As is done in gnttab_setup_table(), check the handle once early in the function and use the lighter-weight (for PV) copying function in the loop.
Signed-off-by: Jan Beulich <[email protected]>
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3261,6 +3261,9 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
         return -EFAULT;
     }
 
+    if ( !guest_handle_okay(op.frame_list, op.nr_frames) )
+        return -EFAULT;
+
     d = rcu_lock_domain_by_any_id(op.dom);
     if ( d == NULL )
     {
@@ -3301,7 +3304,7 @@ gnttab_get_status_frames(XEN_GUEST_HANDL
     for ( i = 0; i < op.nr_frames; i++ )
     {
         gmfn = gfn_x(gnttab_status_gfn(d, gt, i));
-        if ( copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
+        if ( __copy_to_guest_offset(op.frame_list, i, &gmfn, 1) )
             op.status = GNTST_bad_virt_addr;
     }
 
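Review bot: The switch to `__copy_to_guest_offset()` in the second hunk is only sound because the loop bound is the same `op.nr_frames` that `guest_handle_okay()` validates in the first hunk, and nothing at the loop records that coupling; a later change that iterates to a different bound (say the table's real frame count) would silently drop the guest range check. A one-line comment above the loop, `/* Range of op.frame_list checked by guest_handle_okay() above; keep the bound op.nr_frames. */`, would pin the invariant where the unchecked copy is made. Separately, the new check runs before the domain is looked up, so an out-of-range handle now returns -EFAULT instead of whatever any later validation of op.nr_frames (not visible in these hunks) would have reported; that seems acceptable but is a small observable change worth a sentence in the description. gnttab_get_status_frames() starts before the first hunk and continues past the second.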
