
[Xen-changelog] [xen stable-4.5] mm: populate_physmap: validate correctly the gfn for direct mapped domain



commit fabd2cffef1eaf94159b941edb1dc05c8cf20597
Author:     Julien Grall <julien.grall@xxxxxxxxxx>
AuthorDate: Thu Sep 10 15:31:30 2015 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Sep 10 15:31:30 2015 +0200

    mm: populate_physmap: validate correctly the gfn for direct mapped domain
    
    A direct mapped domain already has its memory allocated 1:1, so we are
    directly using the gfn as mfn to map the RAM in the guest.
    
    While we are validating that the page associated with the first mfn belongs
    to the domain, the subsequent MFNs are not validated when the extent_order
    is > 0.
    
    This may result in mapping a memory region (MMIO, RAM) which doesn't belong
    to the domain.
    
    Although, only DOM0 on ARM is using a direct memory mapping. So it
    doesn't affect any guest (at least on the upstream version) or even x86.
    
    Signed-off-by: Julien Grall <julien.grall@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Release-acked-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    master commit: 9503ab0e9c6a41a1ee7a70c8ea9313d08ebaa8c5
    master date: 2015-08-13 14:41:09 +0200
---
 xen/common/memory.c |   32 +++++++++++++++++++-------------
 1 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/xen/common/memory.c b/xen/common/memory.c
index e84ace9..29986a6 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -126,22 +126,28 @@ static void populate_physmap(struct memop_args *a)
             if ( is_domain_direct_mapped(d) )
             {
                 mfn = gpfn;
-                if ( !mfn_valid(mfn) )
-                {
-                    gdprintk(XENLOG_INFO, "Invalid mfn %#"PRI_xen_pfn"\n",
-                             mfn);
-                    goto out;
-                }
 
-                page = mfn_to_page(mfn);
-                if ( !get_page(page, d) )
+                for ( j = 0; j < (1U << a->extent_order); j++, mfn++ )
                 {
-                    gdprintk(XENLOG_INFO,
-                             "mfn %#"PRI_xen_pfn" doesn't belong to the"
-                             " domain\n", mfn);
-                    goto out;
+                    if ( !mfn_valid(mfn) )
+                    {
+                        gdprintk(XENLOG_INFO, "Invalid mfn %#"PRI_xen_pfn"\n",
+                                 mfn);
+                        goto out;
+                    }
+
+                    page = mfn_to_page(mfn);
+                    if ( !get_page(page, d) )
+                    {
+                        gdprintk(XENLOG_INFO,
+                                 "mfn %#"PRI_xen_pfn" doesn't belong to the"
+                                 " domain\n", mfn);
+                        goto out;
+                    }
+                    put_page(page);
                 }
-                put_page(page);
+
+                page = mfn_to_page(gpfn);
             }
             else
                 page = alloc_domheap_pages(d, a->extent_order, a->memflags);
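
Review bot: After the new for loop, mfn is left at gpfn + (1U << a->extent_order) because the loop header advances it with mfn++, and only page is restored by "page = mfn_to_page(gpfn);". Any code after this block that reads mfn before reassigning it would see the frame just past the extent rather than its start, so either iterate over a separate local (for example mfn_valid(gpfn + j)) or reset mfn to gpfn after the loop, and say in a comment which one the following code relies on. Two smaller points in the same loop: the bound "1U << a->extent_order" is only well defined if extent_order has been range-checked before this point, which these lines do not show, and each page reference is dropped by put_page(page) inside the loop, so the ownership check is a point-in-time check; a one-line comment stating why no reference needs to be held for a direct mapped domain would help the next reader.
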
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.5
