File xsa316.patch of Package xen.15650

Subject: xen/gnttab: Fix error path in map_grant_ref()
From: Ross Lagerwall ross.lagerwall@citrix.com Tue Apr 14 15:13:24 2020 +0200
Date: Tue Apr 14 15:13:24 2020 +0200:
Git: cbedabf8276f95bb4e93a5df43257790de87daad

Part of XSA-295 (c/s 863e74eb2cffb) inadvertently re-positioned the brackets,
changing the logic.  If the _set_status() call fails, the grant_map hypercall
would fail with a status of 1 (rc != GNTST_okay) instead of the expected
negative GNTST_* error.

This error path can be taken due to bad guest state, and causes net/blk-back
in Linux to crash.

This is XSA-316.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
master commit: da0c66c8f48042a0186799014af69db0303b1da5
master date: 2020-04-14 14:41:02 +0200

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index da7b644702..0583d56734 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -999,7 +999,7 @@ map_grant_ref(
     {
         if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act,
                                op->flags & GNTMAP_readonly, 1,
-                               ld->domain_id) != GNTST_okay) )
+                               ld->domain_id)) != GNTST_okay )
             goto act_release_out;
 
         if ( !act->pin )