>>> On 11.02.19 at 18:46, <[email protected]> wrote:
> @@ -948,6 +951,11 @@ static inline void p2m_entry_modify(struct p2m_domain 
> *p2m, p2m_type_t nt,
>          p2m->ioreq.entry_count++;
>          break;
>  
> +    case p2m_map_foreign:
> +        BUG_ON(!mfn_valid(nfn) ||
> +               !page_get_owner_and_reference(mfn_to_page(nfn)));
> +        break;
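Review bot: the BUG_ON() in the new `case p2m_map_foreign:` block folds two different conditions into one fatal check, and the second of them is not an invariant: `page_get_owner_and_reference(mfn_to_page(nfn))` can legitimately fail at runtime (the reply below names refcount overflow and the page having been ballooned out by its owner), so this hunk turns a recoverable condition into a hypervisor crash reachable from a guest's normal foreign-mapping path. Keep `BUG_ON(!mfn_valid(nfn))` if that really is an invariant at this point, but treat a failed reference acquisition as an error; since p2m_entry_modify() has no error return here, the reference should be taken (and its failure reported) by the caller that still has a return path, rather than asserted on in this low layer.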

Asserting that the passed in MFN is valid is fine. Asserting that a
reference can be got is not, as this sets us up for a DoS in case
of a refcount overflow, or the page having got ballooned out by
its owner. That is, the issue of you folding the two original calls
into one is wider than just the two distinct error codes getting lost
that were previously produced - you can't (currently) report up
any error from this low layer. (And I'm sorry, I should have noticed
this on v1 already.)

Jan



_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel
