From 5b7f356ae7c34055bed79439b65c2b5bccd38ef0 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: May 19 2020 18:10:34 +0000
Subject: update to xen-4.13.1
---
diff --git a/.gitignore b/.gitignore
index 65b3a89..c542b51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz
 pciutils-2.2.9.tar.bz2
 zlib-1.2.3.tar.gz
 polarssl-1.1.4-gpl.tgz
-/xen-4.13.0.tar.gz
+/xen-4.13.1.tar.gz
diff --git a/sources b/sources
index 5f3458b..0fe92bd 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ SHA512 (newlib-1.16.0.tar.gz) = 40eb96bbc6736a16b6399e0cdb73e853d0d90b685c967e77
 SHA512 (zlib-1.2.3.tar.gz) = 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e
 SHA512 (polarssl-1.1.4-gpl.tgz) = 88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad
 SHA512 (pciutils-2.2.9.tar.bz2) = 2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5
-SHA512 (xen-4.13.0.tar.gz) = 5b2ded9a2fe3f7ddf40eed1fa9858baead06233a01eb6099cc45b3c78b6c3823acfe7b731910733e87125dfa49d08c53f74c215fb1b320a92b44b87a0a105225
+SHA512 (xen-4.13.1.tar.gz) = b56d20704155d98d803496cba83eb928e0f986a750831cd5600fc88d0ae772fe1456571654375054043d2da8daca255cc98385ebf08b1b1a75ecf7f4b7a0ee90
diff --git a/xen.pygrubfix.patch b/xen.pygrubfix.patch
deleted file mode 100644
index ffcd74e..0000000
--- a/xen.pygrubfix.patch
+++ /dev/null
@@ -1,72 +0,0 @@ ---- xen-4.13.0/tools/python/xen/lowlevel/xc/xc.c.orig 2019-12-17 14:23:09.000000000 +0000 -+++ xen-4.13.0/tools/python/xen/lowlevel/xc/xc.c 2020-03-15 21:58:58.073272499 +0000 -@@ -2106,7 +2106,7 @@ - - { "gnttab_hvm_seed", - (PyCFunction)pyxc_gnttab_hvm_seed, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Initialise HVM guest grant table.\n" - " dom [int]: Identifier of domain to build into.\n" - " console_gmfn [int]: \n" -@@ -2175,7 +2175,7 @@ - - { "sched_credit_domain_set", - (PyCFunction)pyxc_sched_credit_domain_set, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Set the scheduling parameters for a domain when running with the\n" - "SMP credit scheduler.\n" - " domid [int]: domain id to set\n" -@@ -2193,7 +2193,7 @@ - - { "sched_credit2_domain_set", - (PyCFunction)pyxc_sched_credit2_domain_set, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Set the scheduling parameters for a domain when running with the\n" - "SMP credit2 scheduler.\n" - " domid [int]: domain id to set\n" -@@ -2491,14 +2491,14 @@ - - { "flask_context_to_sid", - (PyCFunction)pyflask_context_to_sid, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Convert a context string to a dynamic SID.\n" - " context [str]: String specifying context to be converted\n" - "Returns: [int]: Numeric SID on success; -1 on error.\n" }, - - { "flask_sid_to_context", - (PyCFunction)pyflask_sid_to_context, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Convert a dynamic SID to context string.\n" - " context [int]: SID to be converted\n" - "Returns: [str]: Numeric SID on success; -1 on error.\n" }, -@@ -2505,7 +2505,7 @@ - - { "flask_load", - (PyCFunction)pyflask_load, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Loads a policy into the hypervisor.\n" - " policy [str]: policy to be load\n" - "Returns: [int]: 0 on success; -1 on failure.\n" }, -@@ -2518,14 +2518,14 @@ - - { "flask_setenforce", - 
(PyCFunction)pyflask_setenforce, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Modifies the current mode for the Flask XSM module.\n" - " mode [int]: mode to change to\n" - "Returns: [int]: 0 on success; -1 on failure.\n" }, - - { "flask_access", - (PyCFunction)pyflask_access, -- METH_KEYWORDS, "\n" -+ METH_VARARGS | METH_KEYWORDS, "\n" - "Returns whether a source context has access to target context based on \ - class and permissions requested.\n" - " scon [str]: source context\n" diff --git a/xen.spec b/xen.spec index 5e25c78..6cb93b6 100644 --- a/xen.spec +++ b/xen.spec @@ -57,8 +57,8 @@ Summary: Xen is a virtual machine monitor Name: xen -Version: 4.13.0 -Release: 8%{?dist} +Version: 4.13.1 +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz @@ -112,15 +112,8 @@ Patch39: qemu.trad.CVE-2017-9330.patch Patch40: xen.drop.brctl.patch Patch41: xen.python.env.patch Patch42: xen.gcc9.fixes.patch -Patch43: xsa312.patch Patch44: xen.ocaml.4.10.patch Patch45: xen.gcc10.fixes.patch -Patch46: xen.pygrubfix.patch -Patch47: xsa313-1.patch -Patch48: xsa313-2.patch -Patch49: xsa314-4.13.patch -Patch50: xsa316-xen.patch -Patch51: xsa318.patch %if %build_qemutrad @@ -325,15 +318,8 @@ manage Xen virtual machines. %patch40 -p1 %patch41 -p1 %patch42 -p1 -%patch43 -p1 %patch44 -p1 %patch45 -p1 -%patch46 -p1 -%patch47 -p1 -%patch48 -p1 -%patch49 -p1 -%patch50 -p1 -%patch51 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional @@ -921,6 +907,10 @@ fi %endif %changelog +* Tue May 19 2020 Michael Young - 4.13.1-1 +- update to 4.13.1 + remove patches now included or superceded upstream + * Tue May 05 2020 Michael Young - 4.13.0-8 - build aarch64 hypervisor with -mno-outline-atomics to fix gcc 10 build diff --git a/xsa312.patch b/xsa312.patch deleted file mode 100644 index ae3fa40..0000000 --- a/xsa312.patch +++ /dev/null 
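Review bot: The new %changelog entry in xen.spec does not name the security patches this commit stops applying. The Patch43 and Patch46–Patch51 lines, and their matching %patch lines, removed in the two earlier xen.spec hunks carried the XSA-312, XSA-313, XSA-314, XSA-316 and XSA-318 fixes. Listing them keeps the package history auditable for anyone checking whether an advisory is still covered by this build, for example `remove patches now included or superceded upstream (xsa312, xsa313-1, xsa313-2, xsa314-4.13, xsa316-xen, xsa318, xen.pygrubfix)`. Whether each fix is present in the 4.13.1 tarball cannot be seen from this diff, so it is worth confirming against the upstream release before the local copies are dropped.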
@@ -1,93 +0,0 @@ -From 9f807cf84a9a7a011cf1df7895c54d6031a7596d Mon Sep 17 00:00:00 2001 -From: Julien Grall -Date: Thu, 19 Dec 2019 08:12:21 +0000 -Subject: [PATCH] xen/arm: Place a speculation barrier sequence following an - eret instruction - -Some CPUs can speculate past an ERET instruction and potentially perform -speculative accesses to memory before processing the exception return. -Since the register state is often controlled by lower privilege level -at the point of an ERET, this could potentially be used as part of a -side-channel attack. - -Newer CPUs may implement a new SB barrier instruction which acts -as an architected speculation barrier. For current CPUs, the sequence -DSB; ISB is known to prevent speculation. - -The latter sequence is heavier than SB but it would never be executed -(this is speculation after all!). - -Introduce a new macro 'sb' that could be used when a speculation barrier -is required. For now it is using dsb; isb but this could easily be -updated to cater SB in the future. - -This is XSA-312. 
- -Signed-off-by: Julien Grall ---- - xen/arch/arm/arm32/entry.S | 1 + - xen/arch/arm/arm64/entry.S | 3 +++ - xen/include/asm-arm/macros.h | 9 +++++++++ - 3 files changed, 13 insertions(+) - -diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S -index 31ccfb2631..b228d44b19 100644 ---- a/xen/arch/arm/arm32/entry.S -+++ b/xen/arch/arm/arm32/entry.S -@@ -426,6 +426,7 @@ return_to_hypervisor: - add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */ - clrex - eret -+ sb - - /* - * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next) -diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S -index d35855af96..175ea2981e 100644 ---- a/xen/arch/arm/arm64/entry.S -+++ b/xen/arch/arm/arm64/entry.S -@@ -354,6 +354,7 @@ guest_sync: - */ - mov x1, xzr - eret -+ sb - - check_wa2: - /* ARM_SMCCC_ARCH_WORKAROUND_2 handling */ -@@ -393,6 +394,7 @@ wa2_end: - #endif /* !CONFIG_ARM_SSBD */ - mov x0, xzr - eret -+ sb - guest_sync_slowpath: - /* - * x0/x1 may have been scratch by the fast path above, so avoid -@@ -457,6 +459,7 @@ return_from_trap: - ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */ - - eret -+ sb - - /* - * Consume pending SError generated by the guest if any. -diff --git a/xen/include/asm-arm/macros.h b/xen/include/asm-arm/macros.h -index 91ea3505e4..4833671f4c 100644 ---- a/xen/include/asm-arm/macros.h -+++ b/xen/include/asm-arm/macros.h -@@ -20,4 +20,13 @@ - .endr - .endm - -+ /* -+ * Speculative barrier -+ * XXX: Add support for the 'sb' instruction -+ */ -+ .macro sb -+ dsb nsh -+ isb -+ .endm -+ - #endif /* __ASM_ARM_MACROS_H */ --- -2.17.1 - diff --git a/xsa313-1.patch b/xsa313-1.patch deleted file mode 100644 index 95fde7e..0000000 --- a/xsa313-1.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From: Jan Beulich -Subject: xenoprof: clear buffer intended to be shared with guests - -alloc_xenheap_pages() making use of MEMF_no_scrub is fine for Xen -internally used allocations, but buffers allocated to be shared with -(unpriviliged) guests need to be zapped of their prior content. - -This is part of XSA-313. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Reviewed-by: Wei Liu - ---- a/xen/common/xenoprof.c -+++ b/xen/common/xenoprof.c -@@ -253,6 +253,9 @@ static int alloc_xenoprof_struct( - return -ENOMEM; - } - -+ for ( i = 0; i < npages; ++i ) -+ clear_page(d->xenoprof->rawbuf + i * PAGE_SIZE); -+ - d->xenoprof->npages = npages; - d->xenoprof->nbuf = nvcpu; - d->xenoprof->bufsize = bufsize; diff --git a/xsa313-2.patch b/xsa313-2.patch deleted file mode 100644 index d81b823..0000000 --- a/xsa313-2.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From: Jan Beulich -Subject: xenoprof: limit consumption of shared buffer data - -Since a shared buffer can be written to by the guest, we may only read -the head and tail pointers from there (all other fields should only ever -be written to). Furthermore, for any particular operation the two values -must be read exactly once, with both checks and consumption happening -with the thus read values. (The backtrace related xenoprof_buf_space() -use in xenoprof_log_event() is an exception: The values used there get -re-checked by every subsequent xenoprof_add_sample().) - -Since that code needed touching, also fix the double increment of the -lost samples count in case the backtrace related xenoprof_add_sample() -invocation in xenoprof_log_event() fails. - -Where code is being touched anyway, add const as appropriate, but take -the opportunity to entirely drop the now unused domain parameter of -xenoprof_buf_space(). - -This is part of XSA-313. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Jan Beulich -Reviewed-by: George Dunlap -Reviewed-by: Wei Liu - ---- a/xen/common/xenoprof.c -+++ b/xen/common/xenoprof.c -@@ -479,25 +479,22 @@ static int add_passive_list(XEN_GUEST_HA - - - /* Get space in the buffer */ --static int xenoprof_buf_space(struct domain *d, xenoprof_buf_t * buf, int size) -+static int xenoprof_buf_space(int head, int tail, int size) - { -- int head, tail; -- -- head = xenoprof_buf(d, buf, event_head); -- tail = xenoprof_buf(d, buf, event_tail); -- - return ((tail > head) ? 0 : size) + tail - head - 1; - } - - /* Check for space and add a sample. Return 1 if successful, 0 otherwise. 
*/ --static int xenoprof_add_sample(struct domain *d, xenoprof_buf_t *buf, -+static int xenoprof_add_sample(const struct domain *d, -+ const struct xenoprof_vcpu *v, - uint64_t eip, int mode, int event) - { -+ xenoprof_buf_t *buf = v->buffer; - int head, tail, size; - - head = xenoprof_buf(d, buf, event_head); - tail = xenoprof_buf(d, buf, event_tail); -- size = xenoprof_buf(d, buf, event_size); -+ size = v->event_size; - - /* make sure indexes in shared buffer are sane */ - if ( (head < 0) || (head >= size) || (tail < 0) || (tail >= size) ) -@@ -506,7 +503,7 @@ static int xenoprof_add_sample(struct do - return 0; - } - -- if ( xenoprof_buf_space(d, buf, size) > 0 ) -+ if ( xenoprof_buf_space(head, tail, size) > 0 ) - { - xenoprof_buf(d, buf, event_log[head].eip) = eip; - xenoprof_buf(d, buf, event_log[head].mode) = mode; -@@ -530,7 +527,6 @@ static int xenoprof_add_sample(struct do - int xenoprof_add_trace(struct vcpu *vcpu, uint64_t pc, int mode) - { - struct domain *d = vcpu->domain; -- xenoprof_buf_t *buf = d->xenoprof->vcpu[vcpu->vcpu_id].buffer; - - /* Do not accidentally write an escape code due to a broken frame. */ - if ( pc == XENOPROF_ESCAPE_CODE ) -@@ -539,7 +535,8 @@ int xenoprof_add_trace(struct vcpu *vcpu - return 0; - } - -- return xenoprof_add_sample(d, buf, pc, mode, 0); -+ return xenoprof_add_sample(d, &d->xenoprof->vcpu[vcpu->vcpu_id], -+ pc, mode, 0); - } - - void xenoprof_log_event(struct vcpu *vcpu, const struct cpu_user_regs *regs, -@@ -570,17 +567,22 @@ void xenoprof_log_event(struct vcpu *vcp - /* Provide backtrace if requested. 
*/ - if ( backtrace_depth > 0 ) - { -- if ( (xenoprof_buf_space(d, buf, v->event_size) < 2) || -- !xenoprof_add_sample(d, buf, XENOPROF_ESCAPE_CODE, mode, -- XENOPROF_TRACE_BEGIN) ) -+ if ( xenoprof_buf_space(xenoprof_buf(d, buf, event_head), -+ xenoprof_buf(d, buf, event_tail), -+ v->event_size) < 2 ) - { - xenoprof_buf(d, buf, lost_samples)++; - lost_samples++; - return; - } -+ -+ /* xenoprof_add_sample() will increment lost_samples on failure */ -+ if ( !xenoprof_add_sample(d, v, XENOPROF_ESCAPE_CODE, mode, -+ XENOPROF_TRACE_BEGIN) ) -+ return; - } - -- if ( xenoprof_add_sample(d, buf, pc, mode, event) ) -+ if ( xenoprof_add_sample(d, v, pc, mode, event) ) - { - if ( is_active(vcpu->domain) ) - active_samples++; ---- a/xen/include/xen/xenoprof.h -+++ b/xen/include/xen/xenoprof.h -@@ -61,12 +61,12 @@ struct xenoprof { - - #ifndef CONFIG_COMPAT - #define XENOPROF_COMPAT(x) 0 --#define xenoprof_buf(d, b, field) ((b)->field) -+#define xenoprof_buf(d, b, field) ACCESS_ONCE((b)->field) - #else - #define XENOPROF_COMPAT(x) ((x)->is_compat) --#define xenoprof_buf(d, b, field) (*(!(d)->xenoprof->is_compat ? \ -- &(b)->native.field : \ -- &(b)->compat.field)) -+#define xenoprof_buf(d, b, field) ACCESS_ONCE(*(!(d)->xenoprof->is_compat \ -+ ? &(b)->native.field \ -+ : &(b)->compat.field)) - #endif - - struct domain; diff --git a/xsa314-4.13.patch b/xsa314-4.13.patch deleted file mode 100644 index 67e0066..0000000 --- a/xsa314-4.13.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From ab49f005f7d01d4004d76f2e295d31aca7d4f93a Mon Sep 17 00:00:00 2001 -From: Julien Grall -Date: Thu, 20 Feb 2020 20:54:40 +0000 -Subject: [PATCH] xen/rwlock: Add missing memory barrier in the unlock path of - rwlock - -The rwlock unlock paths are using atomic_sub() to release the lock. -However the implementation of atomic_sub() rightfully doesn't contain a -memory barrier. On Arm, this means a processor is allowed to re-order -the memory access with the preceeding access. - -In other words, the unlock may be seen by another processor before all -the memory accesses within the "critical" section. - -The rwlock paths already contains barrier indirectly, but they are not -very useful without the counterpart in the unlock paths. - -The memory barriers are not necessary on x86 because loads/stores are -not re-ordered with lock instructions. - -So add arch_lock_release_barrier() in the unlock paths that will only -add memory barrier on Arm. - -Take the opportunity to document each lock paths explaining why a -barrier is not necessary. - -This is XSA-314. - -Signed-off-by: Julien Grall -Reviewed-by: Jan Beulich -Reviewed-by: Stefano Stabellini - ---- - xen/include/xen/rwlock.h | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h -index 3dfea1ac2a..516486306f 100644 ---- a/xen/include/xen/rwlock.h -+++ b/xen/include/xen/rwlock.h -@@ -48,6 +48,10 @@ static inline int _read_trylock(rwlock_t *lock) - if ( likely(!(cnts & _QW_WMASK)) ) - { - cnts = (u32)atomic_add_return(_QR_BIAS, &lock->cnts); -+ /* -+ * atomic_add_return() is a full barrier so no need for an -+ * arch_lock_acquire_barrier(). 
-+ */ - if ( likely(!(cnts & _QW_WMASK)) ) - return 1; - atomic_sub(_QR_BIAS, &lock->cnts); -@@ -64,11 +68,19 @@ static inline void _read_lock(rwlock_t *lock) - u32 cnts; - - cnts = atomic_add_return(_QR_BIAS, &lock->cnts); -+ /* -+ * atomic_add_return() is a full barrier so no need for an -+ * arch_lock_acquire_barrier(). -+ */ - if ( likely(!(cnts & _QW_WMASK)) ) - return; - - /* The slowpath will decrement the reader count, if necessary. */ - queue_read_lock_slowpath(lock); -+ /* -+ * queue_read_lock_slowpath() is using spinlock and therefore is a -+ * full barrier. So no need for an arch_lock_acquire_barrier(). -+ */ - } - - static inline void _read_lock_irq(rwlock_t *lock) -@@ -92,6 +104,7 @@ static inline unsigned long _read_lock_irqsave(rwlock_t *lock) - */ - static inline void _read_unlock(rwlock_t *lock) - { -+ arch_lock_release_barrier(); - /* - * Atomically decrement the reader count - */ -@@ -121,11 +134,20 @@ static inline int _rw_is_locked(rwlock_t *lock) - */ - static inline void _write_lock(rwlock_t *lock) - { -- /* Optimize for the unfair lock case where the fair flag is 0. */ -+ /* -+ * Optimize for the unfair lock case where the fair flag is 0. -+ * -+ * atomic_cmpxchg() is a full barrier so no need for an -+ * arch_lock_acquire_barrier(). -+ */ - if ( atomic_cmpxchg(&lock->cnts, 0, _QW_LOCKED) == 0 ) - return; - - queue_write_lock_slowpath(lock); -+ /* -+ * queue_write_lock_slowpath() is using spinlock and therefore is a -+ * full barrier. So no need for an arch_lock_acquire_barrier(). -+ */ - } - - static inline void _write_lock_irq(rwlock_t *lock) -@@ -157,11 +179,16 @@ static inline int _write_trylock(rwlock_t *lock) - if ( unlikely(cnts) ) - return 0; - -+ /* -+ * atomic_cmpxchg() is a full barrier so no need for an -+ * arch_lock_acquire_barrier(). 
-+ */ - return likely(atomic_cmpxchg(&lock->cnts, 0, _QW_LOCKED) == 0); - } - - static inline void _write_unlock(rwlock_t *lock) - { -+ arch_lock_release_barrier(); - /* - * If the writer field is atomic, it can be cleared directly. - * Otherwise, an atomic subtraction will be used to clear it. --- -2.17.1 - diff --git a/xsa316-xen.patch b/xsa316-xen.patch deleted file mode 100644 index 4962b4e..0000000 --- a/xsa316-xen.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Ross Lagerwall -Subject: xen/gnttab: Fix error path in map_grant_ref() - -Part of XSA-295 (c/s 863e74eb2cffb) inadvertently re-positioned the brackets, -changing the logic. If the _set_status() call fails, the grant_map hypercall -would fail with a status of 1 (rc != GNTST_okay) instead of the expected -negative GNTST_* error. - -This error path can be taken due to bad guest state, and causes net/blk-back -in Linux to crash. - -This is XSA-316. - -Signed-off-by: Ross Lagerwall -Reviewed-by: Andrew Cooper -Reviewed-by: Julien Grall - -diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c -index 9fd6e60416..4b5344dc21 100644 ---- a/xen/common/grant_table.c -+++ b/xen/common/grant_table.c -@@ -1031,7 +1031,7 @@ map_grant_ref( - { - if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act, - op->flags & GNTMAP_readonly, 1, -- ld->domain_id) != GNTST_okay) ) -+ ld->domain_id)) != GNTST_okay ) - goto act_release_out; - - if ( !act->pin ) diff --git a/xsa318.patch b/xsa318.patch deleted file mode 100644 index f4becdf..0000000 --- a/xsa318.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Jan Beulich -Subject: gnttab: fix GNTTABOP_copy continuation handling - -The XSA-226 fix was flawed - the backwards transformation on rc was done -too early, causing a continuation to not get invoked when the need for -preemption was determined at the very first iteration of the request. -This in particular means that all of the status fields of the individual -operations would be left untouched, i.e. set to whatever the caller may -or may not have initialized them to. - -This is part of XSA-318. - -Reported-by: Pawel Wieczorkiewicz -Tested-by: Pawel Wieczorkiewicz -Signed-off-by: Jan Beulich -Reviewed-by: Juergen Gross - ---- a/xen/common/grant_table.c -+++ b/xen/common/grant_table.c -@@ -3576,8 +3576,7 @@ do_grant_table_op( - rc = gnttab_copy(copy, count); - if ( rc > 0 ) - { -- rc = count - rc; -- guest_handle_add_offset(copy, rc); -+ guest_handle_add_offset(copy, count - rc); - uop = guest_handle_cast(copy, void); - } - break; -@@ -3644,6 +3643,9 @@ do_grant_table_op( - out: - if ( rc > 0 || opaque_out != 0 ) - { -+ /* Adjust rc, see gnttab_copy() for why this is needed. */ -+ if ( cmd == GNTTABOP_copy ) -+ rc = count - rc; - ASSERT(rc < count); - ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0); - rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi",