| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251218154814.28938-1-jgross@suse.com>
Date: Thu, 18 Dec 2025 16:48:14 +0100
From: Juergen Gross <jgross@...e.com>
To: linux-kernel@...r.kernel.org,
v9fs@...ts.linux.dev
Cc: ariadne@...adne.space,
Juergen Gross <jgross@...e.com>,
Eric Van Hensbergen <ericvh@...nel.org>,
Latchesar Ionkov <lucho@...kov.net>,
Dominique Martinet <asmadeus@...ewreck.org>,
Christian Schoenebeck <linux_oss@...debyte.com>
Subject: [PATCH] xen/9pfs: Fix data ring granting
xen_9pfs_front_alloc_dataring() is granting the backend access to the
data ring by using gnttab_grant_foreign_access() for each memory page
of the ring.
Unfortunately the pages passed to gnttab_grant_foreign_access() are
not referenced by the consecutive PFNs, but by GFNs, which might be
not consecutive if the system is running as a PV guest.
Fix that by not using "virt_to_gfn(bytes) + i" as parameter, but
"pfn_to_gfn(virt_to_pfn(bytes) + i)" instead.
Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
Signed-off-by: Juergen Gross <jgross@...e.com>
---
net/9p/trans_xen.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 12f752a92332..a2ab633e78be 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -347,7 +347,8 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
}
for (; i < (1 << order); i++) {
ret = gnttab_grant_foreign_access(
- dev->otherend_id, virt_to_gfn(bytes) + i, 0);
+ dev->otherend_id,
+ pfn_to_gfn(virt_to_pfn(bytes) + i), 0);
if (ret < 0)
goto out;
ring->intf->ref[i] = ret;
--
2.51.0
Powered by blists - more mailing lists