From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Juergen Gross <jgross@suse.com>,
Jan Beulich <jbeulich@suse.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 89/92] xen/netfront: dont read data from request on the ring page
Date: Mon, 29 Nov 2021 19:18:58 +0100 [thread overview]
Message-ID: <20211129181710.361267274@linuxfoundation.org> (raw)
In-Reply-To: <20211129181707.392764191@linuxfoundation.org>
From: Juergen Gross <jgross@suse.com>
commit 162081ec33c2686afa29d91bf8d302824aa846c7 upstream.
In order to avoid a malicious backend being able to influence the local
processing of a request build the request locally first and then copy
it to the ring page. Any reading from the request influencing the
processing in the frontend needs to be done on the local instance.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/xen-netfront.c | 78 ++++++++++++++++++++-------------------------
1 file changed, 36 insertions(+), 42 deletions(-)
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -423,7 +423,8 @@ struct xennet_gnttab_make_txreq {
struct netfront_queue *queue;
struct sk_buff *skb;
struct page *page;
- struct xen_netif_tx_request *tx; /* Last request */
+ struct xen_netif_tx_request *tx; /* Last request on ring page */
+ struct xen_netif_tx_request tx_local; /* Last request local copy*/
unsigned int size;
};
@@ -451,30 +452,27 @@ static void xennet_tx_setup_grant(unsign
queue->grant_tx_page[id] = page;
queue->grant_tx_ref[id] = ref;
- tx->id = id;
- tx->gref = ref;
- tx->offset = offset;
- tx->size = len;
- tx->flags = 0;
+ info->tx_local.id = id;
+ info->tx_local.gref = ref;
+ info->tx_local.offset = offset;
+ info->tx_local.size = len;
+ info->tx_local.flags = 0;
+
+ *tx = info->tx_local;
info->tx = tx;
- info->size += tx->size;
+ info->size += info->tx_local.size;
}
static struct xen_netif_tx_request *xennet_make_first_txreq(
- struct netfront_queue *queue, struct sk_buff *skb,
- struct page *page, unsigned int offset, unsigned int len)
+ struct xennet_gnttab_make_txreq *info,
+ unsigned int offset, unsigned int len)
{
- struct xennet_gnttab_make_txreq info = {
- .queue = queue,
- .skb = skb,
- .page = page,
- .size = 0,
- };
+ info->size = 0;
- gnttab_for_one_grant(page, offset, len, xennet_tx_setup_grant, &info);
+ gnttab_for_one_grant(info->page, offset, len, xennet_tx_setup_grant, info);
- return info.tx;
+ return info->tx;
}
static void xennet_make_one_txreq(unsigned long gfn, unsigned int offset,
@@ -487,35 +485,27 @@ static void xennet_make_one_txreq(unsign
xennet_tx_setup_grant(gfn, offset, len, data);
}
-static struct xen_netif_tx_request *xennet_make_txreqs(
- struct netfront_queue *queue, struct xen_netif_tx_request *tx,
- struct sk_buff *skb, struct page *page,
+static void xennet_make_txreqs(
+ struct xennet_gnttab_make_txreq *info,
+ struct page *page,
unsigned int offset, unsigned int len)
{
- struct xennet_gnttab_make_txreq info = {
- .queue = queue,
- .skb = skb,
- .tx = tx,
- };
-
/* Skip unused frames from start of page */
page += offset >> PAGE_SHIFT;
offset &= ~PAGE_MASK;
while (len) {
- info.page = page;
- info.size = 0;
+ info->page = page;
+ info->size = 0;
gnttab_foreach_grant_in_range(page, offset, len,
xennet_make_one_txreq,
- &info);
+ info);
page++;
offset = 0;
- len -= info.size;
+ len -= info->size;
}
-
- return info.tx;
}
/*
@@ -568,7 +558,7 @@ static netdev_tx_t xennet_start_xmit(str
{
struct netfront_info *np = netdev_priv(dev);
struct netfront_stats *tx_stats = this_cpu_ptr(np->tx_stats);
- struct xen_netif_tx_request *tx, *first_tx;
+ struct xen_netif_tx_request *first_tx;
unsigned int i;
int notify;
int slots;
@@ -577,6 +567,7 @@ static netdev_tx_t xennet_start_xmit(str
unsigned int len;
unsigned long flags;
struct netfront_queue *queue = NULL;
+ struct xennet_gnttab_make_txreq info = { };
unsigned int num_queues = dev->real_num_tx_queues;
u16 queue_index;
struct sk_buff *nskb;
@@ -634,21 +625,24 @@ static netdev_tx_t xennet_start_xmit(str
}
/* First request for the linear area. */
- first_tx = tx = xennet_make_first_txreq(queue, skb,
- page, offset, len);
- offset += tx->size;
+ info.queue = queue;
+ info.skb = skb;
+ info.page = page;
+ first_tx = xennet_make_first_txreq(&info, offset, len);
+ offset += info.tx_local.size;
if (offset == PAGE_SIZE) {
page++;
offset = 0;
}
- len -= tx->size;
+ len -= info.tx_local.size;
if (skb->ip_summed == CHECKSUM_PARTIAL)
/* local packet? */
- tx->flags |= XEN_NETTXF_csum_blank | XEN_NETTXF_data_validated;
+ first_tx->flags |= XEN_NETTXF_csum_blank |
+ XEN_NETTXF_data_validated;
else if (skb->ip_summed == CHECKSUM_UNNECESSARY)
/* remote but checksummed. */
- tx->flags |= XEN_NETTXF_data_validated;
+ first_tx->flags |= XEN_NETTXF_data_validated;
/* Optional extra info after the first request. */
if (skb_shinfo(skb)->gso_size) {
@@ -657,7 +651,7 @@ static netdev_tx_t xennet_start_xmit(str
gso = (struct xen_netif_extra_info *)
RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++);
- tx->flags |= XEN_NETTXF_extra_info;
+ first_tx->flags |= XEN_NETTXF_extra_info;
gso->u.gso.size = skb_shinfo(skb)->gso_size;
gso->u.gso.type = (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) ?
@@ -671,12 +665,12 @@ static netdev_tx_t xennet_start_xmit(str
}
/* Requests for the rest of the linear area. */
- tx = xennet_make_txreqs(queue, tx, skb, page, offset, len);
+ xennet_make_txreqs(&info, page, offset, len);
/* Requests for all the frags. */
for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
- tx = xennet_make_txreqs(queue, tx, skb, skb_frag_page(frag),
+ xennet_make_txreqs(&info, skb_frag_page(frag),
skb_frag_off(frag),
skb_frag_size(frag));
}
next prev parent reply other threads:[~2021-11-29 22:43 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-29 18:17 [PATCH 5.4 00/92] 5.4.163-rc1 review Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 01/92] USB: serial: option: add Telit LE910S1 0x9200 composition Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 02/92] USB: serial: option: add Fibocom FM101-GL variants Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 03/92] usb: dwc2: gadget: Fix ISOC flow for elapsed frames Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 04/92] usb: dwc2: hcd_queue: Fix use of floating point literal Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 05/92] net: nexthop: fix null pointer dereference when IPv6 is not enabled Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 06/92] usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 07/92] usb: hub: Fix usb enumeration issue due to address0 race Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 08/92] usb: hub: Fix locking issues with address0_mutex Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 09/92] binder: fix test regression due to sender_euid change Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 10/92] ALSA: ctxfi: Fix out-of-range access Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 11/92] media: cec: copy sequence field for the reply Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 12/92] Revert "parisc: Fix backtrace to always include init funtion names" Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 13/92] HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 14/92] staging/fbtft: Fix backlight Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 15/92] staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 16/92] xen: dont continue xenstore initialization in case of errors Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 17/92] xen: detect uninitialized xenbus in xenbus_init Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 18/92] KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 19/92] tracing/uprobe: Fix uprobe_perf_open probes iteration Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 20/92] tracing: Fix pid filtering when triggers are attached Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 21/92] mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 22/92] mdio: aspeed: Fix "Link is Down" issue Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 23/92] PCI: aardvark: Deduplicate code in advk_pcie_rd_conf() Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 24/92] PCI: aardvark: Wait for endpoint to be ready before training link Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 25/92] PCI: aardvark: Fix big endian support Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 26/92] PCI: aardvark: Train link immediately after enabling training Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 27/92] PCI: aardvark: Improve link training Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 28/92] PCI: aardvark: Issue PERST via GPIO Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 29/92] PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 30/92] PCI: aardvark: Dont touch PCIe registers if no card connected Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 31/92] PCI: aardvark: Fix compilation on s390 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 32/92] PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 33/92] PCI: aardvark: Update comment about disabling link training Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 34/92] PCI: pci-bridge-emul: Fix array overruns, improve safety Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 35/92] PCI: aardvark: Configure PCIe resources from ranges DT property Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 36/92] PCI: aardvark: Fix PCIe Max Payload Size setting Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 37/92] PCI: aardvark: Implement re-issuing config requests on CRS response Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 38/92] PCI: aardvark: Simplify initialization of rootcap on virtual bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 39/92] PCI: aardvark: Fix link training Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 40/92] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 41/92] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 42/92] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 43/92] pinctrl: armada-37xx: Correct PWM pins definitions Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 44/92] arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 45/92] proc/vmcore: fix clearing user buffer by properly using clear_user() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 46/92] netfilter: ipvs: Fix reuse connection if RS weight is 0 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 47/92] ARM: dts: BCM5301X: Fix I2C controller interrupt Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 48/92] ARM: dts: BCM5301X: Add interrupt properties to GPIO node Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 49/92] ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 50/92] ASoC: topology: Add missing rwsem around snd_ctl_remove() calls Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 51/92] net: ieee802154: handle iftypes as u32 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 52/92] firmware: arm_scmi: pm: Propagate return value to caller Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 53/92] NFSv42: Dont fail clone() unless the OP_CLONE operation failed Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 54/92] ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 55/92] scsi: mpt3sas: Fix kernel panic during drive powercycle test Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 56/92] drm/vc4: fix error code in vc4_create_object() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 57/92] iavf: Prevent changing static ITR values if adaptive moderation is on Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 58/92] ipv6: fix typos in __ip6_finish_output() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 59/92] nfp: checking parameter process for rx-usecs/tx-usecs is invalid Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 60/92] net: ipv6: add fib6_nh_release_dsts stub Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 61/92] net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 62/92] scsi: core: sysfs: Fix setting device state to SDEV_RUNNING Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 63/92] net/smc: Ensure the active closing peer first closes clcsock Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 64/92] nvmet-tcp: fix incomplete data digest send Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 65/92] net/ncsi : Add payload to be 32-bit aligned to fix dropped packets Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 66/92] PM: hibernate: use correct mode for swsusp_close() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 67/92] tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 68/92] nvmet: use IOCB_NOWAIT only if the filesystem supports it Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 69/92] igb: fix netpoll exit with traffic Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 70/92] MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 71/92] net: vlan: fix underflow for the real_dev refcnt Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 72/92] net/smc: Dont call clcsock shutdown twice when smc shutdown Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 73/92] net: hns3: fix VF RSS failed problem after PF enable multi-TCs Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 74/92] net: mscc: ocelot: dont downgrade timestamping RX filters in SIOCSHWTSTAMP Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 75/92] net: mscc: ocelot: correctly report the timestamping RX filters in ethtool Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 76/92] f2fs: set SBI_NEED_FSCK flag when inconsistent node block found Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 77/92] smb3: do not error on fsync when readonly Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 78/92] vhost/vsock: fix incorrect used length reported to the guest Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 79/92] tracing: Check pid filtering when creating events Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 80/92] s390/mm: validate VMA in PGSTE manipulation functions Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 81/92] shm: extend forced shm destroy to support objects from several IPC nses Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 82/92] NFC: add NCI_UNREG flag to eliminate the race Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 83/92] fuse: release pipe buf after last use Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 84/92] xen: sync include/xen/interface/io/ring.h with Xens newest version Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 85/92] xen/blkfront: read response from backend only once Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 86/92] xen/blkfront: dont take local copy of a request from the ring page Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 87/92] xen/blkfront: dont trust the backend response data blindly Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 88/92] xen/netfront: read response from backend only once Greg Kroah-Hartman
2021-11-29 18:18 ` Greg Kroah-Hartman [this message]
2021-11-29 18:18 ` [PATCH 5.4 90/92] xen/netfront: disentangle tx_skb_freelist Greg Kroah-Hartman
2021-11-29 18:19 ` [PATCH 5.4 91/92] xen/netfront: dont trust the backend response data blindly Greg Kroah-Hartman
2021-11-29 18:19 ` [PATCH 5.4 92/92] tty: hvc: replace BUG_ON() with negative return value Greg Kroah-Hartman
2021-11-30 1:03 ` [PATCH 5.4 00/92] 5.4.163-rc1 review Shuah Khan
2021-11-30 1:23 ` Samuel Zou
2021-11-30 3:44 ` Florian Fainelli
2021-11-30 8:42 ` Jon Hunter
2021-11-30 9:22 ` Naresh Kamboju
2021-11-30 13:37 ` Sudip Mukherjee
2021-11-30 17:41 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211129181710.361267274@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).