From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jeremy Fitzhardinge <jeremy@goop.org>
Subject: Re: [PATCH] xen-gntdev: prevent using
 UNMAP_NOTIFY_CLEAR_BYTE on read-only mappings
Date: Wed, 09 Feb 2011 14:22:45 -0800
Message-ID: <4D5313B5.2030200@goop.org>
References: <1296753544-13323-1-git-send-email-dgdegra@tycho.nsa.gov>
	<20110207231416.GA12956@dumpdata.com>
	<4D514FAE.4000709@tycho.nsa.gov>
	<20110208225856.GA9714@dumpdata.com>
	<4D52FA23.5060905@tycho.nsa.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <4D52FA23.5060905@tycho.nsa.gov>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel@lists.xensource.com, Ian.Campbell@citrix.com, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
List-Id: xen-devel@lists.xenproject.org

On 02/09/2011 12:33 PM, Daniel De Graaf wrote:
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
> index 4687cd5..00e4644 100644
> --- a/drivers/xen/gntdev.c
> +++ b/drivers/xen/gntdev.c
> @@ -291,7 +291,7 @@ static int __unmap_grant_pages(struct grant_map *map, int offset, int pages)
>  		if (pgno >= offset && pgno < offset + pages && use_ptemod) {
>  			void __user *tmp;
>  			tmp = map->vma->vm_start + map->notify.addr;
> -			copy_to_user(tmp, &err, 1);
> +			WARN_ON(copy_to_user(tmp, &err, 1));

Please don't put side-effecty predicates in WARN_ON/BUG_ON.

There's no useful report we can return?

    J

>  			map->notify.flags &= ~UNMAP_NOTIFY_CLEAR_BYTE;
>  		} else if (pgno >= offset && pgno < offset + pages) {
>  			uint8_t *tmp = kmap(map->pages[pgno]);
> @@ -596,6 +596,12 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
>  	goto unlock_out;
>  
>   found:
> +	if ((op.action & UNMAP_NOTIFY_CLEAR_BYTE) &&
> +			(op.flags & GNTMAP_readonly)) {
> +		rc = -EINVAL;
> +		goto unlock_out;
> +	}
> +
>  	map->notify.flags = op.action;
>  	map->notify.addr = op.index - (map->index << PAGE_SHIFT);
>  	map->notify.event = op.event_channel_port;
>