6723311 vds accesses imported dring outside of LDC dring acquire/release calls

6724714 ldc_mem_unbind_handle passes invalid page size code to page_get_shift()
author: ha137994 <none@none> 2008-07-30 11:14:19 -0700
committer: ha137994 <none@none> 2008-07-30 11:14:19 -0700
commit: 5b7cb889d5dcadfe96f6a0188f0648131d49d3b3 (patch)
tree: a87e82d407faf8ea116116f1510c82f9e1ce69b7 /usr/src/uts/sun4v
parent: 31632b7349396ed48ad2afad7285d3b22935a30c (diff)
download: illumos-joyent-5b7cb889d5dcadfe96f6a0188f0648131d49d3b3.tar.gz
3 files changed, 17 insertions, 10 deletions
diff --git a/usr/src/uts/sun4v/io/ldc_shm.c b/usr/src/uts/sun4v/io/ldc_shm.c
index 0dc569ae17..0bc67e36f5 100644
--- a/usr/src/uts/sun4v/io/ldc_shm.c
+++ b/usr/src/uts/sun4v/io/ldc_shm.c
@@ -556,8 +556,6 @@ i_ldc_mem_bind_handle(ldc_mem_handle_t mhandle, caddr_t vaddr, size_t len,
 		/* store entry for this page */
 		memseg->pages[i].index = index;
 		memseg->pages[i].raddr = raddr;
-		memseg->pages[i].offset = poffset;
-		memseg->pages[i].size = psize;
 		memseg->pages[i].mte = &(mtbl->table[index]);
 
 		/* create the cookie */
@@ -724,7 +722,7 @@ ldc_mem_unbind_handle(ldc_mem_handle_t mhandle)
 		/* check for mapped pages, revocation cookie != 0 */
 		if (memseg->pages[i].mte->cookie) {
 
-			pg_size_code = page_szc(memseg->pages[i].size);
+			pg_size_code = page_szc(MMU_PAGESIZE);
 			pg_shift = page_get_shift(pg_size_code);
 			cookie_addr = IDX2COOKIE(memseg->pages[i].index,
 			    pg_size_code, pg_shift);
@@ -1430,7 +1428,6 @@ i_ldc_mem_map(ldc_mem_handle_t mhandle, ldc_mem_cookie_t *cookie,
 		/* Save all page and cookie information */
 		for (i = 0, tmpaddr = memseg->vaddr; i < npages; i++) {
 			memseg->pages[i].raddr = va_to_pa(tmpaddr);
-			memseg->pages[i].size = pg_size;
 			tmpaddr += pg_size;
 		}
 
@@ -2035,7 +2032,7 @@ i_ldc_mem_inject_dring_clear(ldc_chan_t *ldcp)
 			/* clear the entry from the table */
 			memseg->pages[i].mte->entry.ll = 0;
 
-			pg_size_code = page_szc(memseg->pages[i].size);
+			pg_size_code = page_szc(MMU_PAGESIZE);
 			pg_shift = page_get_shift(pg_size_code);
 			cookie_addr = IDX2COOKIE(memseg->pages[i].index,
 			    pg_size_code, pg_shift);
diff --git a/usr/src/uts/sun4v/io/vds.c b/usr/src/uts/sun4v/io/vds.c
index 969de0a7d2..8d313f2053 100644
--- a/usr/src/uts/sun4v/io/vds.c
+++ b/usr/src/uts/sun4v/io/vds.c
@@ -4281,8 +4281,6 @@ vd_process_dring_reg_msg(vd_t *vd, vio_msg_t *msg, size_t msglen)
 
 
 	/* Initialize for valid message and mapped dring */
-	PR1("descriptor size = %u, dring length = %u",
-	    vd->descriptor_size, vd->dring_len);
 	vd->initialized |= VD_DRING;
 	vd->dring_ident = 1;	/* "There Can Be Only One" */
 	vd->dring = dring_minfo.vaddr;
@@ -4290,6 +4288,8 @@ vd_process_dring_reg_msg(vd_t *vd, vio_msg_t *msg, size_t msglen)
 	vd->dring_len = reg_msg->num_descriptors;
 	vd->dring_mtype = dring_minfo.mtype;
 	reg_msg->dring_ident = vd->dring_ident;
+	PR1("descriptor size = %u, dring length = %u",
+	    vd->descriptor_size, vd->dring_len);
 
 	/*
 	 * Allocate and initialize a "shadow" array of data structures for
@@ -4300,7 +4300,6 @@ vd_process_dring_reg_msg(vd_t *vd, vio_msg_t *msg, size_t msglen)
 	for (int i = 0; i < vd->dring_len; i++) {
 		vd->dring_task[i].vd		= vd;
 		vd->dring_task[i].index		= i;
-		vd->dring_task[i].request	= &VD_DRING_ELEM(i)->payload;
 
 		status = ldc_mem_alloc_handle(vd->ldc_handle,
 		    &(vd->dring_task[i].mhdl));
@@ -4309,6 +4308,13 @@ vd_process_dring_reg_msg(vd_t *vd, vio_msg_t *msg, size_t msglen)
 			return (ENXIO);
 		}
 
+		/*
+		 * The descriptor payload varies in length. Calculate its
+		 * size by subtracting the header size from the total
+		 * descriptor size.
+		 */
+		vd->dring_task[i].request = kmem_zalloc((vd->descriptor_size -
+		    sizeof (vio_dring_entry_hdr_t)), KM_SLEEP);
 		vd->dring_task[i].msg = kmem_alloc(vd->max_msglen, KM_SLEEP);
 	}
 
@@ -4467,6 +4473,8 @@ vd_process_element(vd_t *vd, vd_task_type_t type, uint32_t idx,
 	ready = (elem->hdr.dstate == VIO_DESC_READY);
 	if (ready) {
 		elem->hdr.dstate = VIO_DESC_ACCEPTED;
+		bcopy(&elem->payload, vd->dring_task[idx].request,
+		    (vd->descriptor_size - sizeof (vio_dring_entry_hdr_t)));
 	} else {
 		PR0("descriptor %u not ready", idx);
 		VD_DUMP_DRING_ELEM(elem);
@@ -6301,6 +6309,10 @@ vd_free_dring_task(vd_t *vdp)
 		/* Free all dring_task memory handles */
 		for (int i = 0; i < vdp->dring_len; i++) {
 			(void) ldc_mem_free_handle(vdp->dring_task[i].mhdl);
+			kmem_free(vdp->dring_task[i].request,
+			    (vdp->descriptor_size -
+			    sizeof (vio_dring_entry_hdr_t)));
+			vdp->dring_task[i].request = NULL;
 			kmem_free(vdp->dring_task[i].msg, vdp->max_msglen);
 			vdp->dring_task[i].msg = NULL;
 		}
diff --git a/usr/src/uts/sun4v/sys/ldc_impl.h b/usr/src/uts/sun4v/sys/ldc_impl.h
index da28695afd..ac027cbbcf 100644
--- a/usr/src/uts/sun4v/sys/ldc_impl.h
+++ b/usr/src/uts/sun4v/sys/ldc_impl.h
@@ -341,8 +341,6 @@ typedef struct ldc_mtbl {
  */
 typedef struct ldc_page {
 	uintptr_t		raddr;		/* Exported page RA */
-	uint64_t		offset;		/* Exported page offset */
-	size_t			size;		/* Exported page size */
 	uint64_t		index;		/* Index in map table */
 	ldc_mte_slot_t		*mte;		/* Map table entry */
 } ldc_page_t;
author	ha137994 <none@none>	2008-07-30 11:14:19 -0700
committer	ha137994 <none@none>	2008-07-30 11:14:19 -0700
commit	5b7cb889d5dcadfe96f6a0188f0648131d49d3b3 (patch)
tree	a87e82d407faf8ea116116f1510c82f9e1ce69b7 /usr/src/uts/sun4v
parent	31632b7349396ed48ad2afad7285d3b22935a30c (diff)
download	illumos-joyent-5b7cb889d5dcadfe96f6a0188f0648131d49d3b3.tar.gz