From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Juergen Gross <jgross@suse.com>,
Jan Beulich <jbeulich@suse.com>
Subject: [PATCH 5.10 98/99] xen/netback: fix rx queue stall detection
Date: Mon, 20 Dec 2021 15:35:11 +0100 [thread overview]
Message-ID: <20211220143032.703346263@linuxfoundation.org> (raw)
In-Reply-To: <20211220143029.352940568@linuxfoundation.org>
From: Juergen Gross <jgross@suse.com>
commit 6032046ec4b70176d247a71836186d47b25d1684 upstream.
Commit 1d5d48523900a4b ("xen-netback: require fewer guest Rx slots when
not using GSO") introduced a security problem in netback, as an
interface would only be regarded to be stalled if no slot is available
in the rx queue ring page. In case the SKB at the head of the queued
requests will need more than one rx slot and only one slot is free the
stall detection logic will never trigger, as the test for that is only
looking for at least one slot to be free.
Fix that by testing for the needed number of slots instead of only one
slot being available.
In order to not have to take the rx queue lock that often, store the
number of needed slots in the queue data. As all SKB dequeue operations
happen in the rx queue kernel thread this is safe, as long as the
number of needed slots is accessed via READ/WRITE_ONCE() only and
updates are always done with the rx queue lock held.
Add a small helper for obtaining the number of free slots.
This is part of XSA-392
Fixes: 1d5d48523900a4b ("xen-netback: require fewer guest Rx slots when not using GSO")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/xen-netback/common.h | 1
drivers/net/xen-netback/rx.c | 65 ++++++++++++++++++++++++---------------
2 files changed, 42 insertions(+), 24 deletions(-)
--- a/drivers/net/xen-netback/common.h
+++ b/drivers/net/xen-netback/common.h
@@ -203,6 +203,7 @@ struct xenvif_queue { /* Per-queue data
unsigned int rx_queue_max;
unsigned int rx_queue_len;
unsigned long last_rx_time;
+ unsigned int rx_slots_needed;
bool stalled;
struct xenvif_copy_state rx_copy;
--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -33,28 +33,36 @@
#include <xen/xen.h>
#include <xen/events.h>
-static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+/*
+ * Update the needed ring page slots for the first SKB queued.
+ * Note that any call sequence outside the RX thread calling this function
+ * needs to wake up the RX thread via a call of xenvif_kick_thread()
+ * afterwards in order to avoid a race with putting the thread to sleep.
+ */
+static void xenvif_update_needed_slots(struct xenvif_queue *queue,
+ const struct sk_buff *skb)
{
- RING_IDX prod, cons;
- struct sk_buff *skb;
- int needed;
- unsigned long flags;
+ unsigned int needed = 0;
- spin_lock_irqsave(&queue->rx_queue.lock, flags);
-
- skb = skb_peek(&queue->rx_queue);
- if (!skb) {
- spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
- return false;
+ if (skb) {
+ needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
+ if (skb_is_gso(skb))
+ needed++;
+ if (skb->sw_hash)
+ needed++;
}
- needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
- if (skb_is_gso(skb))
- needed++;
- if (skb->sw_hash)
- needed++;
+ WRITE_ONCE(queue->rx_slots_needed, needed);
+}
- spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
+static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+{
+ RING_IDX prod, cons;
+ unsigned int needed;
+
+ needed = READ_ONCE(queue->rx_slots_needed);
+ if (!needed)
+ return false;
do {
prod = queue->rx.sring->req_prod;
@@ -80,6 +88,9 @@ void xenvif_rx_queue_tail(struct xenvif_
spin_lock_irqsave(&queue->rx_queue.lock, flags);
+ if (skb_queue_empty(&queue->rx_queue))
+ xenvif_update_needed_slots(queue, skb);
+
__skb_queue_tail(&queue->rx_queue, skb);
queue->rx_queue_len += skb->len;
@@ -100,6 +111,8 @@ static struct sk_buff *xenvif_rx_dequeue
skb = __skb_dequeue(&queue->rx_queue);
if (skb) {
+ xenvif_update_needed_slots(queue, skb_peek(&queue->rx_queue));
+
queue->rx_queue_len -= skb->len;
if (queue->rx_queue_len < queue->rx_queue_max) {
struct netdev_queue *txq;
@@ -487,27 +500,31 @@ void xenvif_rx_action(struct xenvif_queu
xenvif_rx_copy_flush(queue);
}
-static bool xenvif_rx_queue_stalled(struct xenvif_queue *queue)
+static RING_IDX xenvif_rx_queue_slots(const struct xenvif_queue *queue)
{
RING_IDX prod, cons;
prod = queue->rx.sring->req_prod;
cons = queue->rx.req_cons;
+ return prod - cons;
+}
+
+static bool xenvif_rx_queue_stalled(const struct xenvif_queue *queue)
+{
+ unsigned int needed = READ_ONCE(queue->rx_slots_needed);
+
return !queue->stalled &&
- prod - cons < 1 &&
+ xenvif_rx_queue_slots(queue) < needed &&
time_after(jiffies,
queue->last_rx_time + queue->vif->stall_timeout);
}
static bool xenvif_rx_queue_ready(struct xenvif_queue *queue)
{
- RING_IDX prod, cons;
-
- prod = queue->rx.sring->req_prod;
- cons = queue->rx.req_cons;
+ unsigned int needed = READ_ONCE(queue->rx_slots_needed);
- return queue->stalled && prod - cons >= 1;
+ return queue->stalled && xenvif_rx_queue_slots(queue) >= needed;
}
bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread)
next prev parent reply other threads:[~2021-12-20 14:52 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-20 14:33 [PATCH 5.10 00/99] 5.10.88-rc1 review Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 01/99] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 02/99] KVM: downgrade two BUG_ONs to WARN_ON_ONCE Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 03/99] mac80211: fix regression in SSN handling of addba tx Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 04/99] mac80211: mark TX-during-stop for TX in in_reconfig Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 05/99] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 06/99] mac80211: validate extended element ID is present Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 07/99] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 08/99] bpf: Fix signed bounds propagation after mov32 Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 09/99] bpf: Make 32->64 bounds propagation slightly more robust Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 10/99] bpf, selftests: Add test case trying to taint map value pointer Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 11/99] virtio_ring: Fix querying of maximum DMA mapping size for virtio device Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 12/99] vdpa: check that offsets are within bounds Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 13/99] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 14/99] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 15/99] audit: improve robustness of the audit queue handling Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 16/99] arm64: dts: imx8m: correct assigned clocks for FEC Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 17/99] arm64: dts: imx8mp-evk: Improve the Ethernet PHY description Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 18/99] arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 19/99] arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 20/99] arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 21/99] arm64: dts: rockchip: fix audio-supply for Rock Pi 4 Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 22/99] mac80211: track only QoS data frames for admission control Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 23/99] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 24/99] tee: amdtee: fix an IS_ERR() vs NULL bug Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 25/99] ceph: fix duplicate increment of opened_inodes metric Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.10 26/99] ceph: initialize pathlen variable in reconnect_caps_cb Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 27/99] ARM: socfpga: dts: fix qspi node compatible Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 28/99] clk: Dont parent clks until the parent is fully registered Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 29/99] soc: imx: Register SoC device only on i.MX boards Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 30/99] virtio/vsock: fix the transport to work with VMADDR_CID_ANY Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 31/99] selftests: net: Correct ping6 expected rc from 2 to 1 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 32/99] s390/kexec_file: fix error handling when applying relocations Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 33/99] sch_cake: do not call cake_destroy() from cake_init() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 34/99] inet_diag: fix kernel-infoleak for UDP sockets Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 35/99] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 36/99] selftests: Add duplicate config only for MD5 VRF tests Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 37/99] selftests: Fix raw socket bind tests with VRF Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 38/99] selftests: Fix IPv6 address bind tests Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 39/99] dmaengine: st_fdma: fix MODULE_ALIAS Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 40/99] net/sched: sch_ets: dont remove idle classes from the round-robin list Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 41/99] selftest/net/forwarding: declare NETIFS p9 p10 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 42/99] drm/ast: potential dereference of null pointer Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 43/99] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 44/99] mac80211: fix lookup when adding AddBA extension element Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 45/99] flow_offload: return EOPNOTSUPP for the unsupported mpls action type Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 46/99] rds: memory leak in __rds_conn_create() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 47/99] drm/amd/pm: fix a potential gpu_metrics_table memory leak Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 48/99] mptcp: clear kern flag from fallback sockets Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 49/99] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 50/99] igb: Fix removal of unicast MAC filters of VFs Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 51/99] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 52/99] igc: Fix typo in i225 LTR functions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 53/99] ixgbe: Document how to enable NBASE-T support Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 54/99] ixgbe: set X550 MDIO speed before talking to PHY Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 55/99] netdevsim: Zero-initialize memory for new maps value in function nsim_bpf_map_alloc Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 56/99] net/packet: rx_owner_map depends on pg_vec Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 57/99] sfc_ef100: potential dereference of null pointer Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 58/99] net: Fix double 0x prefix print in SKB dump Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 59/99] net/smc: Prevent smc_release() from long blocking Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 60/99] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 61/99] sit: do not call ipip6_dev_free() from sit_init_net() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 62/99] bpf, selftests: Fix racing issue in btf_skc_cls_ingress test Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 63/99] powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 64/99] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 65/99] Revert "usb: early: convert to readl_poll_timeout_atomic()" Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 66/99] KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 67/99] tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 68/99] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 69/99] usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 70/99] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 71/99] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 72/99] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 73/99] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 74/99] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 75/99] btrfs: fix memory leak in __add_inode_ref() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 76/99] btrfs: fix double free of anon_dev after failure to create subvolume Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 77/99] zonefs: add MODULE_ALIAS_FS Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 78/99] iocost: Fix divide-by-zero on donation from low hweight cgroup Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 79/99] serial: 8250_fintek: Fix garbled text for console Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 80/99] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 81/99] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 82/99] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 83/99] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 84/99] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 85/99] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.10 86/99] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 87/99] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 88/99] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 89/99] scsi: scsi_debug: Dont call kcalloc() if size arg is zero Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 90/99] scsi: scsi_debug: Fix type in min_t to avoid stack OOB Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 91/99] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 92/99] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 93/99] bus: ti-sysc: Fix variable set but not used warning for reinit_modules Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 94/99] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 95/99] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 96/99] xen/netfront: harden netfront " Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.10 97/99] xen/console: harden hvc_xen " Greg Kroah-Hartman
2021-12-20 14:35 ` Greg Kroah-Hartman [this message]
2021-12-20 14:35 ` [PATCH 5.10 99/99] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman
2021-12-20 18:25 ` [PATCH 5.10 00/99] 5.10.88-rc1 review Jon Hunter
2021-12-20 19:06 ` Florian Fainelli
2021-12-20 23:17 ` Shuah Khan
2021-12-21 1:32 ` Samuel Zou
2021-12-21 11:19 ` Sudip Mukherjee
2021-12-21 11:34 ` Naresh Kamboju
2021-12-21 23:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220143032.703346263@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).