From: Stefano Stabellini Date: Mon, 13 Aug 2018 16:25:51 +0000 (+0100) Subject: ARM: disable grant table v2 X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~15 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fa79f9e762be390b56218437ed317a695a03a5e7;p=xen.git ARM: disable grant table v2 It was never expected to work, the implementation is incomplete. As a side effect, it also prevents guests from triggering a "BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames(). This is XSA-268. Signed-off-by: Stefano Stabellini Acked-by: Jan Beulich (cherry picked from commit 9a5c16a3e75778c8a094ca87784d93b74676f46c) --- diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 3b710b71fb..e5e7fdc405 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -936,6 +936,8 @@ version are 1 and 2. use of grant table v2 without transitive grants is an ABI breakage from the guests point of view. +The usage of gnttab v2 is not security supported on ARM platforms. + ### gnttab\_max\_frames > `= ` diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index c757b7f6f5..231ecf509a 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -97,7 +97,11 @@ static unsigned int __read_mostly max_maptrack_frames = DEFAULT_MAX_MAPTRACK_FRAMES; integer_runtime_param("gnttab_max_maptrack_frames", max_maptrack_frames); -static unsigned int __read_mostly opt_gnttab_max_version = 2; +#ifndef GNTTAB_MAX_VERSION +#define GNTTAB_MAX_VERSION 2 +#endif + +static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION; static bool __read_mostly opt_transitive_grants = true; static int __init parse_gnttab(const char *s) diff --git a/xen/include/asm-arm/grant_table.h b/xen/include/asm-arm/grant_table.h index e52936c79f..24958e4670 100644 --- a/xen/include/asm-arm/grant_table.h +++ b/xen/include/asm-arm/grant_table.h 
@@ -7,6 +7,7 @@ #include #define INITIAL_NR_GRANT_FRAMES 1U +#define GNTTAB_MAX_VERSION 1 struct grant_table_arch { gfn_t *shared_gfn;
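Review bot: in docs/misc/xen-command-line.markdown, the added sentence says gnttab v2 is not security supported on ARM but does not say that the default maximum version on ARM becomes 1 with this patch, which is the behavioural change an operator needs to know. Suggest stating both, for example: "On ARM the default maximum version is 1. The usage of gnttab v2 is not security supported on ARM platforms."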
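Review bot: in xen/common/grant_table.c, GNTTAB_MAX_VERSION is only used as the initial value of opt_gnttab_max_version, directly above parse_gnttab(), so the name reads as a hard cap while the visible lines make it a default. If parse_gnttab() can still set the value to 2, the BUG_ON named in the commit message stays reachable on an ARM host booted with that option; either clamp the parsed value to GNTTAB_MAX_VERSION or add a comment saying the macro is a default only. The "#ifndef GNTTAB_MAX_VERSION" fallback also silently yields 2 if the arch header that defines the macro is not included before this point, which deserves a comment naming that header.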
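Review bot: in xen/include/asm-arm/grant_table.h, the new "#define GNTTAB_MAX_VERSION 1" has no comment, so the reason for the ARM-specific value lives only in the commit message. Suggest a one-line comment above it saying that grant table v2 is incomplete on ARM and referring to XSA-268, so a later cleanup does not raise the value back to 2.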