| commit | b260cdec21aad153d2114b6452fddb3c6e43b393 | |
| author | David Gibson <david@gibson.dropbear.id.au> | |
| Thu, 14 Feb 2019 04:39:13 +0000 (14 15:39 +1100) | ||
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | |
| Tue, 30 Jul 2019 17:33:37 +0000 (30 12:33 -0500) | ||
| tree | 092d05367fa87fffd655e1838ac6ddc34927c61e | treesnapshot (tar.gz zip) |
| parent | 7a31a0af31220617b628184044d8b94f07dafc31 | commitdiff |
virtio-balloon: Corrections to address verification
The virtio-balloon device's verification of the address given to it by the
guest has a number of faults:
* The addresses here are guest physical addresses, which should be
'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
pretty subtle and confusing)
* We don't check for section.mr being NULL, which is the main way that
memory_region_find() reports basic failures. We really need to check
that before looking at any other section fields, because
memory_region_find() doesn't initialize them on the failure path
* We're passing a length of '1' to memory_region_find(), but really the
guest is requesting that we put the entire page into the balloon,
so it makes more sense to call it with BALLOON_PAGE_SIZE
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20190214043916.22128-3-david@gibson.dropbear.id.au>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit b218a70e6ae882f52cc339ae965f515a36a9139f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The virtio-balloon device's verification of the address given to it by the
guest has a number of faults:
* The addresses here are guest physical addresses, which should be
'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
pretty subtle and confusing)
* We don't check for section.mr being NULL, which is the main way that
memory_region_find() reports basic failures. We really need to check
that before looking at any other section fields, because
memory_region_find() doesn't initialize them on the failure path
* We're passing a length of '1' to memory_region_find(), but really the
guest is requesting that we put the entire page into the balloon,
so it makes more sense to call it with BALLOON_PAGE_SIZE
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20190214043916.22128-3-david@gibson.dropbear.id.au>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit b218a70e6ae882f52cc339ae965f515a36a9139f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| hw/virtio/virtio-balloon.c | diffblobblamehistory |