diff --git a/patches.xen/xsa229.patch b/patches.xen/xsa229.patch deleted file mode 100644 index 4fa8962..0000000 --- a/patches.xen/xsa229.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 84882133e793299f685991e20a9631acfd0a5608 Mon Sep 17 00:00:00 2001 -From: Roger Pau Monne -Date: Tue, 18 Jul 2017 15:01:00 +0100 -Subject: xen: fix bio vec merging -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The current test for bio vec merging is not fully accurate and can be -tricked into merging bios when certain grant combinations are used. -The result of these malicious bio merges is a bio that extends past -the memory page used by any of the originating bios. - -Take into account the following scenario, where a guest creates two -grant references that point to the same mfn, ie: grant 1 -> mfn A, -grant 2 -> mfn A. - -These references are then used in a PV block request, and mapped by -the backend domain, thus obtaining two different pfns that point to -the same mfn, pfn B -> mfn A, pfn C -> mfn A. - -If those grants happen to be used in two consecutive sectors of a disk -IO operation becoming two different bios in the backend domain, the -checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2 -(they both point to the same mfn). However due to the bio merging, -the backend domain will end up with a bio that expands past mfn A into -mfn A + 1. - -Fix this by making sure the check in xen_biovec_phys_mergeable takes -into account the offset and the length of the bio, this basically -replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus -addresses). While there also remove the usage of -__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers -of xen_biovec_phys_mergeable. - -Signed-off-by: Roger Pau Monné -Reviewed-by: Juergen Gross ---- - drivers/xen/biomerge.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/xen/biomerge.c b/drivers/xen/biomerge.c -index 4da69dbf7dca..1bdd02a6d6ac 100644 ---- a/drivers/xen/biomerge.c -+++ b/drivers/xen/biomerge.c -@@ -10,8 +10,7 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1, - unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page)); - unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page)); - -- return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) && -- ((bfn1 == bfn2) || ((bfn1+1) == bfn2)); -+ return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2; - #else - /* - * XXX: Add support for merging bio_vec when using different page --- -2.11.0 (Apple Git-81) - diff --git a/series.conf b/series.conf index 9e4c1ab..0950b46 100644 --- a/series.conf +++ b/series.conf @@ -19,7 +19,6 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to- patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch -patches.xen/xsa229.patch # MSI-X enabled device passthrough fix (#1734) patches.xen/pci_op-cleanup.patch