|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [linux-2.6.18-xen] usbfront: do not assume sequentially mapped pages
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1238497310 -3600
# Node ID b358ebf1c41664c7a7cf5b33feb5df779631229f
# Parent 3a4410c4504ea64f2c1e873df3234938366050ad
usbfront: do not assume sequentially mapped pages
xenhcd_gnttab_map in usbfront-q.c looks up the mfn of the start of the
usb transfer buffer. But the buffer may span several pages, and the
current code simply increments the obtained mfn. Needless to say this
is an unwarranted assumption. It causes large transfers to be
corrupted and/or to overwrite other parts of memory.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
drivers/xen/usbfront/usbfront-q.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff -r 3a4410c4504e -r b358ebf1c416 drivers/xen/usbfront/usbfront-q.c
--- a/drivers/xen/usbfront/usbfront-q.c Tue Mar 31 12:00:53 2009 +0100
+++ b/drivers/xen/usbfront/usbfront-q.c Tue Mar 31 12:01:50 2009 +0100
@@ -106,12 +106,15 @@ static inline void xenhcd_gnttab_map(str
unsigned int bytes;
int i;
- page = virt_to_page(addr);
- buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
- offset = offset_in_page(addr);
len = length;
for(i = 0;i < nr_pages;i++){
+ BUG_ON(!len);
+
+ page = virt_to_page(addr);
+ buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
+ offset = offset_in_page(addr);
+
bytes = PAGE_SIZE - offset;
if(bytes > len)
bytes = len;
@@ -123,9 +126,8 @@ static inline void xenhcd_gnttab_map(str
seg[i].offset = (uint16_t)offset;
seg[i].length = (uint16_t)bytes;
- buffer_pfn++;
+ addr += bytes;
len -= bytes;
- offset = 0;
}
}
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |