From 2bdf72b25a8f02929e8397c3f1eb14e34ca21a2b Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Thu, 6 Dec 2007 11:24:02 +0000
Subject: [PATCH] [XEN, 32on64]: Correct continuation translation for large compat_mmuext hypercalls.

At the point where we translate the continuation "nat_ops" points to the beginning of the batch of "i" entries, therefore it must be incremented by the number of entries processed "i - left". At the same point "cmp_uops" points to the end of the batch of entries and must therefore be decremented by "left". The new count value has already been set by do_mmuext_op to "left" and therefore it is correct to add "count - i" since that is the number of entries that remain after this batch.

Signed-off-by: Ian Campbell
---
 xen/arch/x86/x86_64/compat/mm.c | 5 ++---
 xen/include/asm-x86/guest_access.h | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/x86_64/compat/mm.c b/xen/arch/x86/x86_64/compat/mm.c
index 6fc1206c5f..14a5f3001f 100644
--- a/xen/arch/x86/x86_64/compat/mm.c
+++ b/xen/arch/x86/x86_64/compat/mm.c
@@ -298,9 +298,8 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mmuext_op_compat_t) cmp_uops,
 BUG_ON(left == arg1);
 BUG_ON(left > count);
- guest_handle_add_offset(nat_ops, count - left);
- BUG_ON(left + i < count);
- guest_handle_add_offset(cmp_uops, (signed int)(count - left - i));
+ guest_handle_add_offset(nat_ops, i - left);
+ guest_handle_subtract_offset(cmp_uops, left);
 left = 1;
 BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops, cmp_uops));
 BUG_ON(left != arg1);
diff --git a/xen/include/asm-x86/guest_access.h b/xen/include/asm-x86/guest_access.h
index f95a4d1694..75f1f3097d 100644
--- a/xen/include/asm-x86/guest_access.h
+++ b/xen/include/asm-x86/guest_access.h
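Review bot: The rewritten offset adjustment on the two `+` lines relies on `left <= i` (the unprocessed entries must belong to this batch of `i`), but nothing in the hunk asserts that now that `BUG_ON(left + i < count)` is gone; only `BUG_ON(left > count)` remains. If `i` and `left` are unsigned, which their declarations outside the hunk would confirm, an `i < left` case would make `i - left` wrap and `guest_handle_add_offset` would move `nat_ops` far past the array before it is handed to `hypercall_xlat_continuation`. Add `BUG_ON(left > i);` immediately before the `guest_handle_add_offset(nat_ops, i - left);` line so the invariant the commit message states is checked at the same point as the existing ones. The body of `compat_mmuext_op` continues outside the hunk on both sides.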
@@ -17,6 +17,7 @@
 /* Offset the given guest handle into the array it refers to. */
 #define guest_handle_add_offset(hnd, nr) ((hnd).p += (nr))
+#define guest_handle_subtract_offset(hnd, nr) ((hnd).p -= (nr))
 /* Cast a guest handle to the specified type of handle. */
 #define guest_handle_cast(hnd, type) ({ \
--
2.30.2
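Review bot: The new `guest_handle_subtract_offset` macro has no comment, while its sibling `guest_handle_add_offset` directly above it does; mirror that style with `/* Offset the given guest handle backwards within the array it refers to. */` on the line before the `#define`. Since the macro expands to raw pointer arithmetic on `(hnd).p`, that comment should also state that `nr` must not exceed the handle's current offset into the array, because moving the pointer before the array's start is undefined behaviour and the macro itself performs no check; each caller is responsible for that bound.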