xen/gntalloc: don't use gnttab_query_foreign_access()

stable inclusion from stable-v5.10.105 commit 5f36ae75b847e7f87e4144602f418a624ca074b7 bugzilla: 186480 https://gitee.com/src-openeuler/kernel/issues/I50W9S CVE: CVE-2022-23039 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5f36ae75b847e7f87e4144602f418a624ca074b7 -------------------------------- Commit d3b6372c upstream. Using gnttab_query_foreign_access() is unsafe, as it is racy by design. The use case in the gntalloc driver is not needed at all. While at it replace the call of gnttab_end_foreign_access_ref() with a call of gnttab_end_foreign_access(), which is what is really wanted there. In case the grant wasn't used due to an allocation failure, just free the grant via gnttab_free_grant_reference(). This is CVE-2022-23039 / part of XSA-396. Reported-by: N Demi Marie Obenour <demi@invisiblethingslab.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Reviewed-by: N Jan Beulich <jbeulich@suse.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

xen/gntalloc: don't use gnttab_query_foreign_access()
stable inclusion from stable-v5.10.105 commit 5f36ae75b847e7f87e4144602f418a624ca074b7 bugzilla: 186480 https://gitee.com/src-openeuler/kernel/issues/I50W9S CVE: CVE-2022-23039 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5f36ae75b847e7f87e4144602f418a624ca074b7 -------------------------------- Commit d3b6372c upstream. Using gnttab_query_foreign_access() is unsafe, as it is racy by design. The use case in the gntalloc driver is not needed at all. While at it replace the call of gnttab_end_foreign_access_ref() with a call of gnttab_end_foreign_access(), which is what is really wanted there. In case the grant wasn't used due to an allocation failure, just free the grant via gnttab_free_grant_reference(). This is CVE-2022-23039 / part of XSA-396. Reported-by: N Demi Marie Obenour <demi@invisiblethingslab.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Reviewed-by: N Jan Beulich <jbeulich@suse.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
dbaab1ce · Juergen Gross · Zheng Zengkai · dd1d8b79 · dbaab1ce
显示空白变更内容
内联并排

Showing with 7 addition and 18 deletion

drivers/xen/gntalloc.c drivers/xen/gntalloc.c +7 -18

未找到文件。
--- a/drivers/xen/gntalloc.c
+++ b/drivers/xen/gntalloc.c
@@ -169,20 +169,14 @@ static int add_grefs(struct ioctl_gntalloc_alloc_gref *op,
 		__del_gref(gref);
 	}
-	/* It's possible for the target domain to map the just-allocated grant
-	 * references by blindly guessing their IDs; if this is done, then
-	 * __del_gref will leave them in the queue_gref list. They need to be
-	 * added to the global list so that we can free them when they are no
-	 * longer referenced.
-	 */
-	if (unlikely(!list_empty(&queue_gref)))
-		list_splice_tail(&queue_gref, &gref_list);
 	mutex_unlock(&gref_mutex);
 	return rc;
 }
 static void __del_gref(struct gntalloc_gref *gref)
 {
+	unsigned long addr;
 	if (gref->notify.flags & UNMAP_NOTIFY_CLEAR_BYTE) {
 		uint8_t *tmp = kmap(gref->page);
 		tmp[gref->notify.pgoff] = 0;
@@ -196,21 +190,16 @@ static void __del_gref(struct gntalloc_gref *gref)
 	gref->notify.flags = 0;
 	if (gref->gref_id) {
-		if (gnttab_query_foreign_access(gref->gref_id))
+		if (gref->page) {
-			return;
+			addr = (unsigned long)page_to_virt(gref->page);
+			gnttab_end_foreign_access(gref->gref_id, 0, addr);
-		if (!gnttab_end_foreign_access_ref(gref->gref_id, 0))
+		} else
-			return;
 			gnttab_free_grant_reference(gref->gref_id);
 	}
 	gref_size--;
 	list_del(&gref->next_gref);
-	if (gref->page)
-		__free_page(gref->page);
 	kfree(gref);
 }