
changeset 850:b358ebf1c416

usbfront: do not assume sequentially mapped pages

xenhcd_gnttab_map in usbfront-q.c looks up the mfn of the start of the
usb transfer buffer. But the buffer may span several pages, and the
current code simply increments the obtained mfn. Needless to say this
is an unwarranted assumption. It causes large transfers to be
corrupted and/or to overwrite other parts of memory.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Mar 31 12:01:50 2009 +0100 (2009-03-31)
parents 3a4410c4504e
children 67a7ffcc5067
files drivers/xen/usbfront/usbfront-q.c
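--- a/drivers/xen/usbfront/usbfront-q.c
+++ b/drivers/xen/usbfront/usbfront-q.c
@@ -106,12 +106,15 @@ static inline void xenhcd_gnttab_map(str
 	unsigned int bytes;
 	int i;
 
-	page = virt_to_page(addr);
-	buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
-	offset = offset_in_page(addr);
 	len = length;
 
 	for(i = 0;i < nr_pages;i++){
+		BUG_ON(!len);
+
+		page = virt_to_page(addr);
+		buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
+		offset = offset_in_page(addr);
+
 		bytes = PAGE_SIZE - offset;
 		if(bytes > len)
 			bytes = len;
@@ -123,9 +126,8 @@ static inline void xenhcd_gnttab_map(str
 		seg[i].offset = (uint16_t)offset;
 		seg[i].length = (uint16_t)bytes;
 
-		buffer_pfn++;
+		addr += bytes;
 		len -= bytes;
-		offset = 0;
 	}
 }
 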
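Review bot: The loop is still bounded only by nr_pages, so the new `BUG_ON(!len)` catches a page count larger than the buffer needs but nothing catches the opposite mismatch, where length needs more segments than nr_pages and the tail of the transfer buffer is silently left unmapped; a matching `BUG_ON(len);` after the closing `}` of the for loop would make both directions visible instead of letting a short mapping reach the backend. The per-iteration `virt_to_page(addr)` is only meaningful for addresses inside the kernel's linear mapping, which holds for kmalloc'd USB transfer buffers but not for vmalloc or highmem ones — if the caller can ever hand in such a buffer, that assumption deserves a comment or a check at the top of the function, e.g. `/* addr must be in the linear map: virt_to_page() is used per page */`. Both points depend on how nr_pages and addr are derived by the caller, which this hunk does not show; xenhcd_gnttab_map's signature and the declarations of addr, page and buffer_pfn start before the first hunk.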