This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] xen crash in tmem: checking a xen pfn for domain ownership

To: Keir Fraser <keir.fraser@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxxxx>
Subject: [Xen-devel] xen crash in tmem: checking a xen pfn for domain ownership
From: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
Date: Fri, 17 Sep 2010 09:29:54 -0700 (PDT)
Cc: Xen-devel <Xen-devel@xxxxxxxxxxxxxxxxxxx>
Does the construct:

  xen_pfn_t gpfn;
  p2m_type_t t;
  unsigned long mfn;

  mfn = mfn_x(gfn_to_mfn(current->domain, gpfn, &t));
  if (t != p2m_ram_rw || mfn == INVALID_MFN)
      return NULL; /* bad */
  return map_domain_page(mfn);

somehow check to ensure that pfn belongs to current->domain?
(See cli_mfn_to_va() in common/tmem_xen.c.)

If not, is there an easy way to perform that check?
(preferably one that works for both HVM and PV guests)

In debugging a tmem Linux-side guest patch, I discovered
that a bad mfn passed by the guest can crash Xen and
I think this assumption might be the problem.
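
An added illustration, not part of the original message and not Xen code: a self-contained C model of the question above, showing that a type test plus an `INVALID_MFN` test says nothing about ownership, next to a variant that consults per-frame owner metadata. The frame table, the pass-through behaviour of `lookup()` and every name in the block are assumptions of the model.

```c
/* Toy model, not Xen code: all names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>

#define NR_FRAMES   8u            /* constructed: size of the toy machine */
#define INVALID_MFN (~0ul)

typedef enum { T_INVALID, T_RAM_RW } ptype_t;

/* Constructed per-frame metadata: owning domain id (0 = hypervisor). */
static const uint16_t frame_owner[NR_FRAMES] = { 0, 0, 1, 1, 2, 2, 1, 0 };
static uint8_t frame_data[NR_FRAMES][16];

/* Assumed lookup behaviour: the guest-supplied frame number is passed
 * through unchanged and reported as ordinary RAM, with no ownership test. */
static unsigned long lookup(uint16_t dom, unsigned long gpfn, ptype_t *t)
{
    (void)dom;
    *t = T_RAM_RW;
    return gpfn;
}

/* Mirrors the construct in the message: type and INVALID_MFN tests only.
 * Returns 1 if the frame would be handed on to the mapping call. */
int unchecked_accepts(uint16_t dom, unsigned long gpfn)
{
    ptype_t t;
    unsigned long mfn = lookup(dom, gpfn, &t);
    return !(t != T_RAM_RW || mfn == INVALID_MFN);
}

/* Hardened: range-check the frame, then compare its recorded owner. */
void *checked_map(uint16_t dom, unsigned long gpfn)
{
    ptype_t t;
    unsigned long mfn = lookup(dom, gpfn, &t);
    if (t != T_RAM_RW || mfn == INVALID_MFN)
        return NULL;
    if (mfn >= NR_FRAMES)              /* not a frame that exists */
        return NULL;
    if (frame_owner[mfn] != dom)       /* frame belongs to someone else */
        return NULL;
    return frame_data[mfn];
}
```

In a real hypervisor the ownership test also has to be paired with taking a reference on the frame, so that ownership cannot change between the check and the use of the mapping.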
