This is a note to let you know that I've just added the patch titled
tty: hvc: replace BUG_ON() with negative return value
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tty-hvc-replace-bug_on-with-negative-return-value.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From e679004dec37566f658a255157d3aed9d762a2b7 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@xxxxxxxx>
Date: Wed, 7 Jul 2021 11:10:45 +0200
Subject: tty: hvc: replace BUG_ON() with negative return value
From: Juergen Gross <jgross@xxxxxxxx>
commit e679004dec37566f658a255157d3aed9d762a2b7 upstream.
Xen frontends shouldn't BUG() in case of illegal data received from
their backends. So replace the BUG_ON()s when reading illegal data from
the ring page with negative return values.
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Link: https://lore.kernel.org/r/20210707091045.460-1-jgross@xxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/tty/hvc/hvc_xen.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/drivers/tty/hvc/hvc_xen.c
+++ b/drivers/tty/hvc/hvc_xen.c
@@ -86,7 +86,11 @@ static int __write_console(struct xencon
cons = intf->out_cons;
prod = intf->out_prod;
mb(); /* update queue values before going on */
- BUG_ON((prod - cons) > sizeof(intf->out));
+
+ if ((prod - cons) > sizeof(intf->out)) {
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
while ((sent < len) && ((prod - cons) < sizeof(intf->out)))
intf->out[MASK_XENCONS_IDX(prod++, intf->out)] = data[sent++];
@@ -114,7 +118,10 @@ static int domU_write_console(uint32_t v
*/
while (len) {
int sent = __write_console(cons, data, len);
-
+
+ if (sent < 0)
+ return sent;
+
data += sent;
len -= sent;
@@ -138,7 +145,11 @@ static int domU_read_console(uint32_t vt
cons = intf->in_cons;
prod = intf->in_prod;
mb(); /* get pointers before reading ring */
- BUG_ON((prod - cons) > sizeof(intf->in));
+
+ if ((prod - cons) > sizeof(intf->in)) {
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
while (cons != prod && recv < len)
buf[recv++] = intf->in[MASK_XENCONS_IDX(cons++, intf->in)];
Patches currently in stable-queue which might be from jgross@xxxxxxxx are
queue-5.10/xen-blkfront-read-response-from-backend-only-once.patch
queue-5.10/tty-hvc-replace-bug_on-with-negative-return-value.patch
queue-5.10/xen-blkfront-don-t-trust-the-backend-response-data-blindly.patch
queue-5.10/xen-sync-include-xen-interface-io-ring.h-with-xen-s-newest-version.patch
queue-5.10/xen-blkfront-don-t-take-local-copy-of-a-request-from-the-ring-page.patch
queue-5.10/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
queue-5.10/xen-netfront-don-t-read-data-from-request-on-the-ring-page.patch
queue-5.10/xen-netfront-disentangle-tx_skb_freelist.patch
queue-5.10/xen-netfront-read-response-from-backend-only-once.patch
queue-5.10/xen-netfront-don-t-trust-the-backend-response-data-blindly.patch
