[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [PATCH] xen-gntdev: prevent using UNMAP_NOTIFY_CLEAR_BYTE on read-only mappings



On 02/09/2011 05:22 PM, Jeremy Fitzhardinge wrote:
> On 02/09/2011 12:33 PM, Daniel De Graaf wrote:
>> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>>
>> diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
>> index 4687cd5..00e4644 100644
>> --- a/drivers/xen/gntdev.c
>> +++ b/drivers/xen/gntdev.c
>> @@ -291,7 +291,7 @@ static int __unmap_grant_pages(struct grant_map *map, 
>> int offset, int pages)
>>              if (pgno >= offset && pgno < offset + pages && use_ptemod) {
>>                      void __user *tmp;
>>                      tmp = map->vma->vm_start + map->notify.addr;
>> -                    copy_to_user(tmp, &err, 1);
>> +                    WARN_ON(copy_to_user(tmp, &err, 1));
> 
> Please don't put side-effecty predicates in WARN_ON/BUG_ON.
> 
> There's no useful report we can return?
> 
>     J

This code is called when the application may be crashing or exiting, so
there is not guaranteed to be a return path to the program. The change
in the second part of this patch should prevent the copy_to_user from failing.

Placing the call inside WARN_ON is clearly a bad idea. Will resend a more sane
version of this patch with a comment explaining why we don't return.

> 
>>                      map->notify.flags &= ~UNMAP_NOTIFY_CLEAR_BYTE;
>>              } else if (pgno >= offset && pgno < offset + pages) {
>>                      uint8_t *tmp = kmap(map->pages[pgno]);
>> @@ -596,6 +596,12 @@ static long gntdev_ioctl_notify(struct gntdev_priv 
>> *priv, void __user *u)
>>      goto unlock_out;
>>  
>>   found:
>> +    if ((op.action & UNMAP_NOTIFY_CLEAR_BYTE) &&
>> +                    (op.flags & GNTMAP_readonly)) {
>> +            rc = -EINVAL;
>> +            goto unlock_out;
>> +    }
>> +
>>      map->notify.flags = op.action;
>>      map->notify.addr = op.index - (map->index << PAGE_SHIFT);
>>      map->notify.event = op.event_channel_port;
>>
> 


-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.