From: George Dunlap Date: Thu, 22 Jun 2017 07:53:18 +0000 (+0200) Subject: gnttab: remove host map in the event of a grant_map failure X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=95906bf0f0b03a30a5f104b8ca89fa1ac0286f32;p=people%2Froyger%2Fxen.git gnttab: remove host map in the event of a grant_map failure The current code appropriately removes the reference and type counts on failure, but leaves the mapping set up. As the only path which can trigger this is failure from IOMMU manipulation, and as unprivileged domains are being crashed in that case, this is not by itself a security issue. Reported-by: Jan Beulich Signed-off-by: George Dunlap Reviewed-by: Jan Beulich --- diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index d3d8392c52..4316bf15be 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -764,6 +764,7 @@ __gnttab_map_grant_ref( u32 old_pin; u32 act_pin; unsigned int cache_flags, refcnt = 0, typecnt = 0; + bool host_map_created = false; struct active_grant_entry *act = NULL; struct grant_mapping *mt; grant_entry_header_t *shah; @@ -923,6 +924,8 @@ __gnttab_map_grant_ref( cache_flags); if ( rc != GNTST_okay ) goto undo_out; + + host_map_created = true; } } else if ( owner == rd || owner == dom_cow ) @@ -960,6 +963,8 @@ __gnttab_map_grant_ref( rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0); if ( rc != GNTST_okay ) goto undo_out; + + host_map_created = true; } } else @@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref( return; undo_out: + if ( host_map_created ) + { + replace_grant_host_mapping(op->host_addr, frame, 0, op->flags); + gnttab_flush_tlb(ld); + } + while ( typecnt-- ) put_page_type(pg);