From b8aa60db3dafb2cd1414d3204b53ca0a7a8ef493 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?=
Date: Mon, 27 Feb 2017 15:31:15 +0000
Subject: [PATCH] xen/gntdev: prevent unsynchronized accesses to the map entry

vm_map_lookup_done should only be called when the gntdev has finished poking at the entry.

Reported by: alc
Reviewed by: alc
MFC after: 1 week
Sponsored by: Citrix Systems R&D
---
 sys/dev/xen/gntdev/gntdev.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/sys/dev/xen/gntdev/gntdev.c b/sys/dev/xen/gntdev/gntdev.c
index 432331d37374..964ac1a683aa 100644
--- a/sys/dev/xen/gntdev/gntdev.c
+++ b/sys/dev/xen/gntdev/gntdev.c
@@ -743,26 +743,34 @@ gntdev_get_offset_for_vaddr(struct ioctl_gntdev_get_offset_for_vaddr *arg,
 	vm_prot_t prot;
 	boolean_t wired;
 	struct gntdev_gmap *gmap;
+	int rc;
 	map = &td->td_proc->p_vmspace->vm_map;
 	error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry, &mem,
 	    &pindex, &prot, &wired);
 	if (error != KERN_SUCCESS)
 		return (EINVAL);
-	vm_map_lookup_done(map, entry);
 	if ((mem->type != OBJT_MGTDEVICE) ||
-	    (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops))
-		return (EINVAL);
+	    (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) {
+		rc = EINVAL;
+		goto out;
+	}
 	gmap = mem->handle;
 	if (gmap == NULL ||
-	    (entry->end - entry->start) != (gmap->count * PAGE_SIZE))
-		return (EINVAL);
+	    (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) {
+		rc = EINVAL;
+		goto out;
+	}
 	arg->count = gmap->count;
 	arg->offset = gmap->file_index;
-	return (0);
+	rc = 0;
+
+out:
+	vm_map_lookup_done(map, entry);
+	return (rc);
 }
 /*-------------------- Grant Mapping Pager ----------------------------------*/
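Review bot: The invariant this commit restores — that `entry`, `mem` and the `gmap` reached through `mem->handle` are only safe to dereference while the lookup taken by vm_map_lookup() is still held, because a sibling thread of the same process can unmap the range the moment it is released — is not written down anywhere in the new code, so the next person to add a check after the `out:` label will reintroduce the bug this hunk fixes; a comment on the label such as `/* entry, mem and gmap are valid only until vm_map_lookup_done(); touch nothing after it. */` would pin it. The early `return (EINVAL)` on the `vm_map_lookup()` failure path bypasses `out:` and so never calls vm_map_lookup_done(); that is correct only if vm_map_lookup() releases the map itself on failure, which I believe it does but cannot confirm from this hunk, and a one-line comment stating it, `/* vm_map_lookup() drops the map itself on failure. */`, would make the asymmetry deliberate rather than accidental. Separately, `gmap->count * PAGE_SIZE` is compared against the 64-bit `entry->end - entry->start`; if `count` is a 32-bit type (its declaration is outside this hunk) the product wraps for mappings of 2^20 pages or more and a large, otherwise valid mapping would be rejected with EINVAL, so casting `count` to `vm_size_t` before the multiply, or confirming `count` is bounded at map time, is worth checking. gntdev_get_offset_for_vaddr's signature and earlier locals lie above the hunk.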