File xsa160.patch of Package xen.openSUSE_13.1_Update
From 7f9fd14c80b71b4abbca36f2747d2e75dfebc289 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 18 Nov 2015 15:34:54 +0000
Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
 build failure

The bootloader may call libxl__file_reference_map(), which mmap's the
pv_kernel and pv_ramdisk into process memory.  This was only unmapped,
however, on the success path of libxl__build_pv().  If there were a
failure anywhere between libxl_bootloader.c:parse_bootloader_result()
and the end of libxl__build_pv(), the calls to
libxl__file_reference_unmap() would be skipped, leaking the mapped
virtual memory.

Ideally this would be fixed by adding the unmap calls to the
destruction path for libxl__domain_build_state.  Unfortunately the
lifetime of the libxl__domain_build_state is opaque, and it doesn't
have a proper destruction path.  But, the only thing in it that isn't
from the gc are these bootloader references, and they are only ever
set for one libxl__domain_build_state, the one which is
libxl__domain_create_state.build_state.

So we can clean up in the exit path from libxl__domain_create_*, which
always comes through domcreate_complete.

Remove the now-redundant unmaps in libxl__build_pv's success path.

This is XSA-160.

Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
 tools/libxl/libxl_create.c |    3 +++
 tools/libxl/libxl_dom.c    |    3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)
Index: xen-4.3.4-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.3.4-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.3.4-testing/tools/libxl/libxl_create.c
@@ -1197,6 +1197,9 @@ static void domcreate_complete(libxl__eg
     STATE_AO_GC(dcs->ao);
     libxl_domain_config *const d_config = dcs->guest_config;
 
+    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
+    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
+
     if (!rc && d_config->b_info.exec_ssidref)
         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
 
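Review bot: The two libxl__file_reference_unmap() calls added at the top of domcreate_complete() run unconditionally, before rc is examined, so they also execute on completions where the bootloader never ran and nothing was mapped into dcs->build_state.pv_kernel or dcs->build_state.pv_ramdisk. That is only correct if libxl__file_reference_unmap() is a no-op on a reference that was never mapped and if build_state is in a defined state on every path that reaches this function, including early failures. Neither property is visible in this hunk, so please add a short comment above the calls stating that the unmap is safe on an unmapped reference and that this is the single cleanup point for the bootloader mappings. It would also help to confirm that nothing later in domcreate_complete() or in its callback still reads the mapped kernel or ramdisk.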
Index: xen-4.3.4-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.3.4-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.3.4-testing/tools/libxl/libxl_dom.c
@@ -420,9 +420,6 @@ int libxl__build_pv(libxl__gc *gc, uint3
         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
     }
 
-    libxl__file_reference_unmap(&state->pv_kernel);
-    libxl__file_reference_unmap(&state->pv_ramdisk);
-
     ret = 0;
 out:
     xc_dom_release(dom);
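Review bot: With the unmaps removed just before `ret = 0;`, libxl__build_pv() no longer releases state->pv_kernel and state->pv_ramdisk on any path, and nothing left in the function says who does. The commit message explains that these references are only ever set on libxl__domain_create_state.build_state and are now released in domcreate_complete(), but that invariant lives only in the changelog. Please leave a comment at this spot, or on the pv_kernel and pv_ramdisk fields, recording that ownership stays with the caller, so that a future caller which passes a different libxl__domain_build_state with mapped references does not reintroduce the leak that XSA-160 fixes.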