
Re: [Xen-devel] [BUG] incorrect goto in gnttab_setup_table overdecrements the preemption counter



On 29/11/17 14:34, Jann Horn wrote:
> On Wed, Nov 29, 2017 at 3:32 PM, Andrew Cooper
> <andrew.cooper3@xxxxxxxxxx> wrote:
>> On 29/11/17 14:23, Jann Horn wrote:
>>> gnttab_setup_table() has the following code:
>>>
>>> =============================================
>>> static long
>>> gnttab_setup_table(
>>>     XEN_GUEST_HANDLE_PARAM(gnttab_setup_table_t) uop, unsigned int count)
>>> {
>>>     struct gnttab_setup_table op;
>>>     struct domain *d;
>>>     struct grant_table *gt;
>>>     int            i;
>>>     xen_pfn_t  gmfn;
>>>
>>>     [...]
>>>
>>>     d = rcu_lock_domain_by_any_id(op.dom);
>>>     if ( d == NULL )
>>>     {
>>>         gdprintk(XENLOG_INFO, "Bad domid %d.\n", op.dom);
>>>         op.status = GNTST_bad_domain;
>>>         goto out2;
>>>     }
>>>
>>>     [...]
>>>  out2:
>>>     rcu_unlock_domain(d);
>>>  out1:
>>>     if ( unlikely(__copy_field_to_guest(uop, &op, status)) )
>>>         return -EFAULT;
>>>
>>>     return 0;
>>> }
>>> =============================================
>>> <snip>
>>>
>>> This results in the following crash in a debug build of Xen 4.9.1:
>> Thanks for the report.
>>
>> This was fixed in master by
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=5e436e7a45082ea2cadc176c19e1df46c178448f
>> but it looks like it's not been backported to older releases.
> Urgh. I guess I really ought to fuzz master, not releases.

Actually, at this point it would be particularly helpful, as we are just
coming up to the 4.10 release.

The staging branch is slightly ahead of master at the moment (pending
completion of tests), and contains the fixes for the XSAs released
yesterday.

~Andrew
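
Added example, not part of the thread and not Xen code: a toy C model of the control flow in the quoted function, showing how the `goto out2` on the failed lookup leaves the counter at -1, next to a variant that skips the unlock. The `model_*` helpers, the domid values and the counter semantics (only a successful lookup raises the counter) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* Toy model, not Xen code. Assumption: a successful lookup raises the
 * preemption counter, a failed one leaves it alone, and unlock always
 * lowers it. All model_* names and the domid values are hypothetical. */
static int preempt_count;
static struct domain { int id; } known = { 1 };

static struct domain *model_lock_domain(int domid)
{
    if (domid != known.id)
        return NULL;              /* nothing locked on failure */
    preempt_count++;
    return &known;
}
static void model_unlock_domain(struct domain *d)
{
    (void)d;
    preempt_count--;
}
/* Control flow of the quoted function: the NULL case jumps to out2. */
static void setup_table_quoted(int domid)
{
    struct domain *d = model_lock_domain(domid);
    if (d == NULL)
        goto out2;
    /* [...] grant table work elided, as in the post */
 out2:
    model_unlock_domain(d);       /* runs even though no lock is held */
}
/* Balanced variant (assumed shape): the NULL case skips the unlock. */
static void setup_table_balanced(int domid)
{
    struct domain *d = model_lock_domain(domid);
    if (d == NULL)
        goto out1;
    model_unlock_domain(d);
 out1: return;
}
/* Counter value after one call starting from zero; 0 means balanced. */
static int counter_after(void (*fn)(int), int domid)
{
    preempt_count = 0;
    fn(domid);
    return preempt_count;
}
int main(void)
{
    printf("quoted: %d, balanced: %d\n", counter_after(setup_table_quoted, 99),
           counter_after(setup_table_balanced, 99));
    return 0;
}
```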
