gnttab: remove host map in the event of a grant_map failure
authorGeorge Dunlap <george.dunlap@citrix.com>
Thu, 22 Jun 2017 07:53:18 +0000 (09:53 +0200)
committerJan Beulich <jbeulich@suse.com>
Thu, 22 Jun 2017 07:53:18 +0000 (09:53 +0200)
The current code appropriately removes the reference and type counts
on failure, but leaves the mapping set up. As the only path which can
trigger this is failure from IOMMU manipulation, and as unprivileged
domains are being crashed in that case, this is not by itself a
security issue.

Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/common/grant_table.c

index d3d8392c525e2c9f45b30dd644a843d424294553..4316bf15bea8dd4416da8d6c1520e5d5c966ea93 100644 (file)
@@ -764,6 +764,7 @@ __gnttab_map_grant_ref(
     u32            old_pin;
     u32            act_pin;
     unsigned int   cache_flags, refcnt = 0, typecnt = 0;
+    bool           host_map_created = false;
     struct active_grant_entry *act = NULL;
     struct grant_mapping *mt;
     grant_entry_header_t *shah;
@@ -923,6 +924,8 @@ __gnttab_map_grant_ref(
                                            cache_flags);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else if ( owner == rd || owner == dom_cow )
@@ -960,6 +963,8 @@ __gnttab_map_grant_ref(
             rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else
@@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref(
     return;
 
  undo_out:
+    if ( host_map_created )
+    {
+        replace_grant_host_mapping(op->host_addr, frame, 0, op->flags);
+        gnttab_flush_tlb(ld);
+    }
+
     while ( typecnt-- )
         put_page_type(pg);
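Review bot: The result of `replace_grant_host_mapping()` in the new `undo_out` block is discarded, so if the teardown itself fails, the type and reference counts below are still dropped while the mapping stays in place, which is the state this change sets out to eliminate. Assuming it returns a GNTST_* status as `create_grant_host_mapping()` does, keep the original `rc` for the caller and at least report the second failure, e.g. `if ( replace_grant_host_mapping(op->host_addr, frame, 0, op->flags) != GNTST_okay )` followed by a warning log line. A short comment such as `/* Remove the mapping and flush the TLB before the page references are released. */` would also record why this block has to precede the `put_page_type()` loop. The rest of the undo path lies outside the hunk.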