Message-ID: <761ea48b0806100640o746cd40fk832540e414e4c9dd@mail.gmail.com>
Date: Tue, 10 Jun 2008 15:40:55 +0200
From: "Laurent Desnogues"
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [4710] Prevent guest reusing host memory allocations.
In-Reply-To: <761ea48b0806091019y5fc22d27k15e7b316705633ff@mail.gmail.com>
References: <761ea48b0806091019y5fc22d27k15e7b316705633ff@mail.gmail.com>

On Mon, Jun 9, 2008 at 7:19 PM, Laurent Desnogues wrote:
> On Mon, Jun 9, 2008 at 3:47 PM, Paul Brook wrote:
>> Modified: trunk/exec.c
>> ===================================================================
>> --- trunk/exec.c 2008-06-09 12:10:22 UTC (rev 4709)
>> +++ trunk/exec.c 2008-06-09 13:47:45 UTC (rev 4710)
>> @@ -263,13 +263,33 @@
> [...]
>> +#if defined(CONFIG_USER_ONLY)
>> + unsigned long addr;
>> + size_t len = sizeof(PageDesc) * L2_SIZE;
>> + /* Don't use qemu_malloc because it may recurse. */
>> + p = mmap(0, len, PROT_READ | PROT_WRITE,
>> + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
>> *lp = p;
>> + addr = h2g(p);
>> + if (addr == (target_ulong)addr) {
>> + page_set_flags(addr & TARGET_PAGE_MASK,
>> + TARGET_PAGE_ALIGN(addr + len),
>> + PAGE_RESERVED);
>> + }
>
> I don't understand what the test is supposed to do, to me it looks
> like it can't fail since we have:
>
> #define h2g(x) ((target_ulong)(x - GUEST_BASE))
>
> Did I miss something?

I guess addr = h2g(p); should be replaced with addr = (unsigned long)p;

BTW this makes me think that perhaps GUEST_BASE should be used here and,
if that's true, in some other places as well (qemu_vmalloc for instance).

These are all *wild guesses* from someone who doesn't fully understand
qemu...

Laurent
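Review bot: the guard `if (addr == (target_ulong)addr)` in the exec.c hunk can never be false as written, because `h2g()` already casts its result to `target_ulong` before it is stored in `unsigned long addr`; any truncation has happened by the time the comparison runs, so casting again is the identity and the "does this host mapping fit in the guest address space" check is silently disabled. To make the check meaningful, compare the untruncated value, e.g. `addr = (unsigned long)p;` as suggested in the reply, or, if GUEST_BASE is in play, range-check `p - GUEST_BASE` before it is narrowed to `target_ulong`. Separately, `p = mmap(...)` is not checked against `MAP_FAILED` before `*lp = p;` and the `page_set_flags()` call, so a failed allocation would store an invalid page-descriptor pointer and mark a bogus range as `PAGE_RESERVED`; a failure check (abort or error return) belongs right after the mmap call.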