summaryrefslogtreecommitdiffstats
path: root/hw/block
diff options
context:
space:
mode:
authorMatthew Daley2013-10-10 16:10:48 +0200
committerStefano Stabellini2013-10-10 16:23:45 +0200
commita76f48e53382e6f039db6278443e3ce437653302 (patch)
tree1e9f31249bc29c15225fac0cc720dc9bab653b07 /hw/block
parentMerge remote-tracking branch 'kraxel/seabios-1.7.3.2' into staging (diff)
downloadqemu-a76f48e53382e6f039db6278443e3ce437653302.tar.gz
qemu-a76f48e53382e6f039db6278443e3ce437653302.tar.xz
qemu-a76f48e53382e6f039db6278443e3ce437653302.zip
xen_disk: mark ioreq as mapped before unmapping in error case
Commit 4472beae modified the semantics of ioreq_{un,}map so that they are idempotent if called when they're not needed (ie., twice in a row). However, it neglected to handle the case where batch mapping is not being used (the default), and one of the grants fails to map. In this case, ioreq_unmap will be called to unwind and unmap any mappings already performed, but ioreq_unmap simply returns due to the aforementioned change (the ioreq has not already been marked as mapped). The frontend user can therefore force xen_disk to leak grant mappings, a per-domain limited resource. Fix by marking the ioreq as mapped before calling ioreq_unmap in this situation. Signed-off-by: Matthew Daley <mattjd@gmail.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Diffstat (limited to 'hw/block')
-rw-r--r--hw/block/xen_disk.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index f35fc5944a..8742294dfb 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -405,6 +405,7 @@ static int ioreq_map(struct ioreq *ioreq)
xen_be_printf(&ioreq->blkdev->xendev, 0,
"can't map grant ref %d (%s, %d maps)\n",
refs[i], strerror(errno), ioreq->blkdev->cnt_map);
+ ioreq->mapped = 1;
ioreq_unmap(ioreq);
return -1;
}