Commit 73536338 authored by Eiichi Tsukata's avatar Eiichi Tsukata Committed by Paolo Bonzini

KVM: x86/xen: Fix eventfd error handling in kvm_xen_eventfd_assign()



Should not call eventfd_ctx_put() in case of error.

Fixes: 2fd6df2f ("KVM: x86/xen: intercept EVTCHNOP_send from guests")
Reported-by: default avatar <syzbot+6f0c896c5a9449a10ded@syzkaller.appspotmail.com>
Signed-off-by: default avatarEiichi Tsukata <eiichi.tsukata@nutanix.com>
Message-Id: <20221028092631.117438-1-eiichi.tsukata@nutanix.com>
[Introduce new goto target instead. - Paolo]
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 696db303
+4 −3
@@ -1666,18 +1666,18 @@ static int kvm_xen_eventfd_assign(struct kvm *kvm,
	case EVTCHNSTAT_ipi:
		/* IPI  must map back to the same port# */
		if (data->u.evtchn.deliver.port.port != data->u.evtchn.send_port)
			goto out; /* -EINVAL */
			goto out_noeventfd; /* -EINVAL */
		break;

	case EVTCHNSTAT_interdomain:
		if (data->u.evtchn.deliver.port.port) {
			if (data->u.evtchn.deliver.port.port >= max_evtchn_port(kvm))
				goto out; /* -EINVAL */
				goto out_noeventfd; /* -EINVAL */
		} else {
			eventfd = eventfd_ctx_fdget(data->u.evtchn.deliver.eventfd.fd);
			if (IS_ERR(eventfd)) {
				ret = PTR_ERR(eventfd);
				goto out;
				goto out_noeventfd;
			}
		}
		break;
@@ -1717,6 +1717,7 @@ static int kvm_xen_eventfd_assign(struct kvm *kvm,
out:
	if (eventfd)
		eventfd_ctx_put(eventfd);
out_noeventfd:
	kfree(evtchnfd);
	return ret;
}
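Review bot: The `if (eventfd)` guard under `out:` is still true for an ERR_PTR, so after this change only the choice of label keeps a failed `eventfd_ctx_fdget()` result away from `eventfd_ctx_put()`. The fd is read from `data->u.evtchn.deliver.eventfd.fd`, which looks caller-supplied, so a later error path that jumps to `out` by mistake would reintroduce the invalid-pointer put this commit fixes. I would document the contract at the labels, e.g. `/* out: eventfd is NULL or a held reference; out_noeventfd: eventfd is NULL or an ERR_PTR, nothing to put */`, or clear the pointer in the failure branch (`eventfd = NULL;` after `ret = PTR_ERR(eventfd);`) so the guard holds on its own. The start of the function and the code between the two hunks are not visible here, so the NULL initialisation of `eventfd` is assumed rather than confirmed.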