main/xen/xsa235-4.6.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1073,7 +1073,7 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         else
         {
@@ -1084,14 +1084,21 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         
-        d->arch.grant_table_gpfn[idx] = gpfn;
+        if ( mfn != INVALID_MFN )
+        {
+            d->arch.grant_table_gpfn[idx] = gpfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         write_unlock(&d->grant_table->lock);
+
+        if ( mfn == INVALID_MFN )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )