stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Demi Marie Obenour <demi@invisiblethingslab.com>,
	Juergen Gross <jgross@suse.com>, Jan Beulich <jbeulich@suse.com>
Subject: [PATCH 5.4 23/33] xen/grant-table: add gnttab_try_end_foreign_access()
Date: Thu, 10 Mar 2022 15:19:24 +0100	[thread overview]
Message-ID: <20220310140809.420824002@linuxfoundation.org> (raw)
In-Reply-To: <20220310140808.741682643@linuxfoundation.org>

From: Juergen Gross <jgross@suse.com>

Commit 6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a upstream.

Add a new grant table function gnttab_try_end_foreign_access(), which
will remove and free a grant if it is not in use.

Its main use case is to either free a grant if it is no longer in use,
or to take some other action if it is still in use. This other action
can be an error exit, or (e.g. in the case of blkfront persistent grant
feature) some special handling.

This is CVE-2022-23036, CVE-2022-23038 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/grant-table.c |   14 ++++++++++++--
 include/xen/grant_table.h |   12 ++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -436,11 +436,21 @@ static void gnttab_add_deferred(grant_re
 	       what, ref, page ? page_to_pfn(page) : -1);
 }
 
+int gnttab_try_end_foreign_access(grant_ref_t ref)
+{
+	int ret = _gnttab_end_foreign_access_ref(ref, 0);
+
+	if (ret)
+		put_free_entry(ref);
+
+	return ret;
+}
+EXPORT_SYMBOL_GPL(gnttab_try_end_foreign_access);
+
 void gnttab_end_foreign_access(grant_ref_t ref, int readonly,
 			       unsigned long page)
 {
-	if (gnttab_end_foreign_access_ref(ref, readonly)) {
-		put_free_entry(ref);
+	if (gnttab_try_end_foreign_access(ref)) {
 		if (page != 0)
 			put_page(virt_to_page(page));
 	} else
--- a/include/xen/grant_table.h
+++ b/include/xen/grant_table.h
@@ -97,10 +97,22 @@ int gnttab_end_foreign_access_ref(grant_
  * access has been ended, free the given page too.  Access will be ended
  * immediately iff the grant entry is not in use, otherwise it will happen
  * some time later.  page may be 0, in which case no freeing will occur.
+ * Note that the granted page might still be accessed (read or write) by the
+ * other side after gnttab_end_foreign_access() returns, so even if page was
+ * specified as 0 it is not allowed to just reuse the page for other
+ * purposes immediately.
  */
 void gnttab_end_foreign_access(grant_ref_t ref, int readonly,
 			       unsigned long page);
 
+/*
+ * End access through the given grant reference, iff the grant entry is
+ * no longer in use.  In case of success ending foreign access, the
+ * grant reference is deallocated.
+ * Return 1 if the grant entry was freed, 0 if it is still in use.
+ */
+int gnttab_try_end_foreign_access(grant_ref_t ref);
+
 int gnttab_grant_foreign_transfer(domid_t domid, unsigned long pfn);
 
 unsigned long gnttab_end_foreign_transfer_ref(grant_ref_t ref);



  parent reply	other threads:[~2022-03-10 14:33 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-10 14:19 [PATCH 5.4 00/33] 5.4.184-rc2 review Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 01/33] x86/speculation: Merge one test in spectre_v2_user_select_mitigation() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 02/33] x86,bugs: Unconditionally allow spectre_v2=retpoline,amd Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 03/33] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 04/33] x86/speculation: Add eIBRS + Retpoline options Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 05/33] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 06/33] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 07/33] x86/speculation: Use generic retpoline by default on AMD Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 08/33] x86/speculation: Update link to AMD speculation whitepaper Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 09/33] x86/speculation: Warn about Spectre v2 LFENCE mitigation Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 10/33] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 11/33] arm/arm64: Provide a wrapper for SMCCC 1.1 calls Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 12/33] arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 13/33] ARM: report Spectre v2 status through sysfs Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 14/33] ARM: early traps initialisation Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 15/33] ARM: use LOADADDR() to get load address of sections Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 16/33] ARM: Spectre-BHB workaround Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 17/33] ARM: include unprivileged BPF status in Spectre V2 reporting Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 18/33] ARM: fix build error when BPF_SYSCALL is disabled Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 19/33] ARM: fix co-processor register typo Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 20/33] ARM: Do not use NOCROSSREFS directive with ld.lld Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 21/33] ARM: fix build warning in proc-v7-bugs.c Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 22/33] xen/xenbus: dont let xenbus_grant_ring() remove grants in error case Greg Kroah-Hartman
2022-03-10 14:19 ` Greg Kroah-Hartman [this message]
2022-03-10 14:19 ` [PATCH 5.4 24/33] xen/blkfront: dont use gnttab_query_foreign_access() for mapped status Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 25/33] xen/netfront: " Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 26/33] xen/scsifront: " Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 27/33] xen/gntalloc: dont use gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 28/33] xen: remove gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 29/33] xen/9p: use alloc/free_pages_exact() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 30/33] xen/pvcalls: " Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 31/33] xen/gnttab: fix gnttab_end_foreign_access() without page specified Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 32/33] xen/netfront: react properly to failing gnttab_end_foreign_access_ref() Greg Kroah-Hartman
2022-03-10 14:19 ` [PATCH 5.4 33/33] Revert "ACPI: PM: s2idle: Cancel wakeup before dispatching EC GPE" Greg Kroah-Hartman
2022-03-10 18:48 ` [PATCH 5.4 00/33] 5.4.184-rc2 review Jon Hunter
2022-03-10 19:33 ` Shuah Khan
2022-03-10 22:11 ` Florian Fainelli
2022-03-11  1:02 ` Guenter Roeck
2022-03-11  9:58 ` Sudip Mukherjee
2022-03-11 12:14 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220310140809.420824002@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=demi@invisiblethingslab.com \
    --cc=jbeulich@suse.com \
    --cc=jgross@suse.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --subject='Re: [PATCH 5.4 23/33] xen/grant-table: add gnttab_try_end_foreign_access()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).