
[xen stable-4.21] xen/gnttab: Fix TOCTOU race in gnttab_set_version()



commit 04db4dc2a2ce05063b872eb3cf95c2401c44a9f0
Author:     Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
AuthorDate: Wed Jun 3 11:37:15 2026 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Jun 3 11:37:15 2026 +0200

    xen/gnttab: Fix TOCTOU race in gnttab_set_version()
    
    Move first read of gt->gt_version inside the critical region of the
    rwlock, otherwise concurrent gnttab operations (silly as they would be)
    may get mutually confused as to the actual current version.
    
    Fixes: c1488502c949("grant-tables: do not fail attempts to...")
    Reported-by: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
    Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: c0e548d9206b3a281f9d30a2670be543fb383223
    master date: 2026-05-22 13:32:44 +0200
---
 xen/common/grant_table.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index f9e4bffdb1..5e09027821 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3185,11 +3185,12 @@ 
gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop)
     if ( op.version == 2 && gt->max_version == 1 )
         goto out; /* Behave as before set_version was introduced. */
 
+    grant_write_lock(gt);
+
     res = 0;
     if ( gt->gt_version == op.version )
-        goto out;
+        goto out_unlock;
 
-    grant_write_lock(gt);
     /*
      * Make sure that the grant table isn't currently in use when we
      * change the version number, except for the first 8 entries which
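Review bot: the `gt->max_version == 1` check in the context lines at the top of this hunk still runs before `grant_write_lock(gt)` and leaves through `goto out`, so it is the one remaining read of grant table state outside the critical region here. If `max_version` cannot change after the table is set up, that is fine, but a one-line comment saying so would keep it from looking like the same pattern this commit fixes. Separately, `out_unlock` is not defined in the visible lines and the diffstat (3 insertions, 2 deletions) leaves no room for a new label, so please confirm that the existing label drops the write lock and returns with `res` still 0 for the same-version case.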
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.21



 

