From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Demi Marie Obenour <demi@invisiblethingslab.com>,
Juergen Gross <jgross@suse.com>, Jan Beulich <jbeulich@suse.com>
Subject: [PATCH 4.14 31/31] xen/netfront: react properly to failing gnttab_end_foreign_access_ref()
Date: Thu, 10 Mar 2022 15:18:44 +0100 [thread overview]
Message-ID: <20220310140808.447773285@linuxfoundation.org> (raw)
In-Reply-To: <20220310140807.524313448@linuxfoundation.org>
From: Juergen Gross <jgross@suse.com>
Commit 66e3531b33ee51dad17c463b4d9c9f52e341503d upstream.
When calling gnttab_end_foreign_access_ref() the returned value must
be tested and the reaction to that value should be appropriate.
In case of failure in xennet_get_responses() the reaction should not be
to crash the system, but to disable the network device.
The calls in setup_netfront() can be replaced by calls of
gnttab_end_foreign_access(). While at it avoid double free of ring
pages and grant references via xennet_disconnect_backend() in this case.
This is CVE-2022-23042 / part of XSA-396.
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/xen-netfront.c | 48 +++++++++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 17 deletions(-)
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -839,7 +839,6 @@ static int xennet_get_responses(struct n
int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
int slots = 1;
int err = 0;
- unsigned long ret;
if (rx->flags & XEN_NETRXF_extra_info) {
err = xennet_get_extras(queue, extras, rp);
@@ -870,8 +869,13 @@ static int xennet_get_responses(struct n
goto next;
}
- ret = gnttab_end_foreign_access_ref(ref, 0);
- BUG_ON(!ret);
+ if (!gnttab_end_foreign_access_ref(ref, 0)) {
+ dev_alert(dev,
+ "Grant still in use by backend domain\n");
+ queue->info->broken = true;
+ dev_alert(dev, "Disabled for further use\n");
+ return -EINVAL;
+ }
gnttab_release_grant_reference(&queue->gref_rx_head, ref);
@@ -1075,6 +1079,10 @@ static int xennet_poll(struct napi_struc
err = xennet_get_responses(queue, &rinfo, rp, &tmpq);
if (unlikely(err)) {
+ if (queue->info->broken) {
+ spin_unlock(&queue->rx_lock);
+ return 0;
+ }
err:
while ((skb = __skb_dequeue(&tmpq)))
__skb_queue_tail(&errq, skb);
@@ -1652,7 +1660,7 @@ static int setup_netfront(struct xenbus_
struct netfront_queue *queue, unsigned int feature_split_evtchn)
{
struct xen_netif_tx_sring *txs;
- struct xen_netif_rx_sring *rxs;
+ struct xen_netif_rx_sring *rxs = NULL;
grant_ref_t gref;
int err;
@@ -1672,21 +1680,21 @@ static int setup_netfront(struct xenbus_
err = xenbus_grant_ring(dev, txs, 1, &gref);
if (err < 0)
- goto grant_tx_ring_fail;
+ goto fail;
queue->tx_ring_ref = gref;
rxs = (struct xen_netif_rx_sring *)get_zeroed_page(GFP_NOIO | __GFP_HIGH);
if (!rxs) {
err = -ENOMEM;
xenbus_dev_fatal(dev, err, "allocating rx ring page");
- goto alloc_rx_ring_fail;
+ goto fail;
}
SHARED_RING_INIT(rxs);
FRONT_RING_INIT(&queue->rx, rxs, XEN_PAGE_SIZE);
err = xenbus_grant_ring(dev, rxs, 1, &gref);
if (err < 0)
- goto grant_rx_ring_fail;
+ goto fail;
queue->rx_ring_ref = gref;
if (feature_split_evtchn)
@@ -1699,22 +1707,28 @@ static int setup_netfront(struct xenbus_
err = setup_netfront_single(queue);
if (err)
- goto alloc_evtchn_fail;
+ goto fail;
return 0;
/* If we fail to setup netfront, it is safe to just revoke access to
* granted pages because backend is not accessing it at this point.
*/
-alloc_evtchn_fail:
- gnttab_end_foreign_access_ref(queue->rx_ring_ref, 0);
-grant_rx_ring_fail:
- free_page((unsigned long)rxs);
-alloc_rx_ring_fail:
- gnttab_end_foreign_access_ref(queue->tx_ring_ref, 0);
-grant_tx_ring_fail:
- free_page((unsigned long)txs);
-fail:
+ fail:
+ if (queue->rx_ring_ref != GRANT_INVALID_REF) {
+ gnttab_end_foreign_access(queue->rx_ring_ref, 0,
+ (unsigned long)rxs);
+ queue->rx_ring_ref = GRANT_INVALID_REF;
+ } else {
+ free_page((unsigned long)rxs);
+ }
+ if (queue->tx_ring_ref != GRANT_INVALID_REF) {
+ gnttab_end_foreign_access(queue->tx_ring_ref, 0,
+ (unsigned long)txs);
+ queue->tx_ring_ref = GRANT_INVALID_REF;
+ } else {
+ free_page((unsigned long)txs);
+ }
return err;
}
next prev parent reply other threads:[~2022-03-10 14:26 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:18 [PATCH 4.14 00/31] 4.14.271-rc2 review Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 01/31] x86/speculation: Merge one test in spectre_v2_user_select_mitigation() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 02/31] x86,bugs: Unconditionally allow spectre_v2=retpoline,amd Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 03/31] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 04/31] x86/speculation: Add eIBRS + Retpoline options Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 05/31] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 06/31] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 07/31] x86/speculation: Use generic retpoline by default on AMD Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 08/31] x86/speculation: Update link to AMD speculation whitepaper Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 09/31] x86/speculation: Warn about Spectre v2 LFENCE mitigation Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 10/31] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 11/31] arm/arm64: Provide a wrapper for SMCCC 1.1 calls Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 12/31] arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 13/31] ARM: report Spectre v2 status through sysfs Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 14/31] ARM: early traps initialisation Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 15/31] ARM: use LOADADDR() to get load address of sections Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 16/31] ARM: Spectre-BHB workaround Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 17/31] ARM: include unprivileged BPF status in Spectre V2 reporting Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 18/31] ARM: fix build error when BPF_SYSCALL is disabled Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 19/31] ARM: fix co-processor register typo Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 20/31] ARM: Do not use NOCROSSREFS directive with ld.lld Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 21/31] ARM: fix build warning in proc-v7-bugs.c Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 22/31] xen/xenbus: dont let xenbus_grant_ring() remove grants in error case Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 23/31] xen/grant-table: add gnttab_try_end_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 24/31] xen/blkfront: dont use gnttab_query_foreign_access() for mapped status Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 25/31] xen/netfront: " Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 26/31] xen/scsifront: " Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 27/31] xen/gntalloc: dont use gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 28/31] xen: remove gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 29/31] xen/9p: use alloc/free_pages_exact() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 30/31] xen/gnttab: fix gnttab_end_foreign_access() without page specified Greg Kroah-Hartman
2022-03-10 14:18 ` Greg Kroah-Hartman [this message]
2022-03-10 18:48 ` [PATCH 4.14 00/31] 4.14.271-rc2 review Jon Hunter
2022-03-11 1:01 ` Guenter Roeck
2022-03-11 13:18 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220310140808.447773285@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=demi@invisiblethingslab.com \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.