|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()
commit dc8b01affd7f6f36d34c3854f51df0847df3ec0e
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Dec 15 13:42:51 2020 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 13:42:51 2020 +0100
evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()
Besides with add_page_to_event_array() the function also needs to
synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo
and (subsequently) d->evtchn_port_ops.
This is XSA-359 / CVE-2020-29571.
Reported-by: Julien Grall <jgrall@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
---
xen/common/event_fifo.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c
index d508d57219..3310dc00d7 100644
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -55,6 +55,13 @@ static inline event_word_t *evtchn_fifo_word_from_port(const
struct domain *d,
{
unsigned int p, w;
+ /*
+ * Callers aren't required to hold d->event_lock, so we need to synchronize
+ * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/
+ * d->evtchn_fifo.
+ */
+ smp_rmb();
+
if ( unlikely(port >= d->evtchn_fifo->num_evtchns) )
return NULL;
@@ -605,6 +612,10 @@ int evtchn_fifo_init_control(struct evtchn_init_control
*init_control)
if ( rc < 0 )
goto error;
+ /*
+ * This call, as a side effect, synchronizes with
+ * evtchn_fifo_word_from_port().
+ */
rc = map_control_block(v, gfn, offset);
if ( rc < 0 )
goto error;
--
generated by git-patchbot for /home/xen/git/xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |