find_ring_mfn() already holds a page reference when trying to obtain a
writable type reference. We shouldn't make assumptions on the general
reference count limit being effectively "infinity". Obtain merely a type
ref, re-using the general ref by only dropping the previously acquired
one in the case of an error.

Signed-off-by: Jan Beulich <[email protected]>
---
I further question the log-dirty check there: The present P2M type of a
page doesn't really matter for writing to the page (plus it's stale by
the time it is looked at). Instead I think every write to such a page
needs to be accompanied by a call to paging_mark_dirty().

--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -1429,10 +1429,11 @@ find_ring_mfn(struct domain *d, gfn_t gf
         ret = -EAGAIN;
 #endif
     else if ( (p2mt != p2m_ram_rw) ||
-              !get_page_and_type(page, d, PGT_writable_page) )
+              !get_page_type(page, PGT_writable_page) )
         ret = -EINVAL;
 
-    put_page(page);
+    if ( unlikely(ret) )
+        put_page(page);
 
     return ret;
 }
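Review bot: On the success path, after the change to "if ( unlikely(ret) ) put_page(page);", the function returns still holding the general page reference taken earlier plus the new writable type reference, and nothing in the hunk documents that the caller now owns both. A short comment above the conditional put_page() would make the pairing explicit: one general ref and one type ref are handed to the caller on success and must be dropped together (put_page_and_type() on the release side). The conditional also depends on ret being zero whenever none of the error branches is taken. That initialisation is outside the visible context and is worth confirming.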
