Returning back truncated frame numbers is unhelpful: Quite likely they're not owned by the domain (if it's PV), or we may misguide the guest into writing grant entries into a page that it actually uses for other purposes.
Signed-off-by: Jan Beulich <[email protected]> --- v2: Drop use of VALID_M2P(). Use "break". Move type change for "frame" here (from earlier patch). --- RFC: Arguably in the 32-bit PV case it may be necessary to instead put in place an explicit address restriction when allocating ->shared_raw[N]. This is currently implicit by alloc_xenheap_page() only returning memory covered by the direct-map. --- unstable.orig/xen/common/compat/grant_table.c 2022-10-10 11:02:21.198223952 +0200 +++ unstable/xen/common/compat/grant_table.c 2022-10-10 10:31:25.000000000 +0200 @@ -176,7 +176,12 @@ int compat_grant_table_op( { \ for ( i = 0; i < (_s_)->nr_frames; ++i ) \ { \ - unsigned int frame = (_s_)->frame_list.p[i]; \ + compat_pfn_t frame = (_s_)->frame_list.p[i]; \ + if ( frame != (_s_)->frame_list.p[i] ) \ + { \ + (_s_)->status = GNTST_address_too_big; \ + break; \ + } \ if ( __copy_to_compat_offset((_d_)->frame_list, \ i, &frame, 1) ) \ { \
