[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.2] VTD/DMAR: free() correct pointer on error from acpi_parse_one_atsr()

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Mon, 13 Jan 2014 20:00:26 +0000
Delivery-date: Mon, 13 Jan 2014 20:00:30 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit be6a5018e4b7b2e5b52952317690428c002072c7
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Jan 13 16:00:28 2014 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Jan 13 16:00:28 2014 +0100

    VTD/DMAR: free() correct pointer on error from acpi_parse_one_atsr()
    
    Free the allocated structure rather than the ACPI table ATS entry.
    
    On further analysis, there is another memory leak.  acpi_parse_dev_scope()
    could allocate scope->devices, and return with -ENOMEM.  All callers of
    acpi_parse_dev_scope() would then free the underlying structure, loosing the
    pointer.
    
    These errors can only actually be reached through acpi_parse_dev_scope()
    (which passes type = DMAR_TYPE), but I am quite surprised Coverity didn't 
spot
    it.
    
    Coverity-ID: 1146949
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 62d33ca1048f4e08eaeb026c7b79239b4605b636
    master date: 2014-01-07 14:59:31 +0100
---
 xen/drivers/passthrough/vtd/dmar.c |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/xen/drivers/passthrough/vtd/dmar.c 
b/xen/drivers/passthrough/vtd/dmar.c
index 309a985..0c52bd6 100644
--- a/xen/drivers/passthrough/vtd/dmar.c
+++ b/xen/drivers/passthrough/vtd/dmar.c
@@ -282,7 +282,7 @@ static int __init acpi_parse_dev_scope(
     const struct acpi_dmar_device_scope *acpi_scope;
     u16 bus, sub_bus, sec_bus;
     const struct acpi_dmar_pci_path *path;
-    int depth, cnt, didx = 0;
+    int depth, cnt, didx = 0, ret;
 
     if ( (cnt = scope_device_count(start, end)) < 0 )
         return cnt;
@@ -355,9 +355,11 @@ static int __init acpi_parse_dev_scope(
             if ( type == DMAR_TYPE )
             {
                 struct acpi_drhd_unit *drhd = acpi_entry;
+
+                ret = -ENOMEM;
                 acpi_ioapic_unit = xmalloc(struct acpi_ioapic_unit);
                 if ( !acpi_ioapic_unit )
-                    return -ENOMEM;
+                    goto out;
                 acpi_ioapic_unit->apic_id = acpi_scope->enumeration_id;
                 acpi_ioapic_unit->ioapic.bdf.bus = bus;
                 acpi_ioapic_unit->ioapic.bdf.dev = path->dev;
@@ -378,7 +380,13 @@ static int __init acpi_parse_dev_scope(
         start += acpi_scope->length;
    }
 
-    return 0;
+    ret = 0;
+
+ out:
+    if ( ret )
+        xfree(scope->devices);
+
+    return ret;
 }
 
 static int __init acpi_dmar_check_length(
@@ -667,7 +675,7 @@ acpi_parse_one_atsr(struct acpi_dmar_header *header)
     }
 
     if ( ret )
-        xfree(atsr);
+        xfree(atsru);
     else
         acpi_register_atsr_unit(atsru);
     return ret;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.2

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen stable-4.2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
Next by Date: [Xen-changelog] [xen stable-4.2] AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Previous by thread: [Xen-changelog] [xen stable-4.2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
Next by thread: [Xen-changelog] [xen stable-4.2] AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.