提交 b0e5fec4 编写于 作者: J Juergen Gross 提交者: Laibin Qiu

xen/9p: use alloc/free_pages_exact()

stable inclusion
from linux-4.19.234
commit 2466bed361f3274e3e0ca9d8e539532481c06fea

--------------------------------

Commit 5cadd4bb upstream.

Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
and free_pages_exact(). This is in preparation of a change of
gnttab_end_foreign_access() which will prohibit use of high-order
pages.

By using the local variable "order" instead of ring->intf->ring_order
in the error path of xen_9pfs_front_alloc_dataring() another bug is
fixed, as the error path can be entered before ring->intf->ring_order
is being set.

By using alloc_pages_exact() the size in bytes is specified for the
allocation, which fixes another bug for the case of
order < (PAGE_SHIFT - XEN_PAGE_SHIFT).

This is part of CVE-2022-23041 / XSA-396.
Reported-by: NSimon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: NJuergen Gross <jgross@suse.com>
Reviewed-by: NJan Beulich <jbeulich@suse.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
上级 c16dd2ae
...@@ -301,9 +301,9 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv) ...@@ -301,9 +301,9 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
ref = priv->rings[i].intf->ref[j]; ref = priv->rings[i].intf->ref[j];
gnttab_end_foreign_access(ref, 0, 0); gnttab_end_foreign_access(ref, 0, 0);
} }
free_pages((unsigned long)priv->rings[i].data.in, free_pages_exact(priv->rings[i].data.in,
XEN_9PFS_RING_ORDER - 1UL << (XEN_9PFS_RING_ORDER +
(PAGE_SHIFT - XEN_PAGE_SHIFT)); XEN_PAGE_SHIFT));
} }
gnttab_end_foreign_access(priv->rings[i].ref, 0, 0); gnttab_end_foreign_access(priv->rings[i].ref, 0, 0);
free_page((unsigned long)priv->rings[i].intf); free_page((unsigned long)priv->rings[i].intf);
...@@ -341,8 +341,8 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev, ...@@ -341,8 +341,8 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
if (ret < 0) if (ret < 0)
goto out; goto out;
ring->ref = ret; ring->ref = ret;
bytes = (void *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, bytes = alloc_pages_exact(1UL << (XEN_9PFS_RING_ORDER + XEN_PAGE_SHIFT),
XEN_9PFS_RING_ORDER - (PAGE_SHIFT - XEN_PAGE_SHIFT)); GFP_KERNEL | __GFP_ZERO);
if (!bytes) { if (!bytes) {
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto out;
...@@ -373,9 +373,7 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev, ...@@ -373,9 +373,7 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
if (bytes) { if (bytes) {
for (i--; i >= 0; i--) for (i--; i >= 0; i--)
gnttab_end_foreign_access(ring->intf->ref[i], 0, 0); gnttab_end_foreign_access(ring->intf->ref[i], 0, 0);
free_pages((unsigned long)bytes, free_pages_exact(bytes, 1UL << (XEN_9PFS_RING_ORDER + XEN_PAGE_SHIFT));
XEN_9PFS_RING_ORDER -
(PAGE_SHIFT - XEN_PAGE_SHIFT));
} }
gnttab_end_foreign_access(ring->ref, 0, 0); gnttab_end_foreign_access(ring->ref, 0, 0);
free_page((unsigned long)ring->intf); free_page((unsigned long)ring->intf);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册