# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1258958894 0
# Node ID 218e9e47fa507acae30cf0e62b6ba33861a7be4a
# Parent c11e2c3df5471514eaeb5dc2ba601f3f368627ac
tmem: fix double-free bug
Tmem double-frees a high-level data structure causing memory
corruption under certain circumstances.
Signed-off-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
---
xen/common/tmem.c | 2 +-
xen/common/tmem_xen.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff -r c11e2c3df547 -r 218e9e47fa50 xen/common/tmem.c
--- a/xen/common/tmem.c Mon Nov 23 06:47:29 2009 +0000
+++ b/xen/common/tmem.c Mon Nov 23 06:48:14 2009 +0000
@@ -943,7 +943,7 @@ static void client_free(client_t *client
{
list_del(&client->client_list);
tmh_client_destroy(client->tmh);
- tmem_free(client,sizeof(client_t),NULL);
+ tmh_free_infra(client);
}
/* flush all data from a client and, optionally, free it */
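Review bot: With `xfree(tmh)` dropped from tmh_client_destroy() in the tmem_xen.c hunk, nothing visible in client_free releases `client->tmh` after `tmh_client_destroy(client->tmh)` returns; `tmh_free_infra(client)` is passed only the client. If the tmh_client_t that tmh_client_init() obtains from `xmalloc` is not freed on some other path, the double free has been exchanged for a leak on every client teardown. The owner should be stated here, for example `/* client->tmh is released by <owner>; tmh_client_destroy() only drops the pool and the domain reference */`. The switch from `tmem_free(client,sizeof(client_t),NULL)` to `tmh_free_infra(client)` also deserves a one-line comment naming the allocator the client came from, since a free routine that does not match its allocator corrupts the heap in the same way; the allocation site is outside the hunk.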
diff -r c11e2c3df547 -r 218e9e47fa50 xen/common/tmem_xen.c
--- a/xen/common/tmem_xen.c Mon Nov 23 06:47:29 2009 +0000
+++ b/xen/common/tmem_xen.c Mon Nov 23 06:48:14 2009 +0000
@@ -295,7 +295,7 @@ EXPORT tmh_client_t *tmh_client_init(voi
if ( (tmh = xmalloc(tmh_client_t)) == NULL )
return NULL;
for (i = 0, shift = 12; i < 4; shift -=4, i++)
- name[i] = ((unsigned short)domid >> shift) & 0xf;
+ name[i] = (((unsigned short)domid >> shift) & 0xf) + '0';
name[4] = '\0';
#ifndef __i386__
tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
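Review bot: Adding `'0'` to the nibble makes values 0-9 printable but maps 10-15 to `:` `;` `<` `=` `>` `?`, so the pool name is not a hex rendering of domid. Indexing a digit table, `name[i] = "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf];`, keeps the name unique and readable in pool listings and logs. The old code stored the raw nibble, so any zero nibble put a NUL inside the name and truncated it; a comment such as `/* pool name: 4 hex digits of domid, no NUL before name[4] */` would record why the conversion matters. tmh_client_init starts and ends outside the hunk, so the size of `name` and the handling of a failed `xmem_pool_create` cannot be checked from here.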
@@ -316,7 +316,6 @@ EXPORT void tmh_client_destroy(tmh_clien
xmem_pool_destroy(tmh->persistent_pool);
#endif
put_domain(tmh->domain);
- xfree(tmh);
}
/****************** XEN-SPECIFIC HOST INITIALIZATION ********************/