From 59546c1897a90fe9af5ebbbb05ead8d98b4d17b9 Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Wed, 23 Aug 2017 17:45:45 +0200
Subject: [PATCH] arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs") introduced error paths not releasing the grant table lock. Replace them by a suitable check after the lock was dropped. This is XSA-235.
Reported-by: Wei Liu
Signed-off-by: Jan Beulich
Reviewed-by: Julien Grall
---
 xen/arch/arm/mm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index a810a056d7..b39677eac9 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1240,8 +1240,6 @@ int xenmem_add_to_physmap_one(
 idx &= ~XENMAPIDX_grant_table_status;
 if ( idx < nr_status_frames(d->grant_table) )
 mfn = virt_to_mfn(d->grant_table->status[idx]);
- else
- return -EINVAL;
 }
 else
 {
@@ -1251,15 +1249,20 @@ int xenmem_add_to_physmap_one(
 if ( idx < nr_grant_frames(d->grant_table) )
 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
- else
- return -EINVAL;
 }
- d->arch.grant_table_gfn[idx] = gfn;
+ if ( !mfn_eq(mfn, INVALID_MFN) )
+ {
+ d->arch.grant_table_gfn[idx] = gfn;
- t = p2m_ram_rw;
+ t = p2m_ram_rw;
+ }
 grant_write_unlock(d->grant_table);
+
+ if ( mfn_eq(mfn, INVALID_MFN) )
+ return -EINVAL;
+
 break;
 case XENMAPSPACE_shared_info:
 if ( idx != 0 )
--
2.30.2
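Review bot: The two `mfn_eq(mfn, INVALID_MFN)` tests in the grant-table case are only correct if `mfn` still holds `INVALID_MFN` when neither bounds check assigned it, and that initialisation lies outside this hunk, so it should be confirmed and stated next to the tests. A comment above the first test, for example `/* mfn is still INVALID_MFN if idx was out of range; fail only after the unlock below */`, would also record why no `return` may sit between taking the grant lock and `grant_write_unlock()`, which is the mistake this commit repairs. The store to `d->arch.grant_table_gfn[idx]` is reached from both the status-frame and the shared-frame branch; whether that array is sized for both index ranges cannot be seen from here and is worth checking. The body of `xenmem_add_to_physmap_one()` starts and ends outside the hunk.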