Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 19 Jan 2015 06:51:05 +0000 (UTC)
From:      Neel Natu <neel@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r277359 - head/lib/libvmmapi
Message-ID:  <201501190651.t0J6p5TV032866@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: neel
Date: Mon Jan 19 06:51:04 2015
New Revision: 277359
URL: https://svnweb.freebsd.org/changeset/base/277359

Log:
  Fix a bug in libvmmapi 'vm_copy_setup()' where it would return success even if
  the 'gpa' was in the guest MMIO region. This would manifest as a segmentation
  fault in 'vm_map_copyin()' or 'vm_map_copyout()' because 'vm_map_gpa()' would
  return NULL for this 'gpa'.
  
  Fix this by calling 'vm_map_gpa()' in 'vm_copy_setup' and returning a failure
  if the 'gpa' cannot be mapped. This matches the behavior of 'vm_copy_setup()'
  in vmm.ko.
  
  MFC after:	1 week

Modified:
  head/lib/libvmmapi/vmmapi.c
  head/lib/libvmmapi/vmmapi.h

Modified: head/lib/libvmmapi/vmmapi.c
==============================================================================
--- head/lib/libvmmapi/vmmapi.c	Mon Jan 19 06:13:07 2015	(r277358)
+++ head/lib/libvmmapi/vmmapi.c	Mon Jan 19 06:51:04 2015	(r277359)
@@ -987,6 +987,7 @@ int
 vm_copy_setup(struct vmctx *ctx, int vcpu, struct vm_guest_paging *paging,
     uint64_t gla, size_t len, int prot, struct iovec *iov, int iovcnt)
 {
+	void *va;
 	uint64_t gpa;
 	int error, fault, i, n, off;
 
@@ -1006,7 +1007,11 @@ vm_copy_setup(struct vmctx *ctx, int vcp
 		off = gpa & PAGE_MASK;
 		n = min(len, PAGE_SIZE - off);
 
-		iov->iov_base = (void *)gpa;
+		va = vm_map_gpa(ctx, gpa, n);
+		if (va == NULL)
+			return (-1);
+
+		iov->iov_base = va;
 		iov->iov_len = n;
 		iov++;
 		iovcnt--;
@@ -1018,19 +1023,24 @@ vm_copy_setup(struct vmctx *ctx, int vcp
 }
 
 void
+vm_copy_teardown(struct vmctx *ctx, int vcpu, struct iovec *iov, int iovcnt)
+{
+
+	return;
+}
+
+void
 vm_copyin(struct vmctx *ctx, int vcpu, struct iovec *iov, void *vp, size_t len)
 {
 	const char *src;
 	char *dst;
-	uint64_t gpa;
 	size_t n;
 
 	dst = vp;
 	while (len) {
 		assert(iov->iov_len);
-		gpa = (uint64_t)iov->iov_base;
 		n = min(len, iov->iov_len);
-		src = vm_map_gpa(ctx, gpa, n);
+		src = iov->iov_base;
 		bcopy(src, dst, n);
 
 		iov++;
@@ -1045,15 +1055,13 @@ vm_copyout(struct vmctx *ctx, int vcpu, 
 {
 	const char *src;
 	char *dst;
-	uint64_t gpa;
 	size_t n;
 
 	src = vp;
 	while (len) {
 		assert(iov->iov_len);
-		gpa = (uint64_t)iov->iov_base;
 		n = min(len, iov->iov_len);
-		dst = vm_map_gpa(ctx, gpa, n);
+		dst = iov->iov_base;
 		bcopy(src, dst, n);
 
 		iov++;

Modified: head/lib/libvmmapi/vmmapi.h
==============================================================================
--- head/lib/libvmmapi/vmmapi.h	Mon Jan 19 06:13:07 2015	(r277358)
+++ head/lib/libvmmapi/vmmapi.h	Mon Jan 19 06:51:04 2015	(r277359)
@@ -137,6 +137,8 @@ void	vm_copyin(struct vmctx *ctx, int vc
 	    void *host_dst, size_t len);
 void	vm_copyout(struct vmctx *ctx, int vcpu, const void *host_src,
 	    struct iovec *guest_iov, size_t len);
+void	vm_copy_teardown(struct vmctx *ctx, int vcpu, struct iovec *iov,
+	    int iovcnt);
 
 /* RTC */
 int	vm_rtc_write(struct vmctx *ctx, int offset, uint8_t value);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501190651.t0J6p5TV032866>