|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 08/11] gnttab: remove host map in the event of a grant_map failure
From: George Dunlap <george.dunlap@xxxxxxxxxx>
The current code appropriately removes the reference and type counts
on failure, but leaves the mapping set up. As the only path which can
trigger this is failure from IOMMU manipulation, and as unprivileged
domains are being crashed in that case, this is not by itself a
security issue.
Reported-by: Jan Beulich <jbeulich@xxxxxxxx>
Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -764,6 +764,7 @@ __gnttab_map_grant_ref(
u32 old_pin;
u32 act_pin;
unsigned int cache_flags, refcnt = 0, typecnt = 0;
+ bool host_map_created = false;
struct active_grant_entry *act = NULL;
struct grant_mapping *mt;
grant_entry_header_t *shah;
@@ -923,6 +924,8 @@ __gnttab_map_grant_ref(
cache_flags);
if ( rc != GNTST_okay )
goto undo_out;
+
+ host_map_created = true;
}
}
else if ( owner == rd || owner == dom_cow )
@@ -960,6 +963,8 @@ __gnttab_map_grant_ref(
rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0);
if ( rc != GNTST_okay )
goto undo_out;
+
+ host_map_created = true;
}
}
else
@@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref(
return;
undo_out:
+ if ( host_map_created )
+ {
+ replace_grant_host_mapping(op->host_addr, frame, 0, op->flags);
+ gnttab_flush_tlb(ld);
+ }
+
while ( typecnt-- )
put_page_type(pg);
Attachment:
gnttab-remove-host-map.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |