From 95906bf0f0b03a30a5f104b8ca89fa1ac0286f32 Mon Sep 17 00:00:00 2001
From: George Dunlap
Date: Thu, 22 Jun 2017 09:53:18 +0200
Subject: [PATCH] gnttab: remove host map in the event of a grant_map failure
The current code appropriately removes the reference and type counts on failure, but leaves the mapping set up. As the only path which can trigger this is failure from IOMMU manipulation, and as unprivileged domains are being crashed in that case, this is not by itself a security issue.
Reported-by: Jan Beulich
Signed-off-by: George Dunlap
Reviewed-by: Jan Beulich
---
 xen/common/grant_table.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index d3d8392c52..4316bf15be 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -764,6 +764,7 @@ __gnttab_map_grant_ref(
 u32 old_pin;
 u32 act_pin;
 unsigned int cache_flags, refcnt = 0, typecnt = 0;
+ bool host_map_created = false;
 struct active_grant_entry *act = NULL;
 struct grant_mapping *mt;
 grant_entry_header_t *shah;
@@ -923,6 +924,8 @@ __gnttab_map_grant_ref(
 cache_flags);
 if ( rc != GNTST_okay )
 goto undo_out;
+
+ host_map_created = true;
 }
 }
 else if ( owner == rd || owner == dom_cow )
@@ -960,6 +963,8 @@ __gnttab_map_grant_ref(
 rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0);
 if ( rc != GNTST_okay )
 goto undo_out;
+
+ host_map_created = true;
 }
 }
 else
@@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref(
 return;
 undo_out:
+ if ( host_map_created )
+ {
+ replace_grant_host_mapping(op->host_addr, frame, 0, op->flags);
+ gnttab_flush_tlb(ld);
+ }
+
 while ( typecnt-- )
 put_page_type(pg);
-- 
2.30.2
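Review bot: The return value of `replace_grant_host_mapping()` on the new `undo_out:` path is discarded, so if the teardown does not take effect the code still falls through to the `put_page_type()` loop below and drops the counts backing a mapping the guest may still be able to reach — the very state this patch sets out to eliminate. Whether that helper can fail for a mapping this function created moments earlier is not visible here; if it cannot, a comment saying so would spare the next reader the question, e.g. `/* Cannot fail: the mapping was created above and no refs have been dropped yet. */`. If it can, the failure should at least be made loud rather than silent, and without clobbering the `rc` that is about to be returned: `if ( replace_grant_host_mapping(op->host_addr, frame, 0, op->flags) != GNTST_okay )` followed by `domain_crash(ld);` (or a `gdprintk()` warning), which is consistent with the description's statement that unprivileged domains are already crashed on this path. `__gnttab_map_grant_ref()` begins and ends outside the hunk, so the unwind steps after `put_page_type()` are not shown.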