|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging-4.12] passthrough/x86: stop pirq iteration immediately in case of error
commit 71e9d0c94dd710bf26adf115ee0a2dbee30bb8c1
Author: Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Tue Jan 25 14:47:33 2022 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 25 14:47:33 2022 +0100
passthrough/x86: stop pirq iteration immediately in case of error
pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer
loop will bail out if 'rc' is non-zero but the inner loop will continue.
This means 'rc' will get clobbered and we may miss any errors (such as
-ERESTART in the case of the callback pci_clean_dpci_irq()).
This is CVE-2022-23035 / XSA-395.
Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree")
Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq")
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
master commit: 9480a1a519cf016623f657dc544cb372a82b5708
master date: 2022-01-25 13:27:02 +0100
---
xen/drivers/passthrough/io.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xen/drivers/passthrough/io.c b/xen/drivers/passthrough/io.c
index 4290c7c710..d613d1e049 100644
--- a/xen/drivers/passthrough/io.c
+++ b/xen/drivers/passthrough/io.c
@@ -803,7 +803,11 @@ int pt_pirq_iterate(struct domain *d,
pirq = pirqs[i]->pirq;
if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) )
+ {
rc = cb(d, pirq_dpci, arg);
+ if ( rc )
+ break;
+ }
}
} while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) );
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.12
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |