[Xen-devel] [PATCH] usbfront: do not assume sequentially mapped pages
xenhcd_gnttab_map in usbfront-q.c looks up the mfn of the start of the usb transfer buffer. But the buffer may span several pages, and the current code simply increments the obtained mfn. Needless to say this is an unwarranted assumption. It causes large transfers to be corrupted and/or to overwrite other parts of memory. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> diff -r 87c84f7dd850 drivers/xen/usbfront/usbfront-q.c --- a/drivers/xen/usbfront/usbfront-q.c Fri Mar 20 09:00:58 2009 +0000 +++ b/drivers/xen/usbfront/usbfront-q.c Fri Mar 27 17:53:12 2009 +0100 @@ -106,12 +106,15 @@ static inline void xenhcd_gnttab_map(str unsigned int bytes; int i; - page = virt_to_page(addr); - buffer_pfn = page_to_phys(page) >> PAGE_SHIFT; - offset = offset_in_page(addr); len = length; for(i = 0;i < nr_pages;i++){ + BUG_ON(!len); + + page = virt_to_page(addr); + buffer_pfn = page_to_phys(page) >> PAGE_SHIFT; + offset = offset_in_page(addr); + bytes = PAGE_SIZE - offset; if(bytes > len) bytes = len; @@ -123,9 +126,8 @@ static inline void xenhcd_gnttab_map(str seg[i].offset = (uint16_t)offset; seg[i].length = (uint16_t)bytes; - buffer_pfn++; + addr += bytes; len -= bytes; - offset = 0; } } _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
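Review bot: In the first hunk (@@ -106,12 +106,15 @@), the new `BUG_ON(!len)` at the top of the loop body enforces an invariant that is not written down anywhere in the visible code: `nr_pages` must be exactly the number of pages spanned by `addr` and `length`. A short comment above the loop stating how the caller is expected to derive `nr_pages` would make the assertion self-explanatory. It is also worth noting next to the relocated `virt_to_page(addr)` that the per-page lookup is only valid for addresses in the kernel's direct mapping, since the function now relies on that for every page of the buffer and not only the first.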
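Review bot: In the second hunk (@@ -123,9 +126,8 @@), nothing after the loop's closing brace checks that `len` has reached zero, so the new `BUG_ON(!len)` only catches an `nr_pages` that is too large. If `nr_pages` is too small, `addr += bytes; len -= bytes;` simply stops early and the tail of the transfer buffer gets no segment, which would go unnoticed. Adding `BUG_ON(len);` after the loop would make the check symmetric. Dropping `offset = 0;` is fine because `offset` is now recomputed from `addr` on each iteration.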