usbfront: do not assume sequentially mapped pages

xenhcd_gnttab_map in usbfront-q.c looks up the mfn of the start of the
usb transfer buffer.  But the buffer may span several pages, and the
current code simply increments the obtained mfn.  Needless to say this
is an unwarranted assumption.  It causes large transfers to be
corrupted and/or to overwrite other parts of memory.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/drivers/xen/usbfront/usbfront-q.c b/drivers/xen/usbfront/usbfront-q.c
index 0c5325cc6627e55f4002cb30f4cbf5f3f2049d64..cebc08caa314563346df4a0ad925c2a838ab147a 100644 (file)
--- a/drivers/xen/usbfront/usbfront-q.c
+++ b/drivers/xen/usbfront/usbfront-q.c
@@ -106,12 +106,15 @@ static inline void xenhcd_gnttab_map(struct usbfront_info *info,
        unsigned int bytes;
        int i;
 
-       page = virt_to_page(addr);
-       buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
-       offset = offset_in_page(addr);
        len = length;
 
        for(i = 0;i < nr_pages;i++){
+               BUG_ON(!len);
+
+               page = virt_to_page(addr);
+               buffer_pfn = page_to_phys(page) >> PAGE_SHIFT;
+               offset = offset_in_page(addr);
+
                bytes = PAGE_SIZE - offset;
                if(bytes > len)
                        bytes = len;
@@ -123,9 +126,8 @@ static inline void xenhcd_gnttab_map(struct usbfront_info *info,
                seg[i].offset = (uint16_t)offset;
                seg[i].length = (uint16_t)bytes;
 
-               buffer_pfn++;
+               addr += bytes;
                len -= bytes;
-               offset = 0;
        }
 }