From: annie li <annie.li@oracle.com>
To: David Vrabel <david.vrabel@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>,
ian.campbell@citrix.com, netdev@vger.kernel.org,
xen-devel@lists.xen.org, andrew.bennieston@citrix.com,
davem@davemloft.net
Subject: Re: [Xen-devel] [PATCH net-next v2] xen-netfront: clean up code in xennet_release_rx_bufs
Date: Mon, 20 Jan 2014 10:33:29 +0800 [thread overview]
Message-ID: <52DC8AF9.3040807@oracle.com> (raw)
In-Reply-To: <52D96D73.1030803@citrix.com>
On 2014/1/18 1:50, David Vrabel wrote:
> On 17/01/14 15:43, annie li wrote:
>> No, I am trying to implement 2 patches.
> I don't understand the need for two patches here, particularly when
> the first patch introduces a security issue.
This is basically connected with personal taste. I am thinking that my
original patch is removing unnecessary code for grant transfer and then
keep rx release consistent with tx path, the security issue you
mentioned exist in current tx too. The second one is to change
gnttab_end_foreign_access and netfront tx/rx, blkfront, etc. But if you
like to merge them together, I can do that.
Thanks
Annie
> You can fold the following
> (untested) patch into your v2 patch and give it a try?
>
> Thanks.
>
> David
>
> 8<----------------------
> xen-netfront: prevent unsafe reuse of rx buf pages after uninit
>
> ---
> drivers/net/xen-netfront.c | 21 +++++++++++++++++----
> 1 files changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index 692589e..47aa599 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -1134,19 +1134,32 @@ static void xennet_release_tx_bufs(struct netfront_info *np)
>
> static void xennet_release_rx_bufs(struct netfront_info *np)
> {
> - struct sk_buff *skb;
> int id, ref;
>
> spin_lock_bh(&np->rx_lock);
>
> for (id = 0; id < NET_RX_RING_SIZE; id++) {
> + struct sk_buff *skb;
> + skb_frag_t *frag;
> + const struct page *page;
> +
> + skb = np->rx_skbs[id];
> + if (!skb)
> + continue;
> +
> ref = np->grant_rx_ref[id];
> if (ref == GRANT_INVALID_REF)
> continue;
>
> - skb = np->rx_skbs[id];
> - gnttab_end_foreign_access_ref(ref, 0);
> - gnttab_release_grant_reference(&np->gref_rx_head, ref);
> + frag = &skb_shinfo(skb)->frags[0];
> + page = skb_frag_page(frag);
> +
> + /* gnttab_end_foreign_access() needs a page ref until
> + * foreign access is ended (which may be deferred).
> + */
> + get_page(page);
> +
> + gnttab_end_foreign_access(ref, 0, page);
> np->grant_rx_ref[id] = GRANT_INVALID_REF;
>
> kfree_skb(skb);
next prev parent reply other threads:[~2014-01-20 2:33 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 23:57 [Xen-devel][PATCH net-next v2] xen-netfront: clean up code in xennet_release_rx_bufs Annie Li
2014-01-16 11:10 ` David Vrabel
2014-01-16 13:42 ` annie li
2014-01-17 1:25 ` David Miller
2014-01-17 6:25 ` [Xen-devel] [PATCH " annie li
2014-01-17 6:58 ` annie li
2014-01-17 12:08 ` Wei Liu
2014-01-17 12:32 ` annie li
2014-01-17 14:02 ` Wei Liu
2014-01-17 15:43 ` annie li
2014-01-17 17:50 ` David Vrabel
2014-01-20 2:33 ` annie li [this message]
2014-01-17 15:40 ` David Vrabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52DC8AF9.3040807@oracle.com \
--to=annie.li@oracle.com \
--cc=andrew.bennieston@citrix.com \
--cc=davem@davemloft.net \
--cc=david.vrabel@citrix.com \
--cc=ian.campbell@citrix.com \
--cc=netdev@vger.kernel.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).