[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.11] gnttab: set page refcount for copy-on-grant-transfer

commit 1028304d4244df2ee9af0ca37ee8a6f998c61d9c
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Mar 5 14:58:42 2019 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Mar 5 14:58:42 2019 +0100

    gnttab: set page refcount for copy-on-grant-transfer
    Commit 5cc77f9098 ("32-on-64: Fix domain address-size clamping,
    implement"), which introduced this functionality, took care of clearing
    the old page's PGC_allocated, but failed to set the bit (and install the
    associated reference) on the newly allocated one. Furthermore the "mfn"
    local variable was never updated, and hence the wrong MFN was passed to
    guest_physmap_add_page() (and back to the destination domain) in this
    case, leading to an IOMMU mapping into an unowned page.
    Ideally the code would use assign_pages(), but the call to
    gnttab_prepare_for_transfer() sits in the middle of the actions
    mirroring that function.
    This is XSA-284.
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    master commit: 6d4f36c3fecc0a6a0991716199612c81d909316e
    master date: 2019-03-05 13:45:58 +0100
 xen/common/grant_table.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 231ecf509a..c0585d33f4 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2205,6 +2205,8 @@ gnttab_transfer(
             page->count_info &= ~(PGC_count_mask|PGC_allocated);
             page = new_page;
+            page->count_info = PGC_allocated | 1;
+            mfn = page_to_mfn(page);
generated by git-patchbot for /home/xen/git/xen.git#stable-4.11

Xen-changelog mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.