xen/gntdev: prevent unsynchronized accesses to the map entry

vm_map_lookup_done should only be called when the gntdev has finished poking at
the entry.

Reported by:	alc
Reviewed by:	alc
MFC after:	1 week
Sponsored by:	Citrix Systems R&D
This commit is contained in:
royger 2017-02-27 15:31:15 +00:00
parent 0f1f4af770
commit 3217345841

View File

@ -743,26 +743,34 @@ gntdev_get_offset_for_vaddr(struct ioctl_gntdev_get_offset_for_vaddr *arg,
vm_prot_t prot; vm_prot_t prot;
boolean_t wired; boolean_t wired;
struct gntdev_gmap *gmap; struct gntdev_gmap *gmap;
int rc;
map = &td->td_proc->p_vmspace->vm_map; map = &td->td_proc->p_vmspace->vm_map;
error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry, error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry,
&mem, &pindex, &prot, &wired); &mem, &pindex, &prot, &wired);
if (error != KERN_SUCCESS) if (error != KERN_SUCCESS)
return (EINVAL); return (EINVAL);
vm_map_lookup_done(map, entry);
if ((mem->type != OBJT_MGTDEVICE) || if ((mem->type != OBJT_MGTDEVICE) ||
(mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) {
return (EINVAL); rc = EINVAL;
goto out;
}
gmap = mem->handle; gmap = mem->handle;
if (gmap == NULL || if (gmap == NULL ||
(entry->end - entry->start) != (gmap->count * PAGE_SIZE)) (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) {
return (EINVAL); rc = EINVAL;
goto out;
}
arg->count = gmap->count; arg->count = gmap->count;
arg->offset = gmap->file_index; arg->offset = gmap->file_index;
return (0); rc = 0;
out:
vm_map_lookup_done(map, entry);
return (rc);
} }
/*-------------------- Grant Mapping Pager ----------------------------------*/ /*-------------------- Grant Mapping Pager ----------------------------------*/