diff options
| author | Juergen Gross <jgross@suse.com> | 2022-02-25 16:05:42 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-03-11 10:03:32 +0100 |
| commit | 98bdfdf89e987406f4afdc7694cbdbb715383d8e (patch) | |
| tree | 437a371ce3098312e676be49b422d0c2848e2fbd /drivers | |
| parent | 1112bb311ec13e7e6e7045ae4a0b7091bedc6b7a (diff) | |
xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
Commit 33172ab50a53578a95691310f49567c9266968b0 upstream.
It isn't enough to check whether a grant is still being in use by
calling gnttab_query_foreign_access(), as a mapping could be realized
by the other side just after having called that function.
In case the call was done in preparation of revoking a grant it is
better to do so via gnttab_try_end_foreign_access() and check the
success of that operation instead.
This is CVE-2022-23038 / part of XSA-396.
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/scsi/xen-scsifront.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/scsi/xen-scsifront.c b/drivers/scsi/xen-scsifront.c index e1b32ed0aa20..bdfe94c023dc 100644 --- a/drivers/scsi/xen-scsifront.c +++ b/drivers/scsi/xen-scsifront.c @@ -210,12 +210,11 @@ static void scsifront_gnttab_done(struct vscsifrnt_info *info, uint32_t id) return; for (i = 0; i < s->nr_grants; i++) { - if (unlikely(gnttab_query_foreign_access(s->gref[i]) != 0)) { + if (unlikely(!gnttab_try_end_foreign_access(s->gref[i]))) { shost_printk(KERN_ALERT, info->host, KBUILD_MODNAME "grant still in use by backend\n"); BUG(); } - gnttab_end_foreign_access(s->gref[i], 0, 0UL); } kfree(s->sg); |