xen/gntalloc: fix oops after runnning out of grant refs

Only set gref->gref_id if foreign access was successfully granted and
the grant ref is valid.

If gref->gref_id == -ENOSPC the test in __del_gref() would incorrectly
attempt to end foreign access (because grant_ref_t is unsigned).

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reported-by: Dave Scott <dave.scott@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>

1 files changed, 4 insertions, 6 deletions

diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
index 787d17945418..8ed2bb4f6f21 100644
--- a/drivers/xen/gntalloc.c
+++ b/drivers/xen/gntalloc.c
@@ -141,13 +141,11 @@ static int add_grefs(struct ioctl_gntalloc_alloc_gref *op,
                         goto undo;
 
                 /* Grant foreign access to the page. */
-                gref->gref_id = gnttab_grant_foreign_access(op->domid,
+                rc = gnttab_grant_foreign_access(op->domid,
                         pfn_to_mfn(page_to_pfn(gref->page)), readonly);
-                if ((int)gref->gref_id < 0) {
-                        rc = gref->gref_id;
+                if (rc < 0)
                         goto undo;
-                }
-                gref_ids[i] = gref->gref_id;
+                gref_ids[i] = gref->gref_id = rc;
         }
 
         /* Add to gref lists. */
@@ -193,7 +191,7 @@ static void __del_gref(struct gntalloc_gref *gref)
 
         gref->notify.flags = 0;
 
-        if (gref->gref_id > 0) {
+        if (gref->gref_id) {
                 if (gnttab_query_foreign_access(gref->gref_id))
                         return;