svn commit: r314340 - head/sys/dev/xen/gntdev

Roger Pau Monné royger at FreeBSD.org
Mon Feb 27 15:31:16 UTC 2017


Author: royger
Date: Mon Feb 27 15:31:15 2017
New Revision: 314340
URL: https://svnweb.freebsd.org/changeset/base/314340

Log:
  xen/gntdev: prevent unsynchronized accesses to the map entry
  
  vm_map_lookup_done should only be called when the gntdev has finished poking at
  the entry.
  
  Reported by:	alc
  Reviewed by:	alc
  MFC after:	1 week
  Sponsored by:	Citrix Systems R&D

Modified:
  head/sys/dev/xen/gntdev/gntdev.c

Modified: head/sys/dev/xen/gntdev/gntdev.c
==============================================================================
--- head/sys/dev/xen/gntdev/gntdev.c	Mon Feb 27 15:30:27 2017	(r314339)
+++ head/sys/dev/xen/gntdev/gntdev.c	Mon Feb 27 15:31:15 2017	(r314340)
@@ -743,26 +743,34 @@ gntdev_get_offset_for_vaddr(struct ioctl
 	vm_prot_t prot;
 	boolean_t wired;
 	struct gntdev_gmap *gmap;
+	int rc;
 
 	map = &td->td_proc->p_vmspace->vm_map;
 	error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry,
 		    &mem, &pindex, &prot, &wired);
 	if (error != KERN_SUCCESS)
 		return (EINVAL);
-	vm_map_lookup_done(map, entry);
 
 	if ((mem->type != OBJT_MGTDEVICE) ||
-	    (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops))
-		return (EINVAL);
+	    (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) {
+		rc = EINVAL;
+		goto out;
+	}
 
 	gmap = mem->handle;
 	if (gmap == NULL ||
-	    (entry->end - entry->start) != (gmap->count * PAGE_SIZE))
-		return (EINVAL);
+	    (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) {
+		rc = EINVAL;
+		goto out;
+	}
 
 	arg->count = gmap->count;
 	arg->offset = gmap->file_index;
-	return (0);
+	rc = 0;
+
+out:
+	vm_map_lookup_done(map, entry);
+	return (rc);
 }
 
 /*-------------------- Grant Mapping Pager  ----------------------------------*/
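Review bot: The size check `(entry->end - entry->start) != (gmap->count * PAGE_SIZE)` may compute its right-hand side in 32 bits. The declaration of `gmap->count` is outside this hunk, but if it is a 32-bit field the product can wrap before it is compared with the map-entry length, so a very large count could compare equal to a much smaller mapping. Widening the operand removes the doubt, e.g. `(entry->end - entry->start) != ((vm_size_t)gmap->count * PAGE_SIZE)`. Separately, the early `return (EINVAL)` after a failed `vm_map_lookup` bypasses `out:`, which looks intentional; a comment such as `/* lookup failed: no lookup state to release, skip vm_map_lookup_done */` would stop a later edit from routing it through the new label. The function starts above the hunk, so the types of `entry`, `mem` and `error` are inferred from how they are used here.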

