xen/p2m/m2p/gnttab: do not add failed grant maps to m2p override

The caller will not undo a mapping which failed and therefore the
override will not be removed.

This is especially bad in the case of GNTMAP_contains_pte mapping type
mappings where m2p_add_override will destroy the kernel mapping of the
page.

This was observed via a failure of map_grant_pages in gntdev_mmap (due
to userspace using a bad grant reference), which left the page in
question unmapped (because it was a GNTMAP_contains_pte mapping) which
led to a crash later on.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 9428ced04807..3745a318defc 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -462,6 +462,10 @@ int gnttab_map_refs(struct gnttab_map_grant_ref *map_ops,
                 return ret;
 
         for (i = 0; i < count; i++) {
+                /* Do not add to override if the map failed. */
+                if (map_ops[i].status)
+                        continue;
+
                 /* m2p override only supported for GNTMAP_contains_pte mappings */
                 if (!(map_ops[i].flags & GNTMAP_contains_pte))
                         continue;