On 15/08/17 14:49, Jan Beulich wrote: > Processing of transitive grants must not use the fast path, or else > reference counting breaks due to the skipped recursive call to > __acquire_grant_for_copy() (its __release_grant_for_copy() > counterpart occurs independent of original pin count). Furthermore > after re-acquiring temporarily dropped locks we need to verify no grant > properties changed if the original pin count was non-zero; checking > just the pin counts is sufficient only for well-behaved guests. As a > result, __release_grant_for_copy() needs to mirror that new behavior. > > Furthermore a __release_grant_for_copy() invocation was missing on the > retry path of __acquire_grant_for_copy(), and gnttab_set_version() also > needs to bail out upon encountering a transitive grant. > > This is part of XSA-226. > > Reported-by: Andrew Cooper <andrew.coop...@citrix.com> > Signed-off-by: Jan Beulich <jbeul...@suse.com>
Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel