git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit

author	Juergen Gross <jgross@suse.com>
	Fri, 25 Feb 2022 15:05:42 +0000 (16:05 +0100)
committer	Stefan Bader <stefan.bader@canonical.com>
	Fri, 20 May 2022 13:17:39 +0000 (15:17 +0200)
commit	5f225a97ab9ba48054ad2f74099733ab4fc9d89b
tree	3379ce1446dd38d03401dcff4e35f81c7eac5679	tree
parent	788cf0a706ebd5f1999ddaad4fc28f0fdab9cbd5	commit \| diff

xen/9p: use alloc/free_pages_exact()

BugLink: https://bugs.launchpad.net/bugs/1969242
Commit 5cadd4bb1d7fc9ab201ac14620d1a478357e4ebd upstream.

Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
and free_pages_exact(). This is in preparation of a change of
gnttab_end_foreign_access() which will prohibit use of high-order
pages.

By using the local variable "order" instead of ring->intf->ring_order
in the error path of xen_9pfs_front_alloc_dataring() another bug is
fixed, as the error path can be entered before ring->intf->ring_order
is being set.

By using alloc_pages_exact() the size in bytes is specified for the
allocation, which fixes another bug for the case of
order < (PAGE_SHIFT - XEN_PAGE_SHIFT).

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>