This is a note to let you know that I've just added the patch titled xen/blkfront: fix leaking data in shared pages to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xen-blkfront-fix-leaking-data-in-shared-pages.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue Jul 5 01:07:18 PM CEST 2022 From: Roger Pau Monne <roger.pau@xxxxxxxxxx> Date: Wed, 30 Mar 2022 09:03:48 +0200 Subject: xen/blkfront: fix leaking data in shared pages From: Roger Pau Monne <roger.pau@xxxxxxxxxx> commit 2f446ffe9d737e9a844b97887919c4fda18246e7 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Juergen Gross <jgross@xxxxxxxx> Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/block/xen-blkfront.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -297,7 +297,7 @@ static int fill_grant_buffer(struct blkf goto out_of_memory; if (info->feature_persistent) { - granted_page = alloc_page(GFP_NOIO); + granted_page = alloc_page(GFP_NOIO | __GFP_ZERO); if (!granted_page) { kfree(gnt_list_entry); goto out_of_memory; 
@@ -1729,7 +1729,7 @@ static int setup_blkring(struct xenbus_d for (i = 0; i < info->nr_ring_pages; i++) rinfo->ring_ref[i] = GRANT_INVALID_REF; - sring = alloc_pages_exact(ring_size, GFP_NOIO); + sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO); if (!sring) { xenbus_dev_fatal(dev, -ENOMEM, "allocating shared ring"); return -ENOMEM; @@ -2311,7 +2311,8 @@ static int blkfront_setup_indirect(struc BUG_ON(!list_empty(&rinfo->indirect_pages)); for (i = 0; i < num; i++) { - struct page *indirect_page = alloc_page(GFP_NOIO); + struct page *indirect_page = alloc_page(GFP_NOIO | + __GFP_ZERO); if (!indirect_page) goto out_of_memory; list_add(&indirect_page->lru, &rinfo->indirect_pages); Patches currently in stable-queue which might be from roger.pau@xxxxxxxxxx are queue-4.9/xen-netfront-fix-leaking-data-in-shared-pages.patch queue-4.9/xen-blkfront-force-data-bouncing-when-backend-is-untrusted.patch queue-4.9/xen-blkfront-fix-leaking-data-in-shared-pages.patch queue-4.9/xen-netfront-force-data-bouncing-when-backend-is-untrusted.patch
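Review bot: The zeroing in the fill_grant_buffer() hunk covers only the `if (info->feature_persistent)` branch, and the lines shown do not say where the pages for the other case come from. Since the commit message says shared pages are always zeroed, please confirm that the other path draws only from an allocation that also passes __GFP_ZERO, and note that in a short comment at this branch.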
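Review bot: The setup_blkring() hunk leaves the reason for __GFP_ZERO undocumented in the code; it is stated only in the commit message. A one-line comment above `sring = alloc_pages_exact(ring_size, GFP_NOIO | __GFP_ZERO);` saying that the ring is shared with the backend and must not carry stale data would keep the flag from being dropped later as a redundant initialisation.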
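Review bot: Style point in the blkfront_setup_indirect() hunk: the declaration now wraps in the middle of the flags expression (`alloc_page(GFP_NOIO |` continued by `__GFP_ZERO);`), unlike the single-line form used in fill_grant_buffer(). Splitting the declaration from the assignment, for example `struct page *indirect_page;` followed by `indirect_page = alloc_page(GFP_NOIO | __GFP_ZERO);`, keeps the flags on one line and makes the zeroing easier to find when auditing the allocations.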