Jan Beulich
2012-Sep-05 12:39 UTC
[PATCH 08/11] tmem: properly drop lock on error path in do_tmem_op()
This is part of XSA-15 / CVE-2012-3497. Reported-by: Tim Deegan <tim@xen.org> Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com> --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -2659,13 +2659,19 @@ EXPORT long do_tmem_op(tmem_cli_op_t uop if ( client != NULL && tmh_client_is_dying(client) ) { rc = -ENODEV; - goto out; + if ( tmh_lock_all ) + goto out; + simple_error: + errored_tmem_ops++; + return rc; } if ( unlikely(tmh_get_tmemop_from_client(&op, uops) != 0) ) { printk("tmem: can''t get tmem struct from %s\n",client_str); rc = -EFAULT; + if ( !tmh_lock_all ) + goto simple_error; goto out; } _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel