The contents of the output arrays are undefined in both cases anyway when the operation itself gets marked as failed. There's no value in trying to continue after a guest memory access failure.
Signed-off-by: Jan Beulich <jbeul...@suse.com>
---
There's also a curious difference between the two sub-ops wrt the use of SHARED_M2P().
--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -170,17 +170,14 @@ int compat_grant_table_op(unsigned int c
 if ( rc == 0 )
 {
 #define XLAT_gnttab_setup_table_HNDL_frame_list(_d_, _s_) \
- do \
- { \
- if ( (_s_)->status == GNTST_okay ) \
+ do { \
+ for ( i = 0; (_s_)->status == GNTST_okay && \
+ i < (_s_)->nr_frames; ++i ) \
 { \
- for ( i = 0; i < (_s_)->nr_frames; ++i ) \
- { \
- unsigned int frame = (_s_)->frame_list.p[i]; \
- if ( __copy_to_compat_offset((_d_)->frame_list, \
- i, &frame, 1) ) \
- (_s_)->status = GNTST_bad_virt_addr; \
- } \
+ compat_pfn_t frame = (_s_)->frame_list.p[i]; \
+ if ( __copy_to_compat_offset((_d_)->frame_list, \
+ i, &frame, 1) ) \
+ (_s_)->status = GNTST_bad_virt_addr; \
 } \
 } while (0)
 XLAT_gnttab_setup_table(&cmp.setup, nat.setup);
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2103,7 +2103,10 @@ gnttab_setup_table(
 BUG_ON(SHARED_M2P(gmfn));
 
 if ( __copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
+ {
 op.status = GNTST_bad_virt_addr;
+ break;
+ }
 }
 
 unlock:
@@ -3289,17 +3292,15 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
 "status frames, but has only %u\n",
 d->domain_id, op.nr_frames, nr_status_frames(gt));
 op.status = GNTST_general_error;
- goto unlock;
 }
 
- for ( i = 0; i < op.nr_frames; i++ )
+ for ( i = 0; op.status == GNTST_okay && i < op.nr_frames; i++ )
 {
 gmfn = gfn_x(gnttab_status_gfn(d, gt, i));
 if ( __copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
 op.status = GNTST_bad_virt_addr;
 }
 
- unlock:
 grant_read_unlock(gt);
 out2:
 rcu_unlock_domain(d);
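Review bot: The change of `frame` from `unsigned int` to `compat_pfn_t` in the XLAT_gnttab_setup_table_HNDL_frame_list() macro is a separate correction from the early exit the description talks about and deserves a sentence in the commit message, since it alters the object `__copy_to_compat_offset()` copies one element of; presumably `compat_pfn_t` is the element type behind the compat `frame_list` handle so the sizes now agree, but that should be confirmed. Folding the status check into the `for` condition is fine, though a one-line comment above it would help readers expecting the old `if`, e.g. `/* Stop at the first failed copy; the frame list is undefined once status != GNTST_okay. */`. The macro still relies on an `i` declared by the enclosing function, which is pre-existing and outside the hunk.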
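Review bot: The new `break` after the failed `__copy_to_guest_offset()` in gnttab_setup_table() records the error in `op.status` but gives no hint why leaving `frame_list` partially filled is acceptable; a short comment on that line, e.g. `/* Output contents are undefined once status != GNTST_okay; stop touching guest memory. */`, would carry the rationale from the commit message into the code. This site exits with `break` while the other two copy loops in the patch gate their `for` condition on the status being `GNTST_okay`; the `for` header here is outside the hunk, but if it is as simple as the others, using the same guard form would make the three loops read alike. gnttab_setup_table() starts and ends outside the hunk.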
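Review bot: With `goto unlock` removed, the nr_frames error path that sets `op.status = GNTST_general_error` now falls through to the `for` loop and relies on the `op.status == GNTST_okay` guard in the loop condition to skip it; that is correct but easy to miss when reading, so a comment above the loop such as `/* Nothing to do if an earlier check already failed; status is reported to the guest below. */` would help. Removing the `unlock:` label is only safe if no other `goto unlock` remains earlier in gnttab_get_status_frames(), which the compiler will confirm but the hunk cannot show. The start of the function and the handling after `out2:` lie outside the hunk.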