[XEN] gnttab: Initialise maptrack->flags

__gnttab_unmap_grant_ref verifies the validity of the handle by
checking it against maptrack_limit and making sure that the flags
field at the given handle is non-zero.

This means that the flags of an unused handle should be zero in
order to prevent unused handles from getting past this check.

However, we don't seem to set it to zero to begin with when we
allocate the maptrack table.  This could potentially lead to the
corruption of the other domain's internal state, and/or the hypervisor's
internal state.

This patch makes sure that it is zeroed.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index be393d0dcb1f88702d1b4848e7f79a644429a0fd..e2eac58487e14c25b6dd7d951be1a4994a786d2a 100644 (file)
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -156,7 +156,10 @@ __gnttab_map_grant_ref(
 
         memcpy(new_mt, lgt->maptrack, PAGE_SIZE << lgt->maptrack_order);
         for ( i = lgt->maptrack_limit; i < (lgt->maptrack_limit << 1); i++ )
+        {
             new_mt[i].ref = i+1;
+            new_mt[i].flags = 0;
+        }
 
         free_xenheap_pages(lgt->maptrack, lgt->maptrack_order);
         lgt->maptrack          = new_mt;