linux/drivers
Juergen Gross 42baefac63 xen/gnttab: fix gnttab_end_foreign_access() without page specified
gnttab_end_foreign_access() is used to free a grant reference and
optionally to free the associated page. In case the grant is still in
use by the other side, processing is being deferred. This leads to a
problem in case no page to be freed is specified by the caller: the
caller doesn't know that the page is still mapped by the other side
and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional
reference to the granted page in case handling is being deferred and
to drop that reference when the grant reference could be freed
finally.

This requires that there are no users of gnttab_end_foreign_access()
left directly repurposing the granted page after the call, as this
might result in clobbered data or information leaks via the not yet
freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
V4:
- expand comment in header
V5:
- get page ref in case of kmalloc() failure, too
2022-03-07 09:48:55 +01:00
accessibility speakup-dectlk: Restore pitch setting 2022-02-08 12:15:04 +01:00
acpi Merge branch 'acpi-processor' 2022-02-18 19:36:36 +01:00
amba ARM: 9163/1: amba: Move of_amba_device_decode_irq() into amba_probe() 2021-12-17 11:34:35 +00:00
android Merge 5.16-rc8 into char-misc-next 2022-01-03 13:44:38 +01:00
ata ata: pata_hpt37x: disable primary channel on HPT371 2022-02-23 09:39:37 +09:00
atm atm: firestream: check the return value of ioremap() in fs_init() 2022-02-28 11:36:01 +00:00
auxdisplay auxdisplay: lcd2s: Use proper API to free the instance of charlcd object 2022-03-03 00:30:31 +01:00
base regmap: Fix for v5.17 2022-02-25 12:30:01 -08:00
bcma
block xen/blkfront: don't use gnttab_query_foreign_access() for mapped status 2022-03-07 09:48:54 +01:00
bluetooth virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
bus bus: mhi: pci_generic: Add mru_default for Cinterion MV31-W 2022-02-06 13:19:46 +01:00
cdrom cdrom: simplify subdirectory registration with register_sysctl() 2022-01-22 08:33:35 +02:00
char random: only call crng_finalize_init() for primary_crng 2022-02-04 19:22:32 +01:00
clk clk: jz4725b: fix mmc0 clock gating 2022-02-17 17:05:07 -08:00
clocksource ARM: dts: Use 32KiHz oscillator on devkit8000 2022-02-18 10:08:45 +02:00
comedi
connector connector/cn_proc: Use task_is_in_init_pid_ns() 2022-01-26 18:57:09 -08:00
counter counter: fix an IS_ERR() vs NULL bug 2022-01-26 19:40:33 +01:00
cpufreq cpufreq: qcom-hw: Delay enabling throttle_irq 2022-02-09 13:18:49 +05:30
cpuidle cpuidle: use default_groups in kobj_type 2022-01-05 18:31:17 +01:00
crypto crypto: octeontx2 - Avoid stack variable overflow 2022-01-31 11:22:53 +11:00
cxl cxl/core: Remove cxld_const_init in cxl_decoder_alloc() 2022-01-04 17:29:31 -08:00
dax Merge branch 'akpm' (patches from Andrew) 2022-01-15 20:37:06 +02:00
dca
devfreq
dio
dma dmaengine: shdma: Fix runtime PM imbalance on error 2022-02-15 11:04:16 +05:30
dma-buf dma-buf: heaps: Fix potential spectre v1 gadget 2022-02-01 13:18:09 +05:30
edac EDAC: Fix calculation of returned address and next offset in edac_align_ptr() 2022-02-15 15:54:46 +01:00
eisa
extcon extcon: Deduplicate code in extcon_set_state_sync() 2021-12-24 15:27:52 +09:00
firewire
firmware ARM: SoC fixes for v5.17, part 2 2022-02-28 12:51:14 -08:00
fpga
fsi
gnss gnss: usb: add support for Sierra Wireless XM1210 2021-12-22 15:38:12 +01:00
gpio Pin control fixes for the v5.17 series: 2022-02-27 12:30:54 -08:00
gpu * drm/arm: Select DRM_GEM_CMEA_HELPER for HDLCD 2022-03-04 13:04:11 +10:00
greybus greybus: es2: fix typo in a comment 2021-12-21 10:13:26 +01:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2022-03-05 15:49:45 -08:00
hsi
hv Drivers: hv: utils: Make use of the helper macro LIST_HEAD() 2022-02-09 14:33:21 +00:00
hwmon hwmon: (pmbus) Clear pmbus fault/warning bits after read 2022-02-22 08:15:39 -08:00
hwspinlock
hwtracing
i2c i2c: brcmstb: fix support for DSL and CM variants 2022-02-18 10:37:33 +01:00
i3c i3c: master: dw: check return of dw_i3c_master_get_free_pos() 2022-01-13 02:05:50 +01:00
idle
iio 1st set of IIO fixes for the 5.17 cycle. 2022-02-21 17:58:09 +01:00
infiniband RDMA/cma: Do not change route.addr.src_addr outside state checks 2022-02-25 16:46:51 -04:00
input Input: elan_i2c - fix regulator enable count imbalance after suspend/resume 2022-03-01 20:41:22 -08:00
interconnect
iommu iommu/tegra-smmu: Fix missing put_device() call in tegra_smmu_find 2022-02-28 14:01:57 +01:00
ipack
irqchip irqchip/sifive-plic: Add missing thead,c900-plic match string 2022-02-02 10:49:29 +00:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-12-30 12:12:12 -08:00
leds LED updates for 5.17. Nothing major is happening here. 2022-01-12 16:59:22 -08:00
macintosh macintosh/mac_hid.c: simplify subdirectory registration with register_sysctl() 2022-01-22 08:33:35 +02:00
mailbox - qcom: misc updates to qcom-ipcc driver 2022-01-13 11:19:07 -08:00
mcb
md block: fix surprise removal for drivers calling blk_set_queue_dying 2022-02-17 07:54:03 -07:00
media bitmap patches for 5.17-rc1 2022-01-23 06:20:44 +02:00
memory MTD core changes: 2022-01-11 11:35:28 -08:00
memstick
message scsi: message: fusion: mptctl: Use dma_alloc_coherent() 2022-01-10 10:33:52 -05:00
mfd driver core changes for 5.17-rc1 2022-01-12 11:11:34 -08:00
misc eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX 2022-02-04 16:27:44 +01:00
mmc mmc: block: fix read single on recovery logic 2022-02-08 16:04:49 +01:00
most
mtd Char/Misc driver fixes for 5.17-rc6 2022-02-25 12:12:06 -08:00
mux
net xen/netfront: don't use gnttab_query_foreign_access() for mapped status 2022-03-07 09:48:54 +01:00
nfc nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION 2022-01-12 14:17:45 +00:00
ntb ntb: intel: fix port config status offset for SPR 2022-01-28 10:19:16 -05:00
nubus proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
nvdimm virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
nvme nvme-tcp: send H2CData PDUs based on MAXH2CDATA 2022-02-23 14:43:11 +01:00
nvmem nvmem: core: Fix a conflict between MTD and NVMEM on wp-gpios property 2022-02-21 17:59:25 +01:00
of of/fdt: move elfcorehdr reservation early for crash dump kernel 2022-02-17 17:13:52 -06:00
opp
parisc parisc: Fix sglist access in ccio-dma.c 2022-01-28 10:15:34 +01:00
parport
pci A single fix for a regression caused by the recent PCI/MSI rework which 2022-02-27 13:07:40 -08:00
pcmcia pci-v5.17-changes 2022-01-16 08:08:11 +02:00
perf Rework of the MSI interrupt infrastructure: 2022-01-13 09:05:29 -08:00
phy phy: dphy: Correct clk_pre parameter 2022-02-02 10:33:04 +05:30
pinctrl pinctrl: sunxi: Use unique lockdep classes for IRQs 2022-02-28 23:53:19 +01:00
platform surface: surface3_power: Fix battery readings on batteries without a serial number 2022-02-24 13:48:39 +01:00
pnp proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
power power: supply: bq256xx: Handle OOM correctly 2022-02-11 21:19:51 +01:00
powercap Merge back earlier power capping changes for v5.17 2021-12-27 16:51:12 +01:00
pps
ps3
ptp ptp: ocp: Add ptp_ocp_adjtime_coarse for large adjustments 2022-03-02 09:51:21 -08:00
pwm pwm: Changes for v5.17-rc1 2022-01-20 13:25:01 +02:00
rapidio rapidio: remove not used code about RIO_VID_TUNDRA 2021-12-21 10:22:19 +01:00
ras
regulator regulator: da9121: Remove surplus DA9141 parameters 2022-02-22 11:56:29 +00:00
remoteproc remoteproc: qcom: q6v5: fix service routines build errors 2022-01-17 16:44:26 -06:00
reset SoC: Add support for StarFive JH7100 RISC-V SoC 2022-01-10 08:32:37 -08:00
rpmsg rpmsg fixes for v5.17-rc1 2022-01-27 11:23:26 +02:00
rtc rtc: sunplus: fix return value in sp_rtc_probe() 2022-01-16 23:50:34 +01:00
s390 s390/cio: verify the driver availability for path_event call 2022-02-09 22:55:01 +01:00
sbus
scsi xen/scsifront: don't use gnttab_query_foreign_access() for mapped status 2022-03-07 09:48:54 +01:00
sh
siox
slimbus
soc ARM: SoC fixes for v5.17, part 2 2022-02-28 12:51:14 -08:00
soundwire Char/Misc and other driver changes for 5.17-rc1 2022-01-14 16:02:28 +01:00
spi spi: Fixes for v5.17 2022-02-25 12:37:41 -08:00
spmi spmi: spmi-pmic-arb: fix irq_set_type race condition 2021-12-17 17:18:18 +01:00
ssb
staging staging: fbtft: fb_st7789v: reset display before initialization 2022-02-15 17:14:22 +01:00
target scsi: target: iscsi: Make sure the np under each tpg is unique 2022-01-24 23:30:24 -05:00
tc
tee OP-TEE fix error return code in probe functions 2022-02-18 17:30:01 +01:00
thermal thermal: core: Fix TZ_GET_TRIP NULL pointer dereference 2022-03-01 16:11:38 +01:00
thunderbolt thunderbolt: Add module parameter for CLx disabling 2021-12-28 10:43:56 +03:00
tty TTY/Serial driver fixes for 5.17-rc6 2022-02-25 11:45:29 -08:00
uio UIO: use default_groups in kobj_type 2021-12-29 10:54:50 +01:00
usb xen/usb: don't use gnttab_end_foreign_access() in xenhcd_gnttab_done() 2022-03-07 09:48:55 +01:00
vdpa virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
vfio VFIO updates for v5.17-rc1 2022-01-20 13:31:46 +02:00
vhost vhost/vsock: don't check owner in vhost_vsock_stop() while releasing 2022-02-23 12:32:33 +00:00
video * drm/panel: simple: Fix assignments from panel_dpi_probe() 2022-02-11 12:06:15 +10:00
virt bitmap patches for 5.17-rc1 2022-01-23 06:20:44 +02:00
virtio vdpa: Allow to configure max data virtqueues 2022-01-14 18:50:53 -05:00
visorbus
vlynq
vme
w1 w1: w1_therm: use swap() to make code cleaner 2021-12-21 10:38:13 +01:00
watchdog linux-watchdog 5.17-rc1 tag 2022-01-17 08:07:57 +02:00
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-07 09:48:55 +01:00
zorro proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
Kconfig
Makefile