Hi,

At 16:25 +0300 on 02 May (1493742339), Razvan Cojocaru wrote:
> hvm_save_cpu_ctxt() does a memset(&ctxt, 0, sizeof(ctxt)), which
> can lead to ctxt.cur being 0. This can then crash the hypervisor
> (with FATAL PAGE FAULT) in hvm_save_one() via the
> "off < (ctxt.cur - sizeof(*desc))" for() test. This has happened
> in practice with a Linux VM queried around shutdown:

Good fix, thanks!  But I think that memset is innocent -- it's
clearing a local "struct hvm_hw_cpu ctxt", not the caller's
"hvm_domain_context_t ctxt".  AFAICS the underflow happens when the
per-type handler returns no data at all (because all VCPUs are
offline).

With the commit message fixed,

Reviewed-by: Tim Deegan <t...@xen.org>
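
A small C model of the bound discussed above, added here as an illustration and not code from the Xen tree: `struct desc`, `struct ctx`, `find_record` and the sample stream are hypothetical simplifications. It shows why the unsigned subtraction in the loop test wraps when the handler wrote nothing (`cur == 0`), and the subtraction-free bound that avoids it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified model of the save stream (not Xen's own types):
 * records of a descriptor header plus `length` payload bytes; `cur` is the
 * number of valid bytes the per-type handler actually wrote. */
struct desc { uint16_t typecode; uint16_t instance; uint32_t length; };
struct ctx  { const uint8_t *data; size_t cur; };

/* The loop test from the thread. `cur` is unsigned, so when the handler wrote
 * nothing (cur == 0) `cur - sizeof(struct desc)` wraps to SIZE_MAX and the test
 * holds for every `off`: the walker reads past the buffer and faults. */
bool unsafe_test(size_t off, size_t cur) { return off < (cur - sizeof(struct desc)); }

/* Safe form: no subtraction, and the whole header must fit below `cur`. */
bool safe_test(size_t off, size_t cur) { return off + sizeof(struct desc) <= cur; }

/* Walk the stream with the safe bound. Returns the payload offset of the first
 * matching record, or (size_t)-1 if absent or if a payload would overrun `cur`. */
size_t find_record(struct ctx c, uint16_t typecode, uint16_t instance)
{
    for (size_t off = 0; safe_test(off, c.cur); ) {
        struct desc d;
        memcpy(&d, c.data + off, sizeof d);          /* no unaligned access */
        if (d.length > c.cur - off - sizeof d)       /* truncated payload */
            return (size_t)-1;
        if (d.typecode == typecode && d.instance == instance)
            return off + sizeof d;
        off += sizeof d + d.length;
    }
    return (size_t)-1;
}
/* Constructed sample: two records of typecode 2 (instances 0 and 1), built
 * with memcpy so the layout does not depend on endianness or packing. */
static uint8_t buf[64];
static size_t put(size_t off, struct desc d, const uint8_t *p)
{
    memcpy(buf + off, &d, sizeof d);
    memcpy(buf + off + sizeof d, p, d.length);
    return off + sizeof d + d.length;
}
struct ctx sample_ctx(void)
{
    static const uint8_t p0[4] = { 0xAA, 0xBB, 0xCC, 0xDD }, p1[2] = { 0x11, 0x22 };
    struct ctx c = { buf, 0 };
    c.cur = put(0, (struct desc){ 2, 0, sizeof p0 }, p0);
    c.cur = put(c.cur, (struct desc){ 2, 1, sizeof p1 }, p1);
    return c;
}
```

An empty context (`(struct ctx){ buf, 0 }`, the all-VCPUs-offline case) makes `unsafe_test` true at offset 0 while `safe_test` is false, so `find_record` returns "absent" instead of walking off the end.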

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel