From owner-dev-commits-src-branches@freebsd.org  Tue Feb 23 00:55:46 2021
Return-Path: <owner-dev-commits-src-branches@freebsd.org>
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id DBBFE555954;
 Tue, 23 Feb 2021 00:55:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Dl0wL5qH3z3M0v;
 Tue, 23 Feb 2021 00:55:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BAC7A7C5E;
 Tue, 23 Feb 2021 00:55:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11N0tkH8089681;
 Tue, 23 Feb 2021 00:55:46 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11N0tkh6089680;
 Tue, 23 Feb 2021 00:55:46 GMT (envelope-from git)
Date: Tue, 23 Feb 2021 00:55:46 GMT
Message-Id: <202102230055.11N0tkh6089680@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: ab3e1bd3c22a - stable/13 - xen-blkback: fix leak of grant maps
 on ring setup failure
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
 <dev-commits-src-branches.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-branches/>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Help: <mailto:dev-commits-src-branches-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2021 00:55:46 -0000

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=ab3e1bd3c22a222520c23c2793cc39e3a23c9b46

commit ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
Author:     Roger Pau Monné <royger@FreeBSD.org>
AuthorDate: 2021-01-20 18:40:51 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2021-02-23 00:55:14 +0000

    xen-blkback: fix leak of grant maps on ring setup failure
    
    Multi page rings are mapped using a single hypercall that gets passed
    an array of grants to map. One of the grants in the array failing to
    map would lead to the failure of the whole ring setup operation, but
    there was no cleanup of the rest of the grant maps in the array that
    could have likely been created as a result of the hypercall.
    
    Add proper cleanup on the failure path during ring setup to unmap any
    grants that could have been created.
    
    This is part of XSA-361.
    
    Sponsored by:   Citrix Systems R&D
    
    (cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45)
---
 sys/dev/xen/blkback/blkback.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/sys/dev/xen/blkback/blkback.c b/sys/dev/xen/blkback/blkback.c
index 762f25302c00..678472cc2ab8 100644
--- a/sys/dev/xen/blkback/blkback.c
+++ b/sys/dev/xen/blkback/blkback.c
@@ -2893,10 +2893,31 @@ xbb_connect_ring(struct xbb_softc *xbb)
 	     ring_idx < xbb->ring_config.ring_pages;
 	     ring_idx++, gnt++) {
 		if (gnt->status != 0) {
+			struct gnttab_unmap_grant_ref unmap[XBB_MAX_RING_PAGES];
+			unsigned int i, j;
+
 			xbb->ring_config.va = 0;
 			xenbus_dev_fatal(xbb->dev, EACCES,
 					 "Ring shared page mapping failed. "
 					 "Status %d.", gnt->status);
+
+			/* Unmap everything to avoid leaking grant table maps */
+			for (i = 0, j = 0; i < xbb->ring_config.ring_pages;
+			    i++) {
+				if (gnts[i].status != GNTST_okay)
+					continue;
+
+				unmap[j].host_addr = gnts[i].host_addr;
+				unmap[j].dev_bus_addr = gnts[i].dev_bus_addr;
+				unmap[j++].handle = gnts[i].handle;
+			}
+			if (j != 0) {
+				error = HYPERVISOR_grant_table_op(
+				    GNTTABOP_unmap_grant_ref, unmap, j);
+				if (error != 0)
+					panic("Unable to unmap grants (%d)",
+					    error);
+			}
 			return (EACCES);
 		}
 		xbb->ring_config.handle[ring_idx]   = gnt->handle;