Xen/gntdev: correct error checking in gntdev_map_grant_pages()

stable inclusion from linux-4.19.177 commit e07f06f6bbeed5bf47fed79ac6a57ec62b33304a CVE: CVE-2021-26932 -------------------------------- commit ebee0eab upstream. Failure of the kernel part of the mapping operation should also be indicated as an error to the caller, or else it may assume the respective kernel VA is okay to access. Furthermore gnttab_map_refs() failing still requires recording successfully mapped handles, so they can be unmapped subsequently. This in turn requires there to be a way to tell full hypercall failure from partial success - preset map_op status fields such that they won't "happen" to look as if the operation succeeded. Also again use GNTST_okay instead of implying its value (zero). This is part of XSA-361. Signed-off-by: N Jan Beulich <jbeulich@suse.com> Cc: stable@vger.kernel.org Reviewed-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>

Xen/gntdev: correct error checking in gntdev_map_grant_pages()
stable inclusion from linux-4.19.177 commit e07f06f6bbeed5bf47fed79ac6a57ec62b33304a CVE: CVE-2021-26932 -------------------------------- commit ebee0eab upstream. Failure of the kernel part of the mapping operation should also be indicated as an error to the caller, or else it may assume the respective kernel VA is okay to access. Furthermore gnttab_map_refs() failing still requires recording successfully mapped handles, so they can be unmapped subsequently. This in turn requires there to be a way to tell full hypercall failure from partial success - preset map_op status fields such that they won't "happen" to look as if the operation succeeded. Also again use GNTST_okay instead of implying its value (zero). This is part of XSA-361. Signed-off-by: N Jan Beulich <jbeulich@suse.com> Cc: stable@vger.kernel.org Reviewed-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>
651e794e · Jan Beulich · Cheng Jian · e1527921 · 651e794e · 651e794e
显示空白变更内容
内联并排

Showing with 10 addition and 8 deletion

drivers/xen/gntdev.c drivers/xen/gntdev.c +9 -8

include/xen/grant_table.h include/xen/grant_table.h +1 -0

未找到文件。
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -348,21 +348,22 @@ int gntdev_map_grant_pages(struct gntdev_grant_map *map)
 	pr_debug("map %d+%d\n", map->index, map->count);
 	err = gnttab_map_refs(map->map_ops, use_ptemod ? map->kmap_ops : NULL,
 			map->pages, map->count);
-	if (err)
-		return err;

 	for (i = 0; i < map->count; i++) {
-		if (map->map_ops[i].status) {
+		if (map->map_ops[i].status == GNTST_okay)
+			map->unmap_ops[i].handle = map->map_ops[i].handle;
+		else if (!err)
 			err = -EINVAL;
-			continue;
-		}

 		if (map->flags & GNTMAP_device_map)
 			map->unmap_ops[i].dev_bus_addr = map->map_ops[i].dev_bus_addr;

-		map->unmap_ops[i].handle = map->map_ops[i].handle;
-		if (use_ptemod)
+		if (use_ptemod) {
+			if (map->kmap_ops[i].status == GNTST_okay)
 				map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
+			else if (!err)
+				err = -EINVAL;
+		}
 	}
 	return err;
 }

--- a/include/xen/grant_table.h
+++ b/include/xen/grant_table.h
@@ -157,6 +157,7 @@ gnttab_set_map_op(struct gnttab_map_grant_ref *map, phys_addr_t addr,
 	map->flags = flags;
 	map->ref = ref;
 	map->dom = domid;
+	map->status = 1; /* arbitrary positive value */
 }

 static inline void