[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.3] hvm_save_one: return correct data

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Sat, 11 Jan 2014 02:15:40 +0000
Delivery-date: Sat, 11 Jan 2014 02:15:44 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 670d64aed01e27d3e8b783fd83dc29bc46a808b7
Author:     Don Slutz <dslutz@xxxxxxxxxxx>
AuthorDate: Fri Jan 10 11:13:00 2014 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Jan 10 11:13:00 2014 +0100

    hvm_save_one: return correct data
    
    It is possible that hvm_sr_handlers[typecode].save does not use all
    the provided room.  Also it can use variable sized records.  In both
    cases, using:
    
       instance * hvm_sr_handlers[typecode].size
    
    does not select the correct instance.  Add code to search for the
    correct instance.
    
    Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Keir Fraser <keir@xxxxxxx>
    master commit: e019c606f598eb76585cc5d26a242a40dfc4d580
    master date: 2014-01-08 09:15:03 +0100
---
 xen/common/hvm/save.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c
index de76ada..6c16399 100644
--- a/xen/common/hvm/save.c
+++ b/xen/common/hvm/save.c
@@ -98,9 +98,6 @@ int hvm_save_one(struct domain *d, uint16_t typecode, 
uint16_t instance,
     else 
         sz = hvm_sr_handlers[typecode].size;
     
-    if ( (instance + 1) * hvm_sr_handlers[typecode].size > sz )
-        return -EINVAL;
-
     ctxt.size = sz;
     ctxt.data = xmalloc_bytes(sz);
     if ( !ctxt.data )
@@ -112,13 +109,30 @@ int hvm_save_one(struct domain *d, uint16_t typecode, 
uint16_t instance,
                d->domain_id, typecode);
         rv = -EFAULT;
     }
-    else if ( copy_to_guest(handle,
-                            ctxt.data 
-                            + (instance * hvm_sr_handlers[typecode].size) 
-                            + sizeof (struct hvm_save_descriptor), 
-                            hvm_sr_handlers[typecode].size
-                            - sizeof (struct hvm_save_descriptor)) )
-        rv = -EFAULT;
+    else
+    {
+        uint32_t off;
+        const struct hvm_save_descriptor *desc;
+
+        rv = -EBADSLT;
+        for ( off = 0; off < (ctxt.cur - sizeof(*desc)); off += desc->length )
+        {
+            desc = (void *)(ctxt.data + off);
+            /* Move past header */
+            off += sizeof(*desc);
+            if ( instance == desc->instance )
+            {
+                uint32_t copy_length = desc->length;
+
+                if ( off + copy_length > ctxt.cur )
+                    copy_length = ctxt.cur - off;
+                rv = 0;
+                if ( copy_to_guest(handle, ctxt.data + off, copy_length) )
+                    rv = -EFAULT;
+                break;
+            }
+        }
+    }
 
     xfree(ctxt.data);
     return rv;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen stable-4.3] AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Next by Date: [Xen-changelog] [xen master] dbg_rw_guest_mem: need to call put_gfn in error path
Previous by thread: [Xen-changelog] [xen stable-4.3] AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value
Next by thread: [Xen-changelog] [xen master] dbg_rw_guest_mem: need to call put_gfn in error path
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.