Commit a76f48e5 authored by Matthew Daley's avatar Matthew Daley Committed by Stefano Stabellini
Browse files

xen_disk: mark ioreq as mapped before unmapping in error case 



Commit 4472beae modified the semantics of ioreq_{un,}map so that they are
idempotent if called when they're not needed (ie., twice in a row). However,
it neglected to handle the case where batch mapping is not being used (the
default), and one of the grants fails to map. In this case, ioreq_unmap will
be called to unwind and unmap any mappings already performed, but ioreq_unmap
simply returns due to the aforementioned change (the ioreq has not already
been marked as mapped).

The frontend user can therefore force xen_disk to leak grant mappings, a
per-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this
situation.

Signed-off-by: default avatarMatthew Daley <mattjd@gmail.com>
Signed-off-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
parent a684f3cf

hw/block/xen_disk.c

+1 −0
Original line number Diff line number Diff line
@@ -405,6 +405,7 @@ static int ioreq_map(struct ioreq *ioreq) 
                xen_be_printf(&ioreq->blkdev->xendev, 0,

                              "can't map grant ref %d (%s, %d maps)\n",

                              refs[i], strerror(errno), ioreq->blkdev->cnt_map);

                ioreq->mapped = 1;

                ioreq_unmap(ioreq);

                return -1;

            }