[for-4.22 PATCH] xen/gnttab: Fix TOCTOU race in gnttab_set_version()
- To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
- Date: Fri, 22 May 2026 12:57:06 +0200
- Cc: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
- Delivery-date: Fri, 22 May 2026 10:57:43 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Move first read of gt->gt_version inside the critical region of the
rwlock, otherwise concurrent gnttab operations (silly as they would be)
may get mutually confused as to the actual current version.
Fixes: c1488502c949 ("grant-tables: do not fail attempts to...")
Reported-by: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
---
This is far from a problem in practice, because kernels invoke this once and
then are done. Still, correctness mandates correctness.
There are a number of lockless reads of gt_version (e.g.: right after unlock),
but they aren't very worrying because they are effectively snapshots of the
instantaneous version. I'd feel better if they were all atomic_read(), but all
Xen ports guarantee atomic access on aligned 4 octet fields, so I couldn't be
bothered to go chase them.
---
xen/common/grant_table.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 2dda1abd3f..ac9fed6001 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3184,11 +3184,12 @@
gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop)
if ( op.version == 2 && gt->max_version == 1 )
goto out; /* Behave as before set_version was introduced. */
+ grant_write_lock(gt);
+
res = 0;
if ( gt->gt_version == op.version )
- goto out;
+ goto out_unlock;
- grant_write_lock(gt);
/*
* Make sure that the grant table isn't currently in use when we
* change the version number, except for the first 8 entries which
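Review bot: the new `goto out_unlock;` targets a label that does not appear in the hunk; the diffstat (3 insertions, 2 deletions) shows no label is added, so `out_unlock:` must already exist further down and must drop the write lock before reaching `out`, otherwise the early-exit path now leaves the rwlock held. Worth stating in the commit message that the label is pre-existing. Also note the `op.version == 2 && gt->max_version == 1` check just above still reads `gt->max_version` outside the lock; that is fine only if `max_version` is fixed after domain creation, and a one-line comment saying so would stop the next reader from asking the same question the commit message answers for `gt_version`.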
base-commit: aaa34f23ac65b75c94d069e407a2698602f18d56
--
2.43.0