KVM: x86/xen: Fix eventfd error handling in kvm_xen_eventfd_assign()

Should not call eventfd_ctx_put() in case of error.

Fixes: 2fd6df2f2b47 ("KVM: x86/xen: intercept EVTCHNOP_send from guests")
Reported-by: syzbot+6f0c896c5a9449a10ded@syzkaller.appspotmail.com
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Message-Id: <20221028092631.117438-1-eiichi.tsukata@nutanix.com>
[Introduce new goto target instead. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index b2be60c..2dae413 100644 (file)
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -1666,18 +1666,18 @@ static int kvm_xen_eventfd_assign(struct kvm *kvm,
        case EVTCHNSTAT_ipi:
                /* IPI  must map back to the same port# */
                if (data->u.evtchn.deliver.port.port != data->u.evtchn.send_port)
-                       goto out; /* -EINVAL */
+                       goto out_noeventfd; /* -EINVAL */
                break;
 
        case EVTCHNSTAT_interdomain:
                if (data->u.evtchn.deliver.port.port) {
                        if (data->u.evtchn.deliver.port.port >= max_evtchn_port(kvm))
-                               goto out; /* -EINVAL */
+                               goto out_noeventfd; /* -EINVAL */
                } else {
                        eventfd = eventfd_ctx_fdget(data->u.evtchn.deliver.eventfd.fd);
                        if (IS_ERR(eventfd)) {
                                ret = PTR_ERR(eventfd);
-                               goto out;
+                               goto out_noeventfd;
                        }
                }
                break;
@@ -1717,6 +1717,7 @@ static int kvm_xen_eventfd_assign(struct kvm *kvm,
 out:
        if (eventfd)
                eventfd_ctx_put(eventfd);
+out_noeventfd:
        kfree(evtchnfd);
        return ret;
 }