From b04f83b64abef181836e224f707d00b6776bf43c Mon Sep 17 00:00:00 2001 From: "sos22@labyrinth.cl.cam.ac.uk" Date: Wed, 9 Jul 2003 12:40:18 +0000 Subject: [PATCH] bitkeeper revision 1.318 (3f0c0d32X6-3AFhzwevHsWBPIyJBTg) Make sure that the page table updates pointed to by the pgt_update_arr parameter of the DOPGUPDATES ioctl really are direct mapped. It would also be valid to pin them in memory with mlock, but it's too much effort to check that as well. --- .../arch/xeno/drivers/dom0/dom0_core.c | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/xenolinux-2.4.21-sparse/arch/xeno/drivers/dom0/dom0_core.c b/xenolinux-2.4.21-sparse/arch/xeno/drivers/dom0/dom0_core.c index b2d3c8d057..32e6e39901 100644 --- a/xenolinux-2.4.21-sparse/arch/xeno/drivers/dom0/dom0_core.c +++ b/xenolinux-2.4.21-sparse/arch/xeno/drivers/dom0/dom0_core.c @@ -50,6 +50,7 @@ static struct proc_dir_entry *dom_list_intf; int direct_unmap(struct mm_struct *, unsigned long, unsigned long); unsigned long direct_mmap(unsigned long phys_addr, unsigned long size, pgprot_t prot, int flag, int tot_pages); +struct list_head * find_direct(struct list_head *, unsigned long); static ssize_t dom_usage_read(struct file * file, char * buff, size_t size, loff_t * off) { @@ -350,15 +351,25 @@ static int handle_dom0_cmd_unmapdommem(unsigned long data) static int handle_dom0_cmd_dopgupdates(unsigned long data) { - struct dom0_dopgupdates_args argbuf; - - if (copy_from_user(&argbuf, (void *)data, sizeof(argbuf))) - return -EFAULT; - - /* argbuf.pgt_update_arr had better be direct mapped... */ - /* XXX check this */ - return HYPERVISOR_pt_update((void *)argbuf.pgt_update_arr, - argbuf.num_pgt_updates); + struct dom0_dopgupdates_args argbuf; + struct list_head *entry; + direct_mmap_node_t *node; + + if (copy_from_user(&argbuf, (void *)data, sizeof(argbuf))) + return -EFAULT; + + /* argbuf.pgt_update_arr had better be direct mapped... */ + entry = find_direct(¤t->mm->context.direct_list, + argbuf.pgt_update_arr); + if (entry == ¤t->mm->context.direct_list) + return -EINVAL; + node = list_entry(entry, direct_mmap_node_t, list); + if (node->vm_start > argbuf.pgt_update_arr || + node->vm_end <= argbuf.pgt_update_arr * sizeof(page_update_request_t)) + return -EINVAL; + + return HYPERVISOR_pt_update((void *)argbuf.pgt_update_arr, + argbuf.num_pgt_updates); } static int dom0_cmd_ioctl(struct inode *inode, struct file *file, -- 2.30.2