Author: royger
Date: Mon Feb 27 15:31:15 2017
New Revision: 314340
URL: https://svnweb.freebsd.org/changeset/base/314340
Log:
xen/gntdev: prevent unsynchronized accesses to the map entry
vm_map_lookup_done should only be called when the gntdev has finished poking
at
the entry.
Reported by: alc
Reviewed by: alc
MFC after: 1 week
Sponsored by: Citrix Systems R&D
Modified:
head/sys/dev/xen/gntdev/gntdev.c
Modified: head/sys/dev/xen/gntdev/gntdev.c
==============================================================================
--- head/sys/dev/xen/gntdev/gntdev.c Mon Feb 27 15:30:27 2017
(r314339)
+++ head/sys/dev/xen/gntdev/gntdev.c Mon Feb 27 15:31:15 2017
(r314340)
@@ -743,26 +743,34 @@ gntdev_get_offset_for_vaddr(struct ioctl
vm_prot_t prot;
boolean_t wired;
struct gntdev_gmap *gmap;
+ int rc;
map = &td->td_proc->p_vmspace->vm_map;
error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry,
&mem, &pindex, &prot, &wired);
if (error != KERN_SUCCESS)
return (EINVAL);
- vm_map_lookup_done(map, entry);
if ((mem->type != OBJT_MGTDEVICE) ||
- (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops))
- return (EINVAL);
+ (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) {
+ rc = EINVAL;
+ goto out;
+ }
gmap = mem->handle;
if (gmap == NULL ||
- (entry->end - entry->start) != (gmap->count * PAGE_SIZE))
- return (EINVAL);
+ (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) {
+ rc = EINVAL;
+ goto out;
+ }
arg->count = gmap->count;
arg->offset = gmap->file_index;
- return (0);
+ rc = 0;
+
+out:
+ vm_map_lookup_done(map, entry);
+ return (rc);
}
/*-------------------- Grant Mapping Pager
----------------------------------*/
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
