The page was allocated with MEMF_no_refcount. The MEMF_no_refcount flag means the page is allocated without a regular reference, but it still has the allocation reference. If get_page_and_type() fails, we still need to release the allocation reference. Otherwise the page would leak. domain_crash() doesn't free individual pages; it just marks the domain for destruction. The domain teardown will eventually free domain heap pages, but only those it can find. A page with a dangling alloc ref would prevent the page from being fully freed during domain cleanup.
Signed-off-by: Julian Vetter <[email protected]> --- Changes in v2: - New patch --- xen/common/ioreq.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index f5fd30ce12..5d722c8d4e 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -287,6 +287,7 @@ static int ioreq_server_alloc_mfn(struct ioreq_server *s, bool buf) * The domain can't possibly know about this page yet, so failure * here is a clear indication of something fishy going on. */ + put_page_alloc_ref(page); domain_crash(s->emulator); return -ENODATA; } -- 2.51.0 -- Julian Vetter | Vates Hypervisor & Kernel Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech
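Review bot: the ordering here is right, since put_page_alloc_ref(page) must come before domain_crash(s->emulator): as the commit message says, domain_crash() only marks the domain for destruction and frees nothing itself, so dropping the allocation reference first is the only way the page ever gets back to the heap. The hunk context does not show the allocation site or the failed get_page_and_type() call, so a reviewer should confirm two things outside the visible lines: that page was obtained with MEMF_no_refcount (so the alloc ref is the only reference held at this point and put_page_alloc_ref() is the correct release, not put_page()), and that no later cleanup path for the failed server also releases this page, which would turn the fix into a double put. It would also help to extend the existing comment above the call to note that the alloc ref is being dropped on this failure path, so the asymmetry with the success path is explicit to the next reader.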
