This is a note to let you know that I've just added the patch titled tty: hvc: replace BUG_ON() with negative return value to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: tty-hvc-replace-bug_on-with-negative-return-value.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e679004dec37566f658a255157d3aed9d762a2b7 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@xxxxxxxx> Date: Wed, 7 Jul 2021 11:10:45 +0200 Subject: tty: hvc: replace BUG_ON() with negative return value From: Juergen Gross <jgross@xxxxxxxx> commit e679004dec37566f658a255157d3aed9d762a2b7 upstream. Xen frontends shouldn't BUG() in case of illegal data received from their backends. So replace the BUG_ON()s when reading illegal data from the ring page with negative return values. Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Link: https://lore.kernel.org/r/20210707091045.460-1-jgross@xxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/tty/hvc/hvc_xen.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/drivers/tty/hvc/hvc_xen.c +++ b/drivers/tty/hvc/hvc_xen.c @@ -86,7 +86,11 @@ static int __write_console(struct xencon cons = intf->out_cons; prod = intf->out_prod; mb(); /* update queue values before going on */ - BUG_ON((prod - cons) > sizeof(intf->out)); + + if ((prod - cons) > sizeof(intf->out)) { + pr_err_once("xencons: Illegal ring page indices"); + return -EINVAL; + } while ((sent < len) && ((prod - cons) < sizeof(intf->out))) intf->out[MASK_XENCONS_IDX(prod++, intf->out)] = data[sent++]; @@ -114,7 +118,10 @@ static int domU_write_console(uint32_t v */ while (len) { int sent = __write_console(cons, data, len); - + + if (sent < 0) + return sent; + data += sent; len -= sent; @@ -138,7 +145,11 @@ static int domU_read_console(uint32_t vt cons = intf->in_cons; prod = intf->in_prod; mb(); /* get pointers before reading ring */ - BUG_ON((prod - cons) > sizeof(intf->in)); + + if ((prod - cons) > sizeof(intf->in)) { + pr_err_once("xencons: Illegal ring page indices"); + return -EINVAL; + } while (cons != prod && recv < len) buf[recv++] = intf->in[MASK_XENCONS_IDX(cons++, intf->in)]; Patches currently in stable-queue which might be from jgross@xxxxxxxx are queue-5.10/xen-blkfront-read-response-from-backend-only-once.patch queue-5.10/tty-hvc-replace-bug_on-with-negative-return-value.patch queue-5.10/xen-blkfront-don-t-trust-the-backend-response-data-blindly.patch queue-5.10/xen-sync-include-xen-interface-io-ring.h-with-xen-s-newest-version.patch queue-5.10/xen-blkfront-don-t-take-local-copy-of-a-request-from-the-ring-page.patch queue-5.10/xen-detect-uninitialized-xenbus-in-xenbus_init.patch queue-5.10/xen-netfront-don-t-read-data-from-request-on-the-ring-page.patch queue-5.10/xen-netfront-disentangle-tx_skb_freelist.patch queue-5.10/xen-netfront-read-response-from-backend-only-once.patch queue-5.10/xen-netfront-don-t-trust-the-backend-response-data-blindly.patch