[PATCH 6/9] gnttab: check handle early in gnttab_get_status_frames()

Jan Beulich posted 9 patches 4 years, 5 months ago
Posted by Jan Beulich 4 years, 5 months ago
Like done in gnttab_setup_table(), check the handle once early in the
function and use the lighter-weight (for PV) copying function in the
loop.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3261,6 +3261,9 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
         return -EFAULT;
     }
 
+    if ( !guest_handle_okay(op.frame_list, op.nr_frames) )
+        return -EFAULT;
+
     d = rcu_lock_domain_by_any_id(op.dom);
     if ( d == NULL )
     {
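Review bot: the new early check changes what a PV guest sees for an inaccessible frame_list: the function now returns -EFAULT from the hypercall itself, before the domain is even looked up and before op.status is ever written back, whereas previously the loop further down would have run and reported GNTST_bad_virt_addr through op.status. That is consistent with gnttab_setup_table(), which the commit message cites as the model, but it is a guest-visible difference in error reporting for this sub-op and deserves a sentence in the description. Note also that the check consumes the guest-supplied op.nr_frames before any bound on it is applied, so it relies entirely on guest_handle_okay() coping with arbitrary counts rather than on the later size validation.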
@@ -3301,7 +3304,7 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
     for ( i = 0; i < op.nr_frames; i++ )
     {
         gmfn = gfn_x(gnttab_status_gfn(d, gt, i));
-        if ( copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
+        if ( __copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
             op.status = GNTST_bad_virt_addr;
     }
 
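Review bot: with the range validated up front, a failing __copy_to_guest_offset() in this loop can only be a page-level fault on a buffer already known to be in range, yet the loop still carries on issuing every remaining copy into the same buffer and just re-assigns the same GNTST_bad_virt_addr to op.status each time. A break right after setting the status would avoid up to nr_frames - i - 1 further faulting attempts; the behaviour is pre-existing, but since this hunk already touches the copy it would be a natural one-line addition here, or a follow-up.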


Re: [PATCH 6/9] gnttab: check handle early in gnttab_get_status_frames()
Posted by Julien Grall 4 years, 5 months ago
Hi Jan,

On 26/08/2021 11:13, Jan Beulich wrote:
> Like done in gnttab_setup_table(), check the handle once early in the
> function and use the lighter-weight (for PV) copying function in the
> loop.
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

> 
> --- a/xen/common/grant_table.c
> +++ b/xen/common/grant_table.c
> @@ -3261,6 +3261,9 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
>           return -EFAULT;
>       }
>   
> +    if ( !guest_handle_okay(op.frame_list, op.nr_frames) )
> +        return -EFAULT;
> +
>       d = rcu_lock_domain_by_any_id(op.dom);
>       if ( d == NULL )
>       {
> @@ -3301,7 +3304,7 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
>       for ( i = 0; i < op.nr_frames; i++ )
>       {
>           gmfn = gfn_x(gnttab_status_gfn(d, gt, i));
> -        if ( copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
> +        if ( __copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
>               op.status = GNTST_bad_virt_addr;
>       }
>   
> 

-- 
Julien Grall