-
-
Notifications
You must be signed in to change notification settings - Fork 63
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
1,015 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| From 36b82ead34796debea82a0045dbcf6af0039a9fe Mon Sep 17 00:00:00 2001 | ||
| From: Juergen Gross <[email protected]> | ||
| Date: Fri, 25 Feb 2022 16:05:40 +0100 | ||
| Subject: [PATCH 01/12] xen/xenbus: don't let xenbus_grant_ring() remove | ||
| grants in error case | ||
|
|
||
| Letting xenbus_grant_ring() tear down grants in the error case is | ||
| problematic, as the other side could already have used these grants. | ||
| Calling gnttab_end_foreign_access_ref() without checking success is | ||
| resulting in an unclear situation for any caller of xenbus_grant_ring() | ||
| as in the error case the memory pages of the ring page might be | ||
| partially mapped. Freeing them would risk unwanted foreign access to | ||
| them, while not freeing them would leak memory. | ||
|
|
||
| In order to remove the need to undo any gnttab_grant_foreign_access() | ||
| calls, use gnttab_alloc_grant_references() to make sure no further | ||
| error can occur in the loop granting access to the ring pages. | ||
|
|
||
| It should be noted that this way of handling removes leaking of | ||
| grant entries in the error case, too. | ||
|
|
||
| This is CVE-2022-23040 / part of XSA-396. | ||
|
|
||
| Signed-off-by: Juergen Gross <[email protected]> | ||
| Reviewed-by: Jan Beulich <[email protected]> | ||
| --- | ||
| drivers/xen/xenbus/xenbus_client.c | 24 +++++++++++------------- | ||
| 1 file changed, 11 insertions(+), 13 deletions(-) | ||
|
|
||
| diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c | ||
| index e8bed1cb76ba..df6890681231 100644 | ||
| --- a/drivers/xen/xenbus/xenbus_client.c | ||
| +++ b/drivers/xen/xenbus/xenbus_client.c | ||
| @@ -379,7 +379,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr, | ||
| unsigned int nr_pages, grant_ref_t *grefs) | ||
| { | ||
| int err; | ||
| - int i, j; | ||
| + unsigned int i; | ||
| + grant_ref_t gref_head; | ||
| + | ||
| + err = gnttab_alloc_grant_references(nr_pages, &gref_head); | ||
| + if (err) { | ||
| + xenbus_dev_fatal(dev, err, "granting access to ring page"); | ||
| + return err; | ||
| + } | ||
|
|
||
| for (i = 0; i < nr_pages; i++) { | ||
| unsigned long gfn; | ||
| @@ -389,23 +396,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr, | ||
| else | ||
| gfn = virt_to_gfn(vaddr); | ||
|
|
||
| - err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); | ||
| - if (err < 0) { | ||
| - xenbus_dev_fatal(dev, err, | ||
| - "granting access to ring page"); | ||
| - goto fail; | ||
| - } | ||
| - grefs[i] = err; | ||
| + grefs[i] = gnttab_claim_grant_reference(&gref_head); | ||
| + gnttab_grant_foreign_access_ref(grefs[i], dev->otherend_id, | ||
| + gfn, 0); | ||
|
|
||
| vaddr = vaddr + XEN_PAGE_SIZE; | ||
| } | ||
|
|
||
| return 0; | ||
| - | ||
| -fail: | ||
| - for (j = 0; j < i; j++) | ||
| - gnttab_end_foreign_access_ref(grefs[j], 0); | ||
| - return err; | ||
| } | ||
| EXPORT_SYMBOL_GPL(xenbus_grant_ring); | ||
|
|
||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 174781c056cbf8e3ff1bb1cd56a2017ec8a14ee3 Mon Sep 17 00:00:00 2001 | ||
| From: Juergen Gross <[email protected]> | ||
| Date: Fri, 25 Feb 2022 16:05:41 +0100 | ||
| Subject: [PATCH 02/12] xen/grant-table: add gnttab_try_end_foreign_access() | ||
|
|
||
| Add a new grant table function gnttab_try_end_foreign_access(), which | ||
| will remove and free a grant if it is not in use. | ||
|
|
||
| Its main use case is to either free a grant if it is no longer in use, | ||
| or to take some other action if it is still in use. This other action | ||
| can be an error exit, or (e.g. in the case of blkfront persistent grant | ||
| feature) some special handling. | ||
|
|
||
| This is CVE-2022-23036, CVE-2022-23038 / part of XSA-396. | ||
|
|
||
| Signed-off-by: Juergen Gross <[email protected]> | ||
| Reviewed-by: Jan Beulich <[email protected]> | ||
| --- | ||
| drivers/xen/grant-table.c | 14 ++++++++++++-- | ||
| include/xen/grant_table.h | 12 ++++++++++++ | ||
| 2 files changed, 24 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c | ||
| index 3729bea0c989..1b82e7a3722a 100644 | ||
| --- a/drivers/xen/grant-table.c | ||
| +++ b/drivers/xen/grant-table.c | ||
| @@ -435,11 +435,21 @@ static void gnttab_add_deferred(grant_ref_t ref, bool readonly, | ||
| what, ref, page ? page_to_pfn(page) : -1); | ||
| } | ||
|
|
||
| +int gnttab_try_end_foreign_access(grant_ref_t ref) | ||
| +{ | ||
| + int ret = _gnttab_end_foreign_access_ref(ref, 0); | ||
| + | ||
| + if (ret) | ||
| + put_free_entry(ref); | ||
| + | ||
| + return ret; | ||
| +} | ||
| +EXPORT_SYMBOL_GPL(gnttab_try_end_foreign_access); | ||
| + | ||
| void gnttab_end_foreign_access(grant_ref_t ref, int readonly, | ||
| unsigned long page) | ||
| { | ||
| - if (gnttab_end_foreign_access_ref(ref, readonly)) { | ||
| - put_free_entry(ref); | ||
| + if (gnttab_try_end_foreign_access(ref)) { | ||
| if (page != 0) | ||
| put_page(virt_to_page(page)); | ||
| } else | ||
| diff --git a/include/xen/grant_table.h b/include/xen/grant_table.h | ||
| index cb854df031ce..358d2817741b 100644 | ||
| --- a/include/xen/grant_table.h | ||
| +++ b/include/xen/grant_table.h | ||
| @@ -104,10 +104,22 @@ int gnttab_end_foreign_access_ref(grant_ref_t ref, int readonly); | ||
| * access has been ended, free the given page too. Access will be ended | ||
| * immediately iff the grant entry is not in use, otherwise it will happen | ||
| * some time later. page may be 0, in which case no freeing will occur. | ||
| + * Note that the granted page might still be accessed (read or write) by the | ||
| + * other side after gnttab_end_foreign_access() returns, so even if page was | ||
| + * specified as 0 it is not allowed to just reuse the page for other | ||
| + * purposes immediately. | ||
| */ | ||
| void gnttab_end_foreign_access(grant_ref_t ref, int readonly, | ||
| unsigned long page); | ||
|
|
||
| +/* | ||
| + * End access through the given grant reference, iff the grant entry is | ||
| + * no longer in use. In case of success ending foreign access, the | ||
| + * grant reference is deallocated. | ||
| + * Return 1 if the grant entry was freed, 0 if it is still in use. | ||
| + */ | ||
| +int gnttab_try_end_foreign_access(grant_ref_t ref); | ||
| + | ||
| int gnttab_grant_foreign_transfer(domid_t domid, unsigned long pfn); | ||
|
|
||
| unsigned long gnttab_end_foreign_transfer_ref(grant_ref_t ref); | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,193 @@ | ||
| From 17458afb183c95bbbb10fc5c29d9d8efa0a8de21 Mon Sep 17 00:00:00 2001 | ||
| From: Juergen Gross <[email protected]> | ||
| Date: Fri, 25 Feb 2022 16:05:41 +0100 | ||
| Subject: [PATCH 03/12] xen/blkfront: don't use gnttab_query_foreign_access() for mapped status | ||
| MIME-Version: 1.0 | ||
| Content-Type: text/plain; charset=UTF-8 | ||
| Content-Transfer-Encoding: 8bit | ||
|
|
||
| It isn't enough to check whether a grant is still being in use by | ||
| calling gnttab_query_foreign_access(), as a mapping could be realized | ||
| by the other side just after having called that function. | ||
|
|
||
| In case the call was done in preparation of revoking a grant it is | ||
| better to do so via gnttab_end_foreign_access_ref() and check the | ||
| success of that operation instead. | ||
|
|
||
| For the ring allocation use alloc_pages_exact() in order to avoid | ||
| high order pages in case of a multi-page ring. | ||
|
|
||
| If a grant wasn't unmapped by the backend without persistent grants | ||
| being used, set the device state to "error". | ||
|
|
||
| This is CVE-2022-23036 / part of XSA-396. | ||
|
|
||
| Signed-off-by: Juergen Gross <[email protected]> | ||
| Reviewed-by: Roger Pau Monné <[email protected]> | ||
| --- | ||
| drivers/block/xen-blkfront.c | 63 +++++++++++++++++++++--------------- | ||
| 1 file changed, 37 insertions(+), 26 deletions(-) | ||
|
|
||
| diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c | ||
| index ca71a0585333..03b5fb341e58 100644 | ||
| --- a/drivers/block/xen-blkfront.c | ||
| +++ b/drivers/block/xen-blkfront.c | ||
| @@ -1288,7 +1288,8 @@ static void blkif_free_ring(struct blkfront_ring_info *rinfo) | ||
| rinfo->ring_ref[i] = GRANT_INVALID_REF; | ||
| } | ||
| } | ||
| - free_pages((unsigned long)rinfo->ring.sring, get_order(info->nr_ring_pages * XEN_PAGE_SIZE)); | ||
| + free_pages_exact(rinfo->ring.sring, | ||
| + info->nr_ring_pages * XEN_PAGE_SIZE); | ||
| rinfo->ring.sring = NULL; | ||
|
|
||
| if (rinfo->irq) | ||
| @@ -1372,9 +1373,15 @@ static int blkif_get_final_status(enum blk_req_status s1, | ||
| return BLKIF_RSP_OKAY; | ||
| } | ||
|
|
||
| -static bool blkif_completion(unsigned long *id, | ||
| - struct blkfront_ring_info *rinfo, | ||
| - struct blkif_response *bret) | ||
| +/* | ||
| + * Return values: | ||
| + * 1 response processed. | ||
| + * 0 missing further responses. | ||
| + * -1 error while processing. | ||
| + */ | ||
| +static int blkif_completion(unsigned long *id, | ||
| + struct blkfront_ring_info *rinfo, | ||
| + struct blkif_response *bret) | ||
| { | ||
| int i = 0; | ||
| struct scatterlist *sg; | ||
| @@ -1397,7 +1404,7 @@ static bool blkif_completion(unsigned long *id, | ||
|
|
||
| /* Wait the second response if not yet here. */ | ||
| if (s2->status < REQ_DONE) | ||
| - return false; | ||
| + return 0; | ||
|
|
||
| bret->status = blkif_get_final_status(s->status, | ||
| s2->status); | ||
| @@ -1448,42 +1455,43 @@ static bool blkif_completion(unsigned long *id, | ||
| } | ||
| /* Add the persistent grant into the list of free grants */ | ||
| for (i = 0; i < num_grant; i++) { | ||
| - if (gnttab_query_foreign_access(s->grants_used[i]->gref)) { | ||
| + if (!gnttab_try_end_foreign_access(s->grants_used[i]->gref)) { | ||
| /* | ||
| * If the grant is still mapped by the backend (the | ||
| * backend has chosen to make this grant persistent) | ||
| * we add it at the head of the list, so it will be | ||
| * reused first. | ||
| */ | ||
| - if (!info->feature_persistent) | ||
| - pr_alert_ratelimited("backed has not unmapped grant: %u\n", | ||
| - s->grants_used[i]->gref); | ||
| + if (!info->feature_persistent) { | ||
| + pr_alert("backed has not unmapped grant: %u\n", | ||
| + s->grants_used[i]->gref); | ||
| + return -1; | ||
| + } | ||
| list_add(&s->grants_used[i]->node, &rinfo->grants); | ||
| rinfo->persistent_gnts_c++; | ||
| } else { | ||
| /* | ||
| - * If the grant is not mapped by the backend we end the | ||
| - * foreign access and add it to the tail of the list, | ||
| - * so it will not be picked again unless we run out of | ||
| - * persistent grants. | ||
| + * If the grant is not mapped by the backend we add it | ||
| + * to the tail of the list, so it will not be picked | ||
| + * again unless we run out of persistent grants. | ||
| */ | ||
| - gnttab_end_foreign_access(s->grants_used[i]->gref, 0, 0UL); | ||
| s->grants_used[i]->gref = GRANT_INVALID_REF; | ||
| list_add_tail(&s->grants_used[i]->node, &rinfo->grants); | ||
| } | ||
| } | ||
| if (s->req.operation == BLKIF_OP_INDIRECT) { | ||
| for (i = 0; i < INDIRECT_GREFS(num_grant); i++) { | ||
| - if (gnttab_query_foreign_access(s->indirect_grants[i]->gref)) { | ||
| - if (!info->feature_persistent) | ||
| - pr_alert_ratelimited("backed has not unmapped grant: %u\n", | ||
| - s->indirect_grants[i]->gref); | ||
| + if (!gnttab_try_end_foreign_access(s->indirect_grants[i]->gref)) { | ||
| + if (!info->feature_persistent) { | ||
| + pr_alert("backed has not unmapped grant: %u\n", | ||
| + s->indirect_grants[i]->gref); | ||
| + return -1; | ||
| + } | ||
| list_add(&s->indirect_grants[i]->node, &rinfo->grants); | ||
| rinfo->persistent_gnts_c++; | ||
| } else { | ||
| struct page *indirect_page; | ||
|
|
||
| - gnttab_end_foreign_access(s->indirect_grants[i]->gref, 0, 0UL); | ||
| /* | ||
| * Add the used indirect page back to the list of | ||
| * available pages for indirect grefs. | ||
| @@ -1498,7 +1506,7 @@ static bool blkif_completion(unsigned long *id, | ||
| } | ||
| } | ||
|
|
||
| - return true; | ||
| + return 1; | ||
| } | ||
|
|
||
| static irqreturn_t blkif_interrupt(int irq, void *dev_id) | ||
| @@ -1564,12 +1572,17 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) | ||
| } | ||
|
|
||
| if (bret.operation != BLKIF_OP_DISCARD) { | ||
| + int ret; | ||
| + | ||
| /* | ||
| * We may need to wait for an extra response if the | ||
| * I/O request is split in 2 | ||
| */ | ||
| - if (!blkif_completion(&id, rinfo, &bret)) | ||
| + ret = blkif_completion(&id, rinfo, &bret); | ||
| + if (!ret) | ||
| continue; | ||
| + if (unlikely(ret < 0)) | ||
| + goto err; | ||
| } | ||
|
|
||
| if (add_id_to_freelist(rinfo, id)) { | ||
| @@ -1676,8 +1689,7 @@ static int setup_blkring(struct xenbus_device *dev, | ||
| for (i = 0; i < info->nr_ring_pages; i++) | ||
| rinfo->ring_ref[i] = GRANT_INVALID_REF; | ||
|
|
||
| - sring = (struct blkif_sring *)__get_free_pages(GFP_NOIO | __GFP_HIGH, | ||
| - get_order(ring_size)); | ||
| + sring = alloc_pages_exact(ring_size, GFP_NOIO); | ||
| if (!sring) { | ||
| xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring"); | ||
| return -ENOMEM; | ||
| @@ -1687,7 +1699,7 @@ static int setup_blkring(struct xenbus_device *dev, | ||
|
|
||
| err = xenbus_grant_ring(dev, rinfo->ring.sring, info->nr_ring_pages, gref); | ||
| if (err < 0) { | ||
| - free_pages((unsigned long)sring, get_order(ring_size)); | ||
| + free_pages_exact(sring, ring_size); | ||
| rinfo->ring.sring = NULL; | ||
| goto fail; | ||
| } | ||
| @@ -2532,11 +2544,10 @@ static void purge_persistent_grants(struct blkfront_info *info) | ||
| list_for_each_entry_safe(gnt_list_entry, tmp, &rinfo->grants, | ||
| node) { | ||
| if (gnt_list_entry->gref == GRANT_INVALID_REF || | ||
| - gnttab_query_foreign_access(gnt_list_entry->gref)) | ||
| + !gnttab_try_end_foreign_access(gnt_list_entry->gref)) | ||
| continue; | ||
|
|
||
| list_del(&gnt_list_entry->node); | ||
| - gnttab_end_foreign_access(gnt_list_entry->gref, 0, 0UL); | ||
| rinfo->persistent_gnts_c--; | ||
| gnt_list_entry->gref = GRANT_INVALID_REF; | ||
| list_add_tail(&gnt_list_entry->node, &rinfo->grants); | ||
| -- | ||
| 2.34.1 | ||
|
|
Oops, something went wrong.