|
 |
12be10b |
From: Jan Beulich <jbeulich@suse.com>
|
|
|
12be10b |
Subject: gnttab: set page refcount for copy-on-grant-transfer
|
|
|
12be10b |
|
|
|
12be10b |
Commit 5cc77f9098 ("32-on-64: Fix domain address-size clamping,
|
|
|
12be10b |
implement"), which introduced this functionality, took care of clearing
|
|
|
12be10b |
the old page's PGC_allocated, but failed to set the bit (and install the
|
|
|
12be10b |
associated reference) on the newly allocated one. Furthermore the "mfn"
|
|
|
12be10b |
local variable was never updated, and hence the wrong MFN was passed to
|
|
|
12be10b |
guest_physmap_add_page() (and back to the destination domain) in this
|
|
|
12be10b |
case, leading to an IOMMU mapping into an unowned page.
|
|
|
12be10b |
|
|
|
12be10b |
Ideally the code would use assign_pages(), but the call to
|
|
|
12be10b |
gnttab_prepare_for_transfer() sits in the middle of the actions
|
|
|
12be10b |
mirroring that function.
|
|
|
12be10b |
|
|
|
12be10b |
This is XSA-284.
|
|
|
12be10b |
|
|
|
12be10b |
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
12be10b |
Acked-by: George Dunlap <george.dunlap@citrix.com>
|
|
|
12be10b |
|
|
|
12be10b |
--- a/xen/common/grant_table.c
|
|
|
12be10b |
+++ b/xen/common/grant_table.c
|
|
|
12be10b |
@@ -2183,6 +2183,8 @@ gnttab_transfer(
|
|
|
12be10b |
page->count_info &= ~(PGC_count_mask|PGC_allocated);
|
|
|
12be10b |
free_domheap_page(page);
|
|
|
12be10b |
page = new_page;
|
|
|
12be10b |
+ page->count_info = PGC_allocated | 1;
|
|
|
12be10b |
+ mfn = page_to_mfn(page);
|
|
|
12be10b |
}
|
|
|
12be10b |
|
|
|
12be10b |
spin_lock(&e->page_alloc_lock);
|