[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] compat_mmuext_op - continuation code is wrong

289         err = do_mmuext_op(nat_ops, i | preempt_mask, pdone, foreigndom);

If preempt_mask is set, we immediately hit a pre-emption, then we get:

2003     if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
2004     {
2005         count &= ~MMU_UPDATE_PREEMPTED;
2006         if ( unlikely(!guest_handle_is_null(pdone)) )
2007             (void)copy_from_guest(&done, pdone, 1);
2008     }

But we never initialised the guest's "pdone" at any point. So we can
copy in an uninit stack value into 'done', add 'i' to it, then copy it
back out. On Solaris, we assert that the success count == what we passed
in, so this breaks Solaris 32/64

I'm running on 3.1 with a couple of fixes from unstable to make it work
at all. The below patch works for us but I'm not confident in its
correctness.

regards
john

diff --git a/xen/arch/x86/x86_64/compat/mm.c b/xen/arch/x86/x86_64/compat/mm.c
--- a/xen/arch/x86/x86_64/compat/mm.c
+++ b/xen/arch/x86/x86_64/compat/mm.c
@@ -4,6 +4,7 @@
 #include <xen/multicall.h>
 #include <compat/memory.h>
 #include <compat/xen.h>
+#include <xen/config.h>
 
 int compat_set_gdt(XEN_GUEST_HANDLE(uint) frame_list, unsigned int entries)
 {
@@ -180,6 +181,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
                      unsigned int foreigndom)
 {
     unsigned int i, preempt_mask;
+    unsigned int origcount;
     int rc = 0;
     XEN_GUEST_HANDLE(mmuext_op_t) nat_ops;
 
@@ -191,6 +193,8 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
 
     set_xen_guest_handle(nat_ops, (void 
*)COMPAT_ARG_XLAT_VIRT_START(current->vcpu_id));
 
+    origcount = count;
+
     for ( ; count; count -= i )
     {
         mmuext_op_t *nat_op = nat_ops.p;
@@ -199,6 +203,17 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
 
         if ( hypercall_preempt_check() )
         {
+            /*
+             * If this is the first time around, and we've not
+             * pre-empted before, we must initialise pdone (see start of
+             * do_mmuext_op()).
+             */
+            if (!preempt_mask && origcount == count)
+            {
+                unsigned int zero = 0;
+                (void) copy_to_guest(pdone, &zero, 1);
+            }
+
             rc = hypercall_create_continuation(
                 __HYPERVISOR_mmuext_op, "hihi",
                 cmp_uops, count | MMU_UPDATE_PREEMPTED, pdone, foreigndom);

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.