[PATCH][H/G/F/X] xen-blkback: don't leak persistent grants from xen_blkbk_map()
Tim Gardner
tim.gardner at canonical.com
Thu Apr 1 16:08:44 UTC 2021
From: Jan Beulich <jbeulich at suse.com>
CVE-2021-28688
The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries.
Ones successfully obtained should not be overwritten, but instead left
for xen_blkbk_unmap_prepare() to pick up and put.
This is XSA-371.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Cc: stable at vger.kernel.org
Reviewed-by: Juergen Gross <jgross at suse.com>
Reviewed-by: Wei Liu <wl at xen.org>
Signed-off-by: Juergen Gross <jgross at suse.com>
(cherry picked from commit a846738f8c3788d846ed1f587270d2f2e3d32432)
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
drivers/block/xen-blkback/blkback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index da16121140ca..3874233f7194 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -891,7 +891,7 @@ static int xen_blkbk_map(struct xen_blkif_ring *ring,
out:
for (i = last_map; i < num; i++) {
/* Don't zap current batch's valid persistent grants. */
- if(i >= last_map + segs_to_map)
+ if(i >= map_until)
pages[i]->persistent_gnt = NULL;
pages[i]->handle = BLKBACK_INVALID_HANDLE;
}
--
2.17.1
More information about the kernel-team
mailing list