In the case that bad_ioapic_register() fails, the current position of idx++
means that clear_fixmap(idx) will be called with the wrong index, and not
clean up the mapping just created.

Increment idx as part of the loop, rather than midway through the loop body.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
---
 xen/arch/x86/io_apic.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index 878ee5192d..e66fa99ec7 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -2543,7 +2543,7 @@ static void __init ioapic_init_mappings(void)
 
     nr_irqs_gsi = 0;
 
-    for ( i = 0; i < nr_ioapics; i++ )
+    for ( i = 0; i < nr_ioapics; i++, idx++ )
     {
         union IO_APIC_reg_01 reg_01;
         paddr_t ioapic_phys = mp_ioapics[i].mpc_apicaddr;
@@ -2560,7 +2560,6 @@ static void __init ioapic_init_mappings(void)
         set_fixmap_nocache(idx, ioapic_phys);
         apic_printk(APIC_VERBOSE, "mapped IOAPIC to %08Lx (%08lx)\n",
                     __fix_to_virt(idx), ioapic_phys);
-        idx++;
 
         if ( bad_ioapic_register(i) )
         {
-- 
2.11.0

On 05.08.2020 14:51, Andrew Cooper wrote:
> In the case that bad_ioapic_register() fails, the current position of idx++
> means that clear_fixmap(idx) will be called with the wrong index, and not
> clean up the mapping just created.
> 
> Increment idx as part of the loop, rather than midway through the loop body.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>