From: Marek Marczykowski-Górecki
To: xen-devel@lists.xenproject.org
Cc: Marek Marczykowski-Górecki, stable@vger.kernel.org, Boris Ostrovsky, Juergen Gross, netdev@vger.kernel.org (open list:NETWORKING DRIVERS), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 2/6] xen-netfront: copy response out of shared buffer before accessing it
Date: Mon, 30 Apr 2018 23:01:46 +0200
Message-Id: <98a855dceb47dbebd9c87e024084f14a5cb127f7.1525122026.git-series.marmarek@invisiblethingslab.com>

Make local copy of the response, otherwise backend might modify it while
frontend is already processing it - leading to time of check / time of
use issue.

This is complementary to XSA155.

Cc: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki
---
 drivers/net/xen-netfront.c | 51 +++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 26 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 4dd0668..dc99763 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -387,13 +387,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) rmb(); /* Ensure we see responses up to 'rp'. */ for (cons = queue->tx.rsp_cons; cons != prod; cons++) { - struct xen_netif_tx_response *txrsp; + struct xen_netif_tx_response txrsp; - txrsp = RING_GET_RESPONSE(&queue->tx, cons); - if (txrsp->status == XEN_NETIF_RSP_NULL) + RING_COPY_RESPONSE(&queue->tx, cons, &txrsp); + if (txrsp.status == XEN_NETIF_RSP_NULL) continue; - id = txrsp->id; + id = txrsp.id; skb = queue->tx_skbs[id].skb; if (unlikely(gnttab_query_foreign_access( queue->grant_tx_ref[id]) != 0)) { @@ -741,7 +741,7 @@ static int xennet_get_extras(struct netfront_queue *queue, RING_IDX rp) { - struct xen_netif_extra_info *extra; + struct xen_netif_extra_info extra; struct device *dev = &queue->info->netdev->dev; RING_IDX cons = queue->rx.rsp_cons; int err = 0; @@ -757,24 +757,23 @@ static int xennet_get_extras(struct netfront_queue *queue, break; } - extra = (struct xen_netif_extra_info *) - RING_GET_RESPONSE(&queue->rx, ++cons); + RING_COPY_RESPONSE(&queue->rx, ++cons, &extra); - if (unlikely(!extra->type || - extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) { + if (unlikely(!extra.type || + extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) { if (net_ratelimit()) dev_warn(dev, "Invalid extra type: %d\n", - extra->type); + extra.type); err = -EINVAL; } else { - memcpy(&extras[extra->type - 1], extra, - sizeof(*extra)); + memcpy(&extras[extra.type - 1], &extra, + sizeof(extra)); } skb = xennet_get_rx_skb(queue, cons); ref = xennet_get_rx_ref(queue, cons); xennet_move_rx_slot(queue, skb, ref); - } while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE); + } while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE); queue->rx.rsp_cons = cons; return err; 
@@ -784,28 +783,28 @@ static int xennet_get_responses(struct netfront_queue *queue, struct netfront_rx_info *rinfo, RING_IDX rp, struct sk_buff_head *list) { - struct xen_netif_rx_response *rx = &rinfo->rx; + struct xen_netif_rx_response rx = rinfo->rx; struct xen_netif_extra_info *extras = rinfo->extras; struct device *dev = &queue->info->netdev->dev; RING_IDX cons = queue->rx.rsp_cons; struct sk_buff *skb = xennet_get_rx_skb(queue, cons); grant_ref_t ref = xennet_get_rx_ref(queue, cons); - int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD); + int max = MAX_SKB_FRAGS + (rx.status <= RX_COPY_THRESHOLD); int slots = 1; int err = 0; unsigned long ret; - if (rx->flags & XEN_NETRXF_extra_info) { + if (rx.flags & XEN_NETRXF_extra_info) { err = xennet_get_extras(queue, extras, rp); cons = queue->rx.rsp_cons; } for (;;) { - if (unlikely(rx->status < 0 || - rx->offset + rx->status > XEN_PAGE_SIZE)) { + if (unlikely(rx.status < 0 || + rx.offset + rx.status > XEN_PAGE_SIZE)) { if (net_ratelimit()) dev_warn(dev, "rx->offset: %u, size: %d\n", - rx->offset, rx->status); + rx.offset, rx.status); xennet_move_rx_slot(queue, skb, ref); err = -EINVAL; goto next; @@ -819,7 +818,7 @@ static int xennet_get_responses(struct netfront_queue *queue, if (ref == GRANT_INVALID_REF) { if (net_ratelimit()) dev_warn(dev, "Bad rx response id %d.\n", - rx->id); + rx.id); err = -EINVAL; goto next; } @@ -832,7 +831,7 @@ static int xennet_get_responses(struct netfront_queue *queue, __skb_queue_tail(list, skb); next: - if (!(rx->flags & XEN_NETRXF_more_data)) + if (!(rx.flags & XEN_NETRXF_more_data)) break; if (cons + slots == rp) { @@ -842,7 +841,7 @@ static int xennet_get_responses(struct netfront_queue *queue, break; } - rx = RING_GET_RESPONSE(&queue->rx, cons + slots); + RING_COPY_RESPONSE(&queue->rx, cons + slots, &rx); skb = xennet_get_rx_skb(queue, cons + slots); ref = xennet_get_rx_ref(queue, cons + slots); slots++; 
@@ -898,9 +897,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, struct sk_buff *nskb; while ((nskb = __skb_dequeue(list))) { - struct xen_netif_rx_response *rx = - RING_GET_RESPONSE(&queue->rx, ++cons); + struct xen_netif_rx_response rx; skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; + RING_COPY_RESPONSE(&queue->rx, ++cons, &rx); if (shinfo->nr_frags == MAX_SKB_FRAGS) { unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; @@ -911,7 +910,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS); skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), - rx->offset, rx->status, PAGE_SIZE); + rx.offset, rx.status, PAGE_SIZE); skb_shinfo(nskb)->nr_frags = 0; kfree_skb(nskb); @@ -1007,7 +1006,7 @@ static int xennet_poll(struct napi_struct *napi, int budget) i = queue->rx.rsp_cons; work_done = 0; while ((i != rp) && (work_done < budget)) { - memcpy(rx, RING_GET_RESPONSE(&queue->rx, i), sizeof(*rx)); + RING_COPY_RESPONSE(&queue->rx, i, rx); memset(extras, 0, sizeof(rinfo.extras)); err = xennet_get_responses(queue, &rinfo, rp, &tmpq); -- git-series 0.9.1
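Review bot: in the xennet_tx_buf_gc hunk, `id = txrsp.id` comes from the backend's response and is used immediately to index `queue->tx_skbs[id]` and `queue->grant_tx_ref[id]` with no range check. Copying the response stops the value from changing after it is read, but it does not make the value valid. A check that id is within the size of those arrays, and that the slot is actually in use, should come before the lookup, with the response rejected otherwise.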
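Review bot: in the xennet_get_extras hunk, `RING_COPY_RESPONSE(&queue->rx, ++cons, &extra)` passes an expression with a side effect to a macro and drops the explicit cast to `struct xen_netif_extra_info *` that the removed lines had. The macro is not defined in this patch, so nothing visible here shows that it evaluates its index once and copies sizeof(extra) bytes from a slot of a different response type. Incrementing cons in its own statement and adding a compile-time size check between the two structs would make this call site independent of the macro's internals.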
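Review bot: in the xennet_fill_frags hunks, `rx.offset` and `rx.status` are passed to skb_add_rx_frag() from a fresh RING_COPY_RESPONSE of the shared ring, with none of the range checks that xennet_get_responses applies to its own copy (`rx.status < 0 || rx.offset + rx.status > XEN_PAGE_SIZE`). If these are the same slots xennet_get_responses already walked for the skbs on `list`, the backend can change them between the two copies, and the time of check / time of use problem named in the commit message remains across the two functions. Either repeat the check here or carry the validated offset and length with each queued skb so each slot is read from the ring once.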
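Review bot: in the xennet_poll hunk, the removed line was already a memcpy() into the local rx, so this site copied the response before the patch as well. The commit message should say what RING_COPY_RESPONSE guarantees that memcpy() did not, since that reasoning is not visible in this patch and the change otherwise reads as a no-op.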