[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.8] gnttab: set page refcount for copy-on-grant-transfer
commit b9b0c46ac4740bde3b82363a5663d8ae5bf78547 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Mar 5 15:40:27 2019 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Mar 5 15:40:27 2019 +0100 gnttab: set page refcount for copy-on-grant-transfer Commit 5cc77f9098 ("32-on-64: Fix domain address-size clamping, implement"), which introduced this functionality, took care of clearing the old page's PGC_allocated, but failed to set the bit (and install the associated reference) on the newly allocated one. Furthermore the "mfn" local variable was never updated, and hence the wrong MFN was passed to guest_physmap_add_page() (and back to the destination domain) in this case, leading to an IOMMU mapping into an unowned page. Ideally the code would use assign_pages(), but the call to gnttab_prepare_for_transfer() sits in the middle of the actions mirroring that function. This is XSA-284. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: George Dunlap <george.dunlap@xxxxxxxxxx> master commit: 6d4f36c3fecc0a6a0991716199612c81d909316e master date: 2019-03-05 13:45:58 +0100 --- xen/common/grant_table.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index a8987c0865..27cce176a3 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -2011,6 +2011,8 @@ gnttab_transfer( page->count_info &= ~(PGC_count_mask|PGC_allocated); free_domheap_page(page); page = new_page; + page->count_info = PGC_allocated | 1; + mfn = page_to_mfn(page); } spin_lock(&e->page_alloc_lock); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.8 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |