From: Jan Beulich Date: Tue, 12 Mar 2019 13:39:46 +0000 (+0100) Subject: x86/HVM: don't crash guest in hvmemul_find_mmio_cache() X-Git-Tag: archive/raspbian/4.14.0+80-gd101b417b7-1+rpi1^2~63^2~2500 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a43c1dec246bdee484e6a3de001cc6850a107abe;p=xen.git x86/HVM: don't crash guest in hvmemul_find_mmio_cache() Commit 35a61c05ea ("x86emul: adjust handling of AVX2 gathers") builds upon the fact that the domain will actually survive running out of MMIO result buffer space. Drop the domain_crash() invocation. Also delay incrementing of the usage counter, such that the function can't possibly use/return an out-of-bounds slot/pointer in case execution subsequently makes it into the function again without a prior reset of state. Signed-off-by: Jan Beulich Reviewed-by: Paul Durrant --- diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 2d02ef1521..754baf68d5 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -966,12 +966,11 @@ static struct hvm_mmio_cache *hvmemul_find_mmio_cache( return cache; } - i = vio->mmio_cache_count++; + i = vio->mmio_cache_count; if( i == ARRAY_SIZE(vio->mmio_cache) ) - { - domain_crash(current->domain); return NULL; - } + + ++vio->mmio_cache_count; cache = &vio->mmio_cache[i]; memset(cache, 0, sizeof (*cache));
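Review bot: With domain_crash() dropped from the `if( i == ARRAY_SIZE(vio->mmio_cache) )` path, a NULL return from hvmemul_find_mmio_cache() is now a recoverable condition rather than a prelude to tearing down the domain, so every caller must treat NULL as "no slot available" and fail the emulation cleanly instead of dereferencing it; none of the callers are visible in this hunk, so that should be confirmed before merging. The reordering itself is sound: moving `++vio->mmio_cache_count;` below the check means the counter can no longer reach ARRAY_SIZE + 1 after a failed lookup, which is what previously allowed a later call (without an intervening state reset) to compute an out-of-bounds `&vio->mmio_cache[i]`. A `>=` comparison instead of `==` would make the check robust against any other path that bumps the counter, at no cost.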