Jan Beulich
2012-Sep-05 12:38 UTC
[PATCH 07/11] tmem: properly drop lock on error path in do_tmem_get()
Also remove a bogus assertion.
This is part of XSA-15 / CVE-2012-3497.
Reported-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1790,7 +1790,6 @@ static NOINLINE int do_tmem_get(pool_t *
list_del(&pgp->us.client_eph_pages);
list_add_tail(&pgp->us.client_eph_pages,&client->ephemeral_page_list);
tmem_spin_unlock(&eph_lists_spinlock);
- ASSERT(obj != NULL);
obj->last_client = tmh_get_cli_id_from_current();
}
}
@@ -1807,6 +1806,8 @@ static NOINLINE int do_tmem_get(pool_t *
return 1;
bad_copy:
+ obj->no_evict = 0;
+ tmem_spin_unlock(&obj->obj_spinlock);
failed_copies++;
return rc;
}
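Review bot: The cleanup added at `bad_copy:` is only correct if every `goto bad_copy` is reached with `obj` non-NULL, `obj->obj_spinlock` held and `no_evict` set, and the label carries no comment stating that invariant. The jump sites are outside this hunk (do_tmem_get's body starts before it), so this cannot be confirmed from the lines shown. A later error path that jumps here before the lock is taken would unlock a spinlock it does not hold, and one that returns without going through the label would reintroduce the leaked lock this patch fixes. I would document the precondition at the label, e.g. `/* bad_copy: entered with obj->obj_spinlock held and obj->no_evict set; both are released here */`. It is also worth checking that the two lines match the release sequence on the success path above `return 1;`, so the two exits do not drift apart.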