On Fri, Feb 15, 2019 at 08:18:31AM +0530, Souptick Joarder wrote:
> Convert to use vm_map_pages() to map range of kernel
> memory to user vma.
>
> map->count is passed to vm_map_pages() and internal API
> verify map->count against count ( count = vma_pages(vma))
> for page array boundary overrun condition.

This commit breaks gntdev driver. If vma->vm_pgoff > 0, vm_map_pages
will:
 - use map->pages starting at vma->vm_pgoff instead of 0
 - verify map->count against vma_pages()+vma->vm_pgoff instead of just
   vma_pages().

In practice, this breaks using a single gntdev FD for mapping multiple
grants.

It looks like vm_map_pages() is not a good fit for this code and IMO it
should be reverted.

> Signed-off-by: Souptick Joarder
> Reviewed-by: Boris Ostrovsky
> ---
>  drivers/xen/gntdev.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
> index 5efc5ee..5d64262 100644
> --- a/drivers/xen/gntdev.c
> +++ b/drivers/xen/gntdev.c
> @@ -1084,7 +1084,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
>         int index = vma->vm_pgoff;
>         int count = vma_pages(vma);
>         struct gntdev_grant_map *map;
> -       int i, err = -EINVAL;
> +       int err = -EINVAL;
>
>         if ((vma->vm_flags & VM_WRITE) && !(vma->vm_flags & VM_SHARED))
>                 return -EINVAL;
> @@ -1145,12 +1145,9 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
>                 goto out_put_map;
>
>         if (!use_ptemod) {
> -               for (i = 0; i < count; i++) {
> -                       err = vm_insert_page(vma, vma->vm_start + i*PAGE_SIZE,
> -                               map->pages[i]);
> -                       if (err)
> -                               goto out_put_map;
> -               }
> +               err = vm_map_pages(vma, map->pages, map->count);
> +               if (err)
> +                       goto out_put_map;
>         } else {
>  #ifdef CONFIG_X86
>                 /*

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
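Review bot: in the first hunk (@@ -1084), dropping `i` is fine, but `count` stays declared while the second hunk removes its only use visible in this patch (the `for (i = 0; i < count; i++)` loop); confirm `count` is still referenced elsewhere in gntdev_mmap(), otherwise it becomes an unused variable and the value the vma actually covers is no longer what gets passed to the mapping call.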
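Review bot: in the second hunk (@@ -1145), the line `+ err = vm_map_pages(vma, map->pages, map->count);` changes which pages are mapped whenever vma->vm_pgoff is non-zero. The removed loop always mapped map->pages[0..count) at vma->vm_start, independent of vm_pgoff, whereas vm_map_pages() treats vma->vm_pgoff as an offset into the page array, so it starts at map->pages[vma->vm_pgoff] and checks map->count against vma_pages() + vma->vm_pgoff rather than against vma_pages() alone as the commit message claims. The first hunk shows `int index = vma->vm_pgoff;` being used as a lookup index for the grant map, not as an offset into map->pages, so any mapping with index > 0 on the same FD now gets the wrong pages or is rejected. Either restore the explicit vm_insert_page() loop or use a mapping helper that does not apply vm_pgoff, and fix the commit message to describe the check that is actually performed.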