xen/gntalloc: don't use gnttab_query_foreign_access()
authorJuergen Gross <jgross@suse.com>
Mon, 7 Mar 2022 08:48:54 +0000 (09:48 +0100)
committerJuergen Gross <jgross@suse.com>
Mon, 7 Mar 2022 08:48:54 +0000 (09:48 +0100)
commitd3b6372c5881cb54925212abb62c521df8ba4809
tree64508a5ae14aa53f7e792ff7f42cbfe52c7244a2
parent33172ab50a53578a95691310f49567c9266968b0
xen/gntalloc: don't use gnttab_query_foreign_access()

Using gnttab_query_foreign_access() is unsafe, as it is racy by design.

The use case in the gntalloc driver is not needed at all. While at it
replace the call of gnttab_end_foreign_access_ref() with a call of
gnttab_end_foreign_access(), which is what is really wanted there. In
case the grant wasn't used due to an allocation failure, just free the
grant via gnttab_free_grant_reference().

This is CVE-2022-23039 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
V3:
- fix __del_gref() (Jan Beulich)
drivers/xen/gntalloc.c