From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Demi Marie Obenour, Juergen Gross, Jan Beulich
Subject: [PATCH 5.4 23/33] xen/grant-table: add gnttab_try_end_foreign_access()
Date: Thu, 10 Mar 2022 15:19:24 +0100
Message-Id: <20220310140809.420824002@linuxfoundation.org>
In-Reply-To: <20220310140808.741682643@linuxfoundation.org>
References: <20220310140808.741682643@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Juergen Gross

Commit 6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a upstream.

Add a new grant table function gnttab_try_end_foreign_access(), which
will remove and free a grant if it is not in use.

Its main use case is to either free a grant if it is no longer in use,
or to take some other action if it is still in use. This other action
can be an error exit, or (e.g. in the case of the blkfront persistent
grant feature) some special handling.

This is CVE-2022-23036, CVE-2022-23038 / part of XSA-396.

Reported-by: Demi Marie Obenour
Signed-off-by: Juergen Gross
Reviewed-by: Jan Beulich
Signed-off-by: Greg Kroah-Hartman --- drivers/xen/grant-table.c | 14 ++++++++++++-- include/xen/grant_table.h | 12 ++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -436,11 +436,21 @@ static void gnttab_add_deferred(grant_re what, ref, page ? page_to_pfn(page) : -1); } +int gnttab_try_end_foreign_access(grant_ref_t ref) +{ + int ret = _gnttab_end_foreign_access_ref(ref, 0); + + if (ret) + put_free_entry(ref); + + return ret; +} +EXPORT_SYMBOL_GPL(gnttab_try_end_foreign_access); + void gnttab_end_foreign_access(grant_ref_t ref, int readonly, unsigned long page) { - if (gnttab_end_foreign_access_ref(ref, readonly)) { - put_free_entry(ref); + if (gnttab_try_end_foreign_access(ref)) { if (page != 0) put_page(virt_to_page(page)); } else --- a/include/xen/grant_table.h +++ b/include/xen/grant_table.h @@ -97,10 +97,22 @@ int gnttab_end_foreign_access_ref(grant_ * access has been ended, free the given page too. Access will be ended * immediately iff the grant entry is not in use, otherwise it will happen * some time later. page may be 0, in which case no freeing will occur. + * Note that the granted page might still be accessed (read or write) by the + * other side after gnttab_end_foreign_access() returns, so even if page was + * specified as 0 it is not allowed to just reuse the page for other + * purposes immediately. */ void gnttab_end_foreign_access(grant_ref_t ref, int readonly, unsigned long page); +/* + * End access through the given grant reference, iff the grant entry is + * no longer in use. In case of success ending foreign access, the + * grant reference is deallocated. + * Return 1 if the grant entry was freed, 0 if it is still in use. + */ +int gnttab_try_end_foreign_access(grant_ref_t ref); + int gnttab_grant_foreign_transfer(domid_t domid, unsigned long pfn); unsigned long gnttab_end_foreign_transfer_ref(grant_ref_t ref);
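Review bot: in the drivers/xen/grant-table.c hunk the immediate-release path changes in two ways that the commit message does not mention and that deserve a comment in the code. The old body called the public `gnttab_end_foreign_access_ref(ref, readonly)`, while the new helper calls the internal `_gnttab_end_foreign_access_ref(ref, 0)` with readonly hard-coded to 0, so (a) `gnttab_end_foreign_access()` no longer forwards its `readonly` argument on the immediate path, and (b) failure in that path now goes through a different function than before. If readonly genuinely makes no difference when ending access, a one-line comment above `gnttab_try_end_foreign_access()` saying so would stop the next reader from asking; if it does matter, pass it through. Separately, the header comment promises "Return 1" but the function forwards whatever `_gnttab_end_foreign_access_ref()` returns; either normalize with `return ret ? 1 : 0;` or document the return as non-zero.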
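Review bot: in the include/xen/grant_table.h hunk the new comment for `gnttab_try_end_foreign_access()` documents the success case but not what the caller must do on 0, which for this function is a normal outcome rather than an error: the grant reference stays allocated and, as the paragraph added just above for `gnttab_end_foreign_access()` spells out, the other side may still read or write the page, so the caller must neither free nor reuse it and must eventually retry or hand the ref to `gnttab_end_foreign_access()` for deferred release. Suggest adding that sentence after "Return 1 if the grant entry was freed, 0 if it is still in use." Minor wording: "In case of success ending foreign access" reads better as "On success".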
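To make the semantics of the new helper concrete, here is an added user-space model of the grant-entry flag protocol the patch relies on. It is example code written for this page, not kernel code and not part of the patch: it reproduces the check-then-cmpxchg loop of the v1 `gnttab_end_foreign_access_ref` on a fake shared grant table (GTF_* bit values as in Xen's public grant_table.h), adds the helper from the patch on top, and shows a frontend releasing a buffer the safe way: the page is freed only when the helper returns 1, and parked when it returns 0 because the other side still maps it. The names `backend_map()`, `backend_unmap()`, `frontend_release()` and the `scenario_*` functions are hypothetical; in a real guest the flags are set and cleared by the hypervisor, not by the guest itself.

```c
/*
 * User-space model of gnttab_try_end_foreign_access(). Added example, not
 * kernel code. GTF_* values match Xen's public grant_table.h; everything
 * else here is a constructed stand-in for the hypervisor and the frontend.
 */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GTF_permit_access 1u
#define GTF_readonly      (1u << 2)
#define GTF_reading       (1u << 3)  /* hypervisor: mapped for read by other side  */
#define GTF_writing       (1u << 4)  /* hypervisor: mapped for write by other side */

#define NR_GRANT_ENTRIES 8
typedef uint32_t grant_ref_t;

struct grant_entry_v1 {
	_Atomic uint16_t flags;  /* shared with the hypervisor in a real guest */
	uint16_t domid;
	uint32_t frame;
};

static struct grant_entry_v1 gnttab_shared[NR_GRANT_ENTRIES];
static int gref_is_free[NR_GRANT_ENTRIES];

static void gnttab_model_reset(void)
{
	for (grant_ref_t i = 0; i < NR_GRANT_ENTRIES; i++) {
		atomic_store(&gnttab_shared[i].flags, 0);
		gref_is_free[i] = 1;
	}
}

static grant_ref_t gnttab_grant_foreign_access(uint16_t domid, uint32_t frame, int readonly)
{
	for (grant_ref_t i = 0; i < NR_GRANT_ENTRIES; i++) {
		if (!gref_is_free[i])
			continue;
		gref_is_free[i] = 0;
		gnttab_shared[i].domid = domid;
		gnttab_shared[i].frame = frame;
		atomic_store(&gnttab_shared[i].flags,
			     GTF_permit_access | (readonly ? GTF_readonly : 0));
		return i;
	}
	abort();  /* model is too small; never hit in the scenarios below */
}

static void put_free_entry(grant_ref_t ref) { gref_is_free[ref] = 1; }

/* Hypothetical stand-ins for the hypervisor marking the entry mapped/unmapped. */
static void backend_map(grant_ref_t ref, int write)
{
	atomic_fetch_or(&gnttab_shared[ref].flags, write ? GTF_writing : GTF_reading);
}
static void backend_unmap(grant_ref_t ref)
{
	atomic_fetch_and(&gnttab_shared[ref].flags, (uint16_t)~(GTF_reading | GTF_writing));
}

/* Same loop as the v1 end-access routine: clear the entry only while the other
 * side is not mapping it; the cmpxchg closes the window between check and clear. */
static int _gnttab_end_foreign_access_ref(grant_ref_t ref)
{
	uint16_t flags = atomic_load(&gnttab_shared[ref].flags);
	do {
		if (flags & (GTF_reading | GTF_writing))
			return 0;  /* still in use by the other domain */
	} while (!atomic_compare_exchange_weak(&gnttab_shared[ref].flags, &flags, 0));
	return 1;
}

/* The helper from the patch: 1 = access ended and ref freed, 0 = still in use. */
int gnttab_try_end_foreign_access(grant_ref_t ref)
{
	int ret = _gnttab_end_foreign_access_ref(ref);
	if (ret)
		put_free_entry(ref);
	return ret;
}

struct frontend_buf { grant_ref_t ref; void *page; int parked; };

/* Frontend use: free the page only once the grant is really gone. On 0 the
 * backend may still write into the page, so it is parked, not freed. */
static int frontend_release(struct frontend_buf *b)
{
	if (gnttab_try_end_foreign_access(b->ref)) {
		free(b->page);
		b->page = NULL;
		return 1;
	}
	b->parked = 1;
	return 0;
}

/* Constructed scenarios; each returns 1 when the model behaved as expected. */
int scenario_idle_grant(void)
{
	gnttab_model_reset();
	struct frontend_buf b = { gnttab_grant_foreign_access(0, 0x1000, 0), malloc(4096), 0 };
	int r = frontend_release(&b);
	return r == 1 && b.page == NULL && gref_is_free[b.ref];
}

int scenario_mapped_grant(void)
{
	gnttab_model_reset();
	struct frontend_buf b = { gnttab_grant_foreign_access(0, 0x2000, 0), malloc(4096), 0 };
	backend_map(b.ref, 1);                 /* other side has it mapped for writing */
	int first = frontend_release(&b);      /* must refuse: page and ref are kept */
	int kept = first == 0 && b.page != NULL && b.parked && !gref_is_free[b.ref];
	backend_unmap(b.ref);
	int second = frontend_release(&b);     /* now the page can go */
	return kept && second == 1 && b.page == NULL && gref_is_free[b.ref];
}

int main(void)
{
	printf("idle grant freed at once: %s\n", scenario_idle_grant() ? "yes" : "no");
	printf("mapped grant refused, freed after unmap: %s\n",
	       scenario_mapped_grant() ? "yes" : "no");
	return 0;
}
```

The second scenario is the case the helper exists for: with the old single-shot `gnttab_end_foreign_access_ref()` a frontend that went on to free the page after a 0 return would hand the backend a page the guest had already recycled. The model keeps that page parked until a later call returns 1.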