Received: by 2002:a05:6622:f08:0:0:0:0 with SMTP id l8csp4479133ivc;
        Tue, 3 Nov 2020 13:06:20 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwMwJ0C29RV63iAObhfYrqYfTwuPZmVmnqNVWePF59KYGTkkOfSI49XaVaFP/cqkROenxph
X-Received: by 2002:a17:906:c18c:: with SMTP id g12mr8013557ejz.334.1604437580552;
        Tue, 03 Nov 2020 13:06:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604437580; cv=none;
        d=google.com; s=arc-20160816;
        b=hE7Vdaf1RJbcMz1+EAi48Y7D3Me7x6IBEwUs+ZWyy+9KadpWk+e4dleXzYEE9xwlp+
         VTlNPMgbU1SJxYHwZHUjRhGywe5iUvmmcyNE/D7eQYXZgBdsAmCCD4K6rToq8S/5GKXi
         k27Mn7opS4a1t0dlnqoKOm6d2aMmnAmbXWonoiYe28gTVepKy0gPAvUWR+71rbovYnCt
         O/cXCX2VQxs/VeprCodygrhGg8QAADZ0EZFHC5Zf+JzTpEZ7MDH4Eh6cyF0ncoCI0jlP
         8zn5NzLBUORonpF6M6QtM+zMJXLtoztwDGS9KNGRbrf+7r5LEh+Y9mcaUI62AtWpo2bU
         eP6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=WXl252d1HDeQcqYztG7gq7yB7IvSnL6hy+ZjDKBxEgM=;
        b=wGfbs5em3N30OYHvTGC+9n6Griv/PDiJ+UM+kNt6BbcXUjq0tAgeoNVlg2F3mYSslk
         J2IrLqOevZ2yUhLuk+MGpmxa4+9aoYD/61WuhWl+0ibsTnWTfSHcdGrgoilqMw7qKmg9
         cD71dMDtF5NaqqvAem0rF7xSw8v5MEpef3xCem4Htb6lPuj4HGtsB3MKTmUI5G+v7iSK
         OHhCX7xBMkP9c8GmXiKx8gXfqGkAnrCQAzZGf0hmcAZNeE5iN50IszHSm/oUeahBi+Ie
         9OotXk4kezlYGE1cVro8jWmVEYMfCSt5ncsQa9rQA6+lLTV0p8yDpinvIEUl64ljncAi
         q26Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=amO4lUsx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id lr3si11384ejb.40.2020.11.03.13.05.56;
        Tue, 03 Nov 2020 13:06:20 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=amO4lUsx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387987AbgKCVEd (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Tue, 3 Nov 2020 16:04:33 -0500
Received: from mail.kernel.org ([198.145.29.99]:42448 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729845AbgKCVEY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Nov 2020 16:04:24 -0500
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id DC61D205ED;
        Tue,  3 Nov 2020 21:04:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1604437463;
        bh=vakU0Rkwl4idcdJbvwYnTinuh5AD+3dtgLgF/5nENLY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=amO4lUsxtMiIoYBDP7MmlX0pnFlUuCqLNISOi3aarD2ac6cY8ZgHK4oN57TPZ0aVF
         II2D0LzZGV9h7k0/wY4JelLCCzyTnDOs9RJs2912RJEzsJoUhXi3WDn0mSW1t+F0GL
         gvIxz1lNvbZj6aFhk/RcK97B7soiy2yZ5+BFfGLY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Juergen Gross <jgross@suse.com>,
        Jan Beulich <jbeulich@suse.com>,
        Stefano Stabellini <sstabellini@kernel.org>,
        Wei Liu <wl@xen.org>
Subject: [PATCH 4.19 049/191] xen/events: block rogue events for some time
Date:   Tue,  3 Nov 2020 21:35:41 +0100
Message-Id: <20201103203239.026010296@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201103203232.656475008@linuxfoundation.org>
References: <20201103203232.656475008@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Juergen Gross <jgross@suse.com>

commit 5f7f77400ab5b357b5fdb7122c3442239672186c upstream.

In order to avoid high dom0 load due to rogue guests sending events at
high frequency, block those events in case there was no action needed
in dom0 to handle the events.

This is done by adding a per-event counter, which set to zero in case
an EOI without the XEN_EOI_FLAG_SPURIOUS is received from a backend
driver, and incremented when this flag has been set. In case the
counter is 2 or higher delay the EOI by 1 << (cnt - 2) jiffies, but
not more than 1 second.

In order not to waste memory shorten the per-event refcnt to two bytes
(it should normally never exceed a value of 2). Add an overflow check
to evtchn_get() to make sure the 2 bytes really won't overflow.

This is part of XSA-332.

Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Wei Liu <wl@xen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/events/events_base.c     |   27 ++++++++++++++++++++++-----
 drivers/xen/events/events_internal.h |    3 ++-
 2 files changed, 24 insertions(+), 6 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -459,17 +459,34 @@ static void lateeoi_list_add(struct irq_
 	spin_unlock_irqrestore(&eoi->eoi_list_lock, flags);
 }
 
-static void xen_irq_lateeoi_locked(struct irq_info *info)
+static void xen_irq_lateeoi_locked(struct irq_info *info, bool spurious)
 {
 	evtchn_port_t evtchn;
 	unsigned int cpu;
+	unsigned int delay = 0;
 
 	evtchn = info->evtchn;
 	if (!VALID_EVTCHN(evtchn) || !list_empty(&info->eoi_list))
 		return;
 
+	if (spurious) {
+		if ((1 << info->spurious_cnt) < (HZ << 2))
+			info->spurious_cnt++;
+		if (info->spurious_cnt > 1) {
+			delay = 1 << (info->spurious_cnt - 2);
+			if (delay > HZ)
+				delay = HZ;
+			if (!info->eoi_time)
+				info->eoi_cpu = smp_processor_id();
+			info->eoi_time = get_jiffies_64() + delay;
+		}
+	} else {
+		info->spurious_cnt = 0;
+	}
+
 	cpu = info->eoi_cpu;
-	if (info->eoi_time && info->irq_epoch == per_cpu(irq_epoch, cpu)) {
+	if (info->eoi_time &&
+	    (info->irq_epoch == per_cpu(irq_epoch, cpu) || delay)) {
 		lateeoi_list_add(info);
 		return;
 	}
@@ -506,7 +523,7 @@ static void xen_irq_lateeoi_worker(struc
 
 		info->eoi_time = 0;
 
-		xen_irq_lateeoi_locked(info);
+		xen_irq_lateeoi_locked(info, false);
 	}
 
 	if (info)
@@ -535,7 +552,7 @@ void xen_irq_lateeoi(unsigned int irq, u
 	info = info_for_irq(irq);
 
 	if (info)
-		xen_irq_lateeoi_locked(info);
+		xen_irq_lateeoi_locked(info, eoi_flags & XEN_EOI_FLAG_SPURIOUS);
 
 	read_unlock_irqrestore(&evtchn_rwlock, flags);
 }
@@ -1438,7 +1455,7 @@ int evtchn_get(unsigned int evtchn)
 		goto done;
 
 	err = -EINVAL;
-	if (info->refcnt <= 0)
+	if (info->refcnt <= 0 || info->refcnt == SHRT_MAX)
 		goto done;
 
 	info->refcnt++;
--- a/drivers/xen/events/events_internal.h
+++ b/drivers/xen/events/events_internal.h
@@ -33,7 +33,8 @@ enum xen_irq_type {
 struct irq_info {
 	struct list_head list;
 	struct list_head eoi_list;
-	int refcnt;
+	short refcnt;
+	short spurious_cnt;
 	enum xen_irq_type type;	/* type */
 	unsigned irq;
 	unsigned int evtchn;	/* event channel */