On 29/11/17 14:23, Jann Horn wrote:
> gnttab_setup_table() has the following code:
>
> =============================================
> static long
> gnttab_setup_table(
>     XEN_GUEST_HANDLE_PARAM(gnttab_setup_table_t) uop, unsigned int count)
> {
>     struct gnttab_setup_table op;
>     struct domain *d;
>     struct grant_table *gt;
>     int i;
>     xen_pfn_t gmfn;
>
>     [...]
>
>     d = rcu_lock_domain_by_any_id(op.dom);
>     if ( d == NULL )
>     {
>         gdprintk(XENLOG_INFO, "Bad domid %d.\n", op.dom);
>         op.status = GNTST_bad_domain;
>         goto out2;
>     }
>
>     [...]
>
>  out2:
>     rcu_unlock_domain(d);
>  out1:
>     if ( unlikely(__copy_field_to_guest(uop, &op, status)) )
>         return -EFAULT;
>
>     return 0;
> }
> =============================================
> <snip>
>
> This results in the following crash in a debug build of Xen 4.9.1:
Thanks for the report.

This was fixed in master by
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=5e436e7a45082ea2cadc176c19e1df46c178448f
but it looks like it's not been backported to older releases.

Jan: Thoughts?  This isn't a security issue, but it would be better if the
stable trees had fewer asserts which could be hit.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
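The error-path mistake in the quoted gnttab_setup_table() snippet, as an added C example that is neither Xen's code nor the contents of the linked commit: when rcu_lock_domain_by_any_id() fails, the code jumps to out2, so rcu_unlock_domain() runs on a NULL pointer. The domain table, the lock_domain_by_id()/unlock_domain() helpers, the refcount and the status values below are toy stand-ins with hypothetical names; the "fixed" variant assumes the change of jumping to out1 instead, which is the natural shape of the fix for this pattern but is an assumption, not something this page states.

```c
/* Added example, not Xen's code. Models the goto-label mistake in the
 * quoted gnttab_setup_table() error path with toy helpers (hypothetical
 * names): a failed lookup must skip the unlock, not run it on NULL. */
#include <stddef.h>
#include <stdio.h>

#define GNTST_okay        0
#define GNTST_bad_domain (-2)   /* value chosen for the example, not taken from the page */

struct domain {
    int domid;
    int rcu_refs;   /* toy stand-in for the RCU read-side hold */
};

/* Constructed domain table for the example: only domids 0 and 7 exist. */
static struct domain domains[] = { { 0, 0 }, { 7, 0 } };

/* Toy rcu_lock_domain_by_any_id(): NULL for an unknown domid, otherwise
 * takes a reference and returns the domain. */
static struct domain *lock_domain_by_id(int domid)
{
    for (size_t i = 0; i < sizeof(domains) / sizeof(domains[0]); i++) {
        if (domains[i].domid == domid) {
            domains[i].rcu_refs++;
            return &domains[i];
        }
    }
    return NULL;
}

/* Toy rcu_unlock_domain(): the real one dereferences d, so a NULL argument
 * is a crash (an ASSERT in a debug build). Here it is counted instead so
 * the bad call can be observed without aborting. */
static int null_unlocks;

static void unlock_domain(struct domain *d)
{
    if (d == NULL) {
        null_unlocks++;
        return;
    }
    d->rcu_refs--;
}

/* Same shape as the quoted code: the failed lookup jumps to out2, which
 * unconditionally unlocks d even though d is NULL. */
int setup_table_buggy(int domid)
{
    int status = GNTST_okay;
    struct domain *d = lock_domain_by_id(domid);

    if (d == NULL) {
        status = GNTST_bad_domain;
        goto out2;          /* wrong label: out2 unlocks a NULL domain */
    }
    /* ... table setup would go here ... */
out2:
    unlock_domain(d);
    return status;
}

/* Assumed fix: nothing is locked when the lookup fails, so jump past the
 * unlock to the label that only reports status. */
int setup_table_fixed(int domid)
{
    int status = GNTST_okay;
    struct domain *d = lock_domain_by_id(domid);

    if (d == NULL) {
        status = GNTST_bad_domain;
        goto out1;          /* no reference held yet, so skip out2 */
    }
    /* ... table setup would go here ... */
out2:
    unlock_domain(d);
out1:
    return status;
}

/* Observability helpers for the reader and the checks below. */
int null_unlock_count(void) { return null_unlocks; }

int domain_refs(int domid)
{
    for (size_t i = 0; i < sizeof(domains) / sizeof(domains[0]); i++)
        if (domains[i].domid == domid)
            return domains[i].rcu_refs;
    return -1;
}

int main(void)
{
    printf("fixed, domid 7:  status %d, refs left %d\n",
           setup_table_fixed(7), domain_refs(7));
    printf("fixed, domid 99: status %d, NULL unlocks %d\n",
           setup_table_fixed(99), null_unlock_count());
    printf("buggy, domid 99: status %d, NULL unlocks %d\n",
           setup_table_buggy(99), null_unlock_count());
    return 0;
}
```

The point to check when reviewing an error path like this is simply which resources are held at the moment of the `goto`: a label that releases something must only be reachable from code that acquired it. In the toy run, the fixed variant reports GNTST_bad_domain for an unknown domid without ever calling unlock on NULL and leaves no reference behind on success, while the buggy variant reports the same status but has already made the bad call.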