid_off_list(ssid);
- acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
+ acm_free_domain_ssid(d);
 }
 }
@@ -294,7 +294,7 @@ static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
 {
 acm_domain_ssid_onto_list(d->ssid);
 } else {
- acm_free_domain_ssid(d->ssid);
+ acm_free_domain_ssid(d);
 }
 error_out:
diff --git a/xen/xsm/acm/acm_core.c b/xen/xsm/acm/acm_core.c
index 59a281446d..3133877cf4 100644
--- a/xen/xsm/acm/acm_core.c
+++ b/xen/xsm/acm/acm_core.c
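Review bot: The new prototype in acm_core.h, `void acm_free_domain_ssid(struct domain *);`, drops the parameter name and says nothing about the changed contract. Going by the definition in acm_core.c, the function now reads `d->ssid` without checking `d`, frees it and resets the field to NULL, so callers must pass a live domain. I would name the parameter (`struct domain *d`) and put a comment above the declaration: `/* Free d->ssid and reset it to NULL; no-op if d->ssid is NULL. d must not be NULL. */`.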
@@ -361,7 +361,7 @@ int acm_init_domain_ssid(struct domain *subj, ssidref_t ssidref)
 {
 printk("%s: ERROR instantiating individual ssids for domain 0x%02x.\n",
 __func__, subj->domain_id);
- acm_free_domain_ssid(ssid);
+ acm_free_domain_ssid(subj);
 return ACM_INIT_SSID_ERROR;
 }
@@ -372,8 +372,10 @@ int acm_init_domain_ssid(struct domain *subj, ssidref_t ssidref)
 void
-acm_free_domain_ssid(struct acm_ssid_domain *ssid)
+acm_free_domain_ssid(struct domain *d)
 {
+ struct acm_ssid_domain *ssid = d->ssid;
+
 /* domain is already gone, just ssid is left */
 if (ssid == NULL)
 return;
@@ -387,6 +389,8 @@ acm_free_domain_ssid(struct acm_ssid_domain *ssid)
 ssid->secondary_ssid = NULL;
 xfree(ssid);
+ d->ssid = NULL;
+
 printkd("%s: Freed individual domain ssid (domain=%02x).\n",
 __func__, id);
 }
--
2.39.5
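Review bot: In the error branch of acm_init_domain_ssid(), `acm_free_domain_ssid(subj)` releases whatever `subj->ssid` points to, not the local `ssid` that the old call freed. The two are the same object only if `subj->ssid = ssid` has already run, and that assignment lies outside this hunk; if it has not, the free routine returns early on NULL and the fresh allocation leaks. I would state the dependency at the call site, e.g. `ASSERT(subj->ssid == ssid);` just before the call.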
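Review bot: The comment kept at the top of acm_free_domain_ssid(), `/* domain is already gone, just ssid is left */`, no longer matches the code. The function now takes the domain and dereferences it on its first line (`d->ssid`), so the domain must still be valid when it is called. I suggest rewording it to `/* nothing to free: ssid was never set up or has already been released */`. The rest of the function body lies outside this hunk.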
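Review bot: `d->ssid = NULL;` is placed after `xfree(ssid);`, which leaves a short window in which the domain still points at freed memory. Whether anything else can read `d->ssid` at that moment cannot be told from the hunk, but clearing the field first costs nothing: `d->ssid = NULL;` followed by `xfree(ssid);`. The function starts outside this hunk, so the `id` passed to printkd() is presumably captured before the free; worth confirming.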