Date: Tue, 1 May 2018 09:22:31 +0100
From: Roger Pau Monné
To: Marek Marczykowski-Górecki
CC: Konrad Rzeszutek Wilk, Boris Ostrovsky, Juergen Gross, Jens Axboe, "open list:BLOCK LAYER", open list
Subject: Re: [PATCH 6/6] xen-blkfront: prepare request locally, only then put it on the shared ring
Message-ID: <20180501082231.dzdbcghtwvlbkoys@MacBook-Pro-de-Roger.local>

On Mon, Apr 30, 2018 at 11:01:50PM +0200, Marek Marczykowski-Górecki wrote:
> Do not reuse data which theoretically might be already modified by the
> backend. This is mostly about private copy of the request
> (info->shadow[id].req) - make sure the request saved there is really the
> one just filled.
>
> This is complementary to XSA155.
>
> CC: stable@vger.kernel.org
> Signed-off-by: Marek Marczykowski-Górecki
> ---
>  drivers/block/xen-blkfront.c | 76 +++++++++++++++++++++----------------
>  1 file changed, 44 insertions(+), 32 deletions(-)
>
> diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
> index 3926811..b100b55 100644
> --- a/drivers/block/xen-blkfront.c
> +++ b/drivers/block/xen-blkfront.c
> @@ -525,19 +525,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode, > > static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, The name of this function should be changed IMO, since you are no longer getting a request from the ring, but just initializing a request struct. > struct request *req, > - struct blkif_request **ring_req) > + struct blkif_request *ring_req) > { > unsigned long id; > > - *ring_req = RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt); > - rinfo->ring.req_prod_pvt++; > - > id = get_id_from_freelist(rinfo); > rinfo->shadow[id].request = req; > rinfo->shadow[id].status = REQ_WAITING; > rinfo->shadow[id].associated_id = NO_ASSOCIATED_ID; > > - (*ring_req)->u.rw.id = id; > + ring_req->u.rw.id = id; > > return id; > } > @@ -545,23 +542,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, > static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo) > { > struct blkfront_info *info = rinfo->dev_info; > - struct blkif_request *ring_req; > + struct blkif_request ring_req = { 0 }; > unsigned long id; > > /* Fill out a communications ring structure. */ > id = blkif_ring_get_request(rinfo, req, &ring_req); Maybe I'm missing something obvious here, but you are adding a struct allocated on the stack to the shadow ring copy, isn't this dangerous? The pointer stored in the shadow ring copy is going to be invalid after returning from this function. The same comment applies to the other calls to blkif_ring_get_request below that pass a ring_reg allocated on the stack. Thanks, Roger.
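Review bot: In the first hunk, blkif_ring_get_request() loses both `RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt)` and `rinfo->ring.req_prod_pvt++`, so every caller now owns taking the ring slot and advancing the private producer index, and nothing at the function says so. Add a comment above the function stating that it only allocates a shadow id and writes it into the caller's local request, and that the caller must copy the finished request to the ring and advance req_prod_pvt afterwards. The name should change with it, since the function no longer gets anything from the ring.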
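Review bot: In blkif_queue_discard_req(), the comment `/* Fill out a communications ring structure. */` now sits above a call that fills a stack local (`struct blkif_request ring_req = { 0 };`), not a ring slot, and should be reworded to say the request is built locally and published later. In the lines visible here, blkif_ring_get_request() stores `req` in rinfo->shadow[id].request and only writes through ring_req, so the stack address is not retained by that call; the rest of this function is not shown, so the thing to confirm is that both rinfo->shadow[id].req and the ring slot receive the finished request by value (struct copy) and never through a pointer to ring_req. Separately, `= { 0 }` zeroes the members but not necessarily any padding; since this struct is later copied to the ring shared with the backend, a memset() or a comment stating that the struct has no padding would rule out exposing stack bytes.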