03ecfa81e7
Discovered we needed to augment a previous security patch with two additional patches to complete a clean fix. OBS-URL: https://build.opensuse.org/request/show/517094 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=353
85 lines
3.4 KiB
Diff
85 lines
3.4 KiB
Diff
From 9ca38f9940fd21f0a24f5a5bfac69f81561096f9 Mon Sep 17 00:00:00 2001
|
|
From: Anthony PERARD <anthony.perard@citrix.com>
|
|
Date: Wed, 26 Jul 2017 17:53:26 +0100
|
|
Subject: [PATCH] exec: Add lock parameter to qemu_ram_ptr_length
|
|
|
|
Commit 04bf2526ce87f21b32c9acba1c5518708c243ad0 (exec: use
|
|
qemu_ram_ptr_length to access guest ram) start using qemu_ram_ptr_length
|
|
instead of qemu_map_ram_ptr, but when used with Xen, the behavior of
|
|
both function is different. They both call xen_map_cache, but one with
|
|
"lock", meaning the mapping of guest memory is never released
|
|
implicitly, and the second one without, which means, mapping can be
|
|
release later, when needed.
|
|
|
|
In the context of address_space_{read,write}_continue, the ptr to those
|
|
mapping should not be locked because it is used immediatly and never
|
|
used again.
|
|
|
|
The lock parameter make it explicit in which context qemu_ram_ptr_length
|
|
is called.
|
|
|
|
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
|
|
Message-Id: <20170726165326.10327-1-anthony.perard@citrix.com>
|
|
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit f5aa69bdc3418773f26747ca282c291519626ece)
|
|
[BR: infrastructure for BSC#1048902]
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
exec.c | 12 ++++++------
|
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/exec.c b/exec.c
|
|
index 8f45b902e4..9ef33e4f65 100644
|
|
--- a/exec.c
|
|
+++ b/exec.c
|
|
@@ -2026,7 +2026,7 @@ void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr)
|
|
* Called within RCU critical section.
|
|
*/
|
|
static void *qemu_ram_ptr_length(RAMBlock *ram_block, ram_addr_t addr,
|
|
- hwaddr *size)
|
|
+ hwaddr *size, bool lock)
|
|
{
|
|
RAMBlock *block = ram_block;
|
|
if (*size == 0) {
|
|
@@ -2045,10 +2045,10 @@ static void *qemu_ram_ptr_length(RAMBlock *ram_block, ram_addr_t addr,
|
|
* In that case just map the requested area.
|
|
*/
|
|
if (block->offset == 0) {
|
|
- return xen_map_cache(addr, *size, 1, true);
|
|
+ return xen_map_cache(addr, *size, lock, lock);
|
|
}
|
|
|
|
- block->host = xen_map_cache(block->offset, block->max_length, 1, true);
|
|
+ block->host = xen_map_cache(block->offset, block->max_length, 1, lock);
|
|
}
|
|
|
|
return ramblock_ptr(block, addr);
|
|
@@ -2767,7 +2767,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
|
|
}
|
|
} else {
|
|
/* RAM case */
|
|
- ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
|
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
|
|
memcpy(ptr, buf, l);
|
|
invalidate_and_set_dirty(mr, addr1, l);
|
|
}
|
|
@@ -2858,7 +2858,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
|
|
}
|
|
} else {
|
|
/* RAM case */
|
|
- ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
|
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
|
|
memcpy(buf, ptr, l);
|
|
}
|
|
|
|
@@ -3169,7 +3169,7 @@ void *address_space_map(AddressSpace *as,
|
|
|
|
memory_region_ref(mr);
|
|
*plen = address_space_extend_translation(as, addr, len, mr, xlat, l, is_write);
|
|
- ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen);
|
|
+ ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
|
|
rcu_read_unlock();
|
|
|
|
return ptr;
|