From: Roger Pau Monné
Date: Mon, 27 Feb 2017 15:31:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r314340 - head/sys/dev/xen/gntdev

Author: royger
Date: Mon Feb 27 15:31:15 2017
New Revision: 314340
URL: https://svnweb.freebsd.org/changeset/base/314340

Log:
  xen/gntdev: prevent unsynchronized accesses to the map entry

  vm_map_lookup_done should only be called when the gntdev has finished poking
  at the entry.

  Reported by: alc
  Reviewed by: alc
  MFC after: 1 week
  Sponsored by: Citrix Systems R&D

Modified:
  head/sys/dev/xen/gntdev/gntdev.c

Modified: head/sys/dev/xen/gntdev/gntdev.c ============================================================================== --- head/sys/dev/xen/gntdev/gntdev.c Mon Feb 27 15:30:27 2017 (r314339) +++ head/sys/dev/xen/gntdev/gntdev.c Mon Feb 27 15:31:15 2017 (r314340) 
@@ -743,26 +743,34 @@ gntdev_get_offset_for_vaddr(struct ioctl vm_prot_t prot; boolean_t wired; struct gntdev_gmap *gmap; + int rc; map = &td->td_proc->p_vmspace->vm_map; error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry, &mem, &pindex, &prot, &wired); if (error != KERN_SUCCESS) return (EINVAL); - vm_map_lookup_done(map, entry); if ((mem->type != OBJT_MGTDEVICE) || - (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) - return (EINVAL); + (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) { + rc = EINVAL; + goto out; + } gmap = mem->handle; if (gmap == NULL || - (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) - return (EINVAL); + (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) { + rc = EINVAL; + goto out; + } arg->count = gmap->count; arg->offset = gmap->file_index; - return (0); + rc = 0; + +out: + vm_map_lookup_done(map, entry); + return (rc); } /*-------------------- Grant Mapping Pager ----------------------------------*/
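Review bot: the one exit that still bypasses the new `out:` label, the `return (EINVAL)` directly after the failed vm_map_lookup(), is worth a one-line comment saying why it must not be converted to `goto out`: vm_map_lookup_done() is only valid after a successful lookup, and with every other path now funnelled through `out:` a later cleanup could easily "unify" that return and release a lookup that was never acquired. The function also now carries two status variables, `error` for the KERN_* result of vm_map_lookup() and the new `rc` for the errno returned to the caller; that split is reasonable, but `rc` is only assigned on the three paths shown, so either initialise it at declaration or keep the rule that every `goto out` is preceded by an assignment. Last, the hunk makes the reads of `entry->end`, `entry->start` and `mem` happen before vm_map_lookup_done(), which matches the log message, but `gmap = mem->handle` and the reads of `gmap->count` and `gmap->file_index` rely on the gmap staying alive for as long as the lookup is held, and nothing in these lines shows what guarantees that; a short comment naming the lock or reference that pins the gmap would make the synchronization argument complete.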