Tmem double-frees a high-level data structure causing memory corruption under certain circumstances.
Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>
diff -r bec27eb6f72c xen/common/tmem.c
--- a/xen/common/tmem.c Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem.c Mon Nov 16 09:25:14 2009 -0700
@@ -943,7 +943,7 @@ static void client_free(client_t *client
 {
 list_del(&client->client_list);
 tmh_client_destroy(client->tmh);
- tmem_free(client,sizeof(client_t),NULL);
+ tmh_free_infra(client);
 }
 /* flush all data from a client and, optionally, free it */
diff -r bec27eb6f72c xen/common/tmem_xen.c
--- a/xen/common/tmem_xen.c Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem_xen.c Mon Nov 16 09:25:14 2009 -0700
@@ -294,7 +294,7 @@ EXPORT tmh_client_t *tmh_client_init(voi
 if ( (tmh = xmalloc(tmh_client_t)) == NULL )
 return NULL;
 for (i = 0, shift = 12; i < 4; shift -=4, i++)
- name[i] = ((unsigned short)domid >> shift) & 0xf;
+ name[i] = (((unsigned short)domid >> shift) & 0xf) + ''0'';
 name[4] = ''\0'';
 #ifndef __i386__
 tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
@@ -315,7 +315,6 @@ EXPORT void tmh_client_destroy(tmh_clien
 xmem_pool_destroy(tmh->persistent_pool);
 #endif
 put_domain(tmh->domain);
- xfree(tmh);
 }
 /****************** XEN-SPECIFIC HOST INITIALIZATION ********************/
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
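Review bot: The new `tmh_free_infra(client)` call in client_free is only correct if `client` came from the allocator that tmh_free_infra releases, and that allocation is not in this diff, so the pairing cannot be confirmed from here. Releasing an object through the wrong allocator is itself a source of heap corruption, so the pairing should be recorded next to the call, for example `/* client is an infra allocation: release with tmh_free_infra(), never tmem_free() */`. It would also help if the commit message named which structure was freed twice and by which two paths, since the hunks alone do not show the second free.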
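Review bot: Adding `'0'` to the nibble in the name loop of tmh_client_init yields digits only for values 0 to 9; values 10 to 15 become the punctuation characters `:` through `?` instead of hex letters. The name stays unique per domid and no longer contains an embedded NUL, so this is cosmetic, but pool names that show up in logs or debug output will look corrupted. If the intent is a four-digit hex rendering of the domid, `name[i] = "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf];` does that in one line. The function body starts and ends outside this hunk.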
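Review bot: With `xfree(tmh)` removed from tmh_client_destroy, nothing visible in this diff releases the `tmh_client_t` that tmh_client_init obtains from `xmalloc`. client_free in the first hunk calls `tmh_client_destroy(client->tmh)` and then frees only `client`, which drops the last visible reference. If the other free that made this a double free lives outside the diff, ownership should be stated on the function, for example `/* does not free tmh; the owner of the pointer releases it */`. Otherwise this trades the double free for a leak on every client teardown. The start of the function is outside the hunk.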