| Message ID | 1490605592-12189-11-git-send-email-jtotto@uwaterloo.ca (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 27/03/17 10:06, Joshua Otto wrote: > colo_merge_secondary_dirty_bitmap() unconditionally free()s the .data > member of its local xc_sr_record structure rec on its exit path. > However, if the initial call to read_record() fails then this member is > uninitialised. Initialise it. > > Signed-off-by: Joshua Otto <jtotto@uwaterloo.ca> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> This bugfix should be taken ASAP, and needs backporting to Xen 4.7 and 4.8 > --- > tools/libxc/xc_sr_save.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/libxc/xc_sr_save.c b/tools/libxc/xc_sr_save.c > index ac97d93..6acc8d3 100644 > --- a/tools/libxc/xc_sr_save.c > +++ b/tools/libxc/xc_sr_save.c > @@ -681,7 +681,7 @@ static int send_memory_live(struct xc_sr_context *ctx) > static int colo_merge_secondary_dirty_bitmap(struct xc_sr_context *ctx) > { > xc_interface *xch = ctx->xch; > - struct xc_sr_record rec; > + struct xc_sr_record rec = { 0, 0, NULL }; > uint64_t *pfns = NULL; > uint64_t pfn; > unsigned count, i;
On Tue, Mar 28, 2017 at 08:59:09PM +0100, Andrew Cooper wrote: > On 27/03/17 10:06, Joshua Otto wrote: > > colo_merge_secondary_dirty_bitmap() unconditionally free()s the .data > > member of its local xc_sr_record structure rec on its exit path. > > However, if the initial call to read_record() fails then this member is > > uninitialised. Initialise it. > > > > Signed-off-by: Joshua Otto <jtotto@uwaterloo.ca> > > Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> > > This bugfix should be taken ASAP, and needs backporting to Xen 4.7 and 4.8 Acked + applied. > > > --- > > tools/libxc/xc_sr_save.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/tools/libxc/xc_sr_save.c b/tools/libxc/xc_sr_save.c > > index ac97d93..6acc8d3 100644 > > --- a/tools/libxc/xc_sr_save.c > > +++ b/tools/libxc/xc_sr_save.c > > @@ -681,7 +681,7 @@ static int send_memory_live(struct xc_sr_context *ctx) > > static int colo_merge_secondary_dirty_bitmap(struct xc_sr_context *ctx) > > { > > xc_interface *xch = ctx->xch; > > - struct xc_sr_record rec; > > + struct xc_sr_record rec = { 0, 0, NULL }; > > uint64_t *pfns = NULL; > > uint64_t pfn; > > unsigned count, i; >
diff --git a/tools/libxc/xc_sr_save.c b/tools/libxc/xc_sr_save.c index ac97d93..6acc8d3 100644 --- a/tools/libxc/xc_sr_save.c +++ b/tools/libxc/xc_sr_save.c @@ -681,7 +681,7 @@ static int send_memory_live(struct xc_sr_context *ctx) static int colo_merge_secondary_dirty_bitmap(struct xc_sr_context *ctx) { xc_interface *xch = ctx->xch; - struct xc_sr_record rec; + struct xc_sr_record rec = { 0, 0, NULL }; uint64_t *pfns = NULL; uint64_t pfn; unsigned count, i;
colo_merge_secondary_dirty_bitmap() unconditionally free()s the .data member of its local xc_sr_record structure rec on its exit path. However, if the initial call to read_record() fails then this member is uninitialised. Initialise it. Signed-off-by: Joshua Otto <jtotto@uwaterloo.ca> --- tools/libxc/xc_sr_save.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)