android_kernel_xiaomi_sm8450/drivers/xen
Juergen Gross 39c00d0928 xen/gnttab: fix gnttab_end_foreign_access() without page specified
Commit 42baefac638f06314298087394b982ead9ec444b upstream.

gnttab_end_foreign_access() is used to free a grant reference and
optionally to free the associated page. In case the grant is still in
use by the other side, processing is being deferred. This leads to a
problem in case no page to be freed is specified by the caller: the
caller doesn't know that the page is still mapped by the other side
and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional
reference to the granted page in case handling is being deferred and
to drop that reference when the grant reference could be freed
finally.

This requires that there are no users of gnttab_end_foreign_access()
left directly repurposing the granted page after the call, as this
might result in clobbered data or information leaks via the not yet
freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-03-11 12:11:54 +01:00
events xen/events: Fix race in set_evtchn_to_irq 2021-08-18 08:59:14 +02:00
xen-pciback xen-pciback: Fix return in pm_ctrl_init() 2021-11-18 14:04:25 +01:00
xenbus xen/xenbus: don't let xenbus_grant_ring() remove grants in error case 2022-03-11 12:11:54 +01:00
xenfs
acpi.c
arm-device.c
balloon.c xen/balloon: add late_initcall_sync() for initial ballooning done 2021-11-18 14:03:49 +01:00
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c
evtchn.c xen/events: switch user event channels to lateeoi model 2020-10-20 10:22:11 +02:00
features.c
gntalloc.c xen/gntalloc: don't use gnttab_query_foreign_access() 2022-03-11 12:11:54 +01:00
gntdev-common.h
gntdev-dmabuf.c xen: gntdev: fix common struct sg_table related issues 2020-09-10 08:18:35 +02:00
gntdev-dmabuf.h
gntdev.c xen/gntdev: fix unmap notification order 2022-01-27 10:54:24 +01:00
grant-table.c xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-11 12:11:54 +01:00
Kconfig xen/x86: make XEN_BALLOON_MEMORY_HOTPLUG_LIMIT depend on MEMORY_HOTPLUG 2021-03-30 14:32:04 +02:00
Makefile xen: branch for v5.9-rc4 2020-09-06 09:59:27 -07:00
manage.c
mcelog.c
mem-reservation.c
pci.c
pcpu.c
platform-pci.c xen: Fix event channel callback via INTX/GSI 2021-01-27 11:55:00 +01:00
privcmd-buf.c
privcmd.c xen/privcmd: fix error handling in mmap-resource processing 2021-10-13 10:04:23 +02:00
privcmd.h
pvcalls-back.c xen/pvcallsback: use lateeoi irq binding 2020-10-20 10:22:07 +02:00
pvcalls-front.c xen/pvcalls: use alloc/free_pages_exact() 2022-03-11 12:11:54 +01:00
pvcalls-front.h
swiotlb-xen.c swiotlb: remove the tbl_dma_addr argument to swiotlb_tbl_map_single 2020-11-02 10:10:39 -05:00
sys-hypervisor.c
time.c
unpopulated-alloc.c xen/unpopulated-alloc: fix error return code in fill_list() 2021-05-19 10:13:12 +02:00
xen-acpi-cpuhotplug.c
xen-acpi-memhotplug.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
xen-acpi-pad.c
xen-acpi-processor.c
xen-balloon.c
xen-front-pgdir-shbuf.c
xen-scsiback.c xen-scsiback: don't "handle" error by BUG() 2021-02-23 15:53:24 +01:00
xen-stub.c
xlate_mmu.c xen: add helpers to allocate unpopulated memory 2020-09-04 10:00:01 +02:00