Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp334765pxj;
        Tue, 18 May 2021 04:36:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz7T34grQ50+Nv/ze69JDc2SDe4D7rlC1ME67jcnbokZD3Osm8l5phNzYXhd3pQToWkRJMh
X-Received: by 2002:a92:dcc6:: with SMTP id b6mr3627839ilr.224.1621337791127;
        Tue, 18 May 2021 04:36:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621337791; cv=none;
        d=google.com; s=arc-20160816;
        b=WSPRE7BMNGN9O/BST1eNiWpldZnDTG5NLzSalcrPcSnlOhbJPP6dunkGKYWpfdwBI9
         c6X/UvOEyX0Yz/tSO0eRBR88NuVE/9yYQPzHR1Cfm5SLmUaLvFaJwPBWCr4WLs28uQjA
         8x1GUaEzmJglBWrQJzdtpin64X++v59dRHuhDyxWht9gMYZj3aUlVcU/K7ZadZrt9EEd
         j+5FZj8AErjvMkkGBAz3+Hgm7LJCkyiPTN7XeLXyaiQdzJThPmmE6BcYNmbl7mSP8tog
         MEQIBR5UNPjs5j9hjpcWxrSJnMLJl1XR+8DrC6VPAF55bgWYtvsfSFMMW5gtpXM/rrcq
         d+uA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=PTgCAclxCK80C0ynDaeVVPOUMYjSdOogYauiOm/CJrI=;
        b=TXBrUtojiETP2qrFos43hgAF7+O8WveBu2rFz4SlnVxKlc4mdYloA7rObSNIqQclMK
         K89kvmktKAtBbQqHm6b6d8lxjLS/hpjE85xFUMiOjLUEdFUtcnEr32dkM5QrssBhHiPO
         BZOcwpF5IiWjjCmA3/3JXfgaQA9ubt0IVxNYWe44CI0CBfxiTUu74JHuTBKnn4lo0q2H
         gGRZaAaU/AEmZXJWj/uFy1dairmrFOhxWj7CxxPZwo9iBrArTXcS2prcGmTv1GKB5XbV
         ggggBqhPvhgWUxCeo8mQ66QXKisbmZ7sny7lWLj16TmArXS3zI9u8VqjX89aK8Fchfdj
         +meQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=MArlY3MJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w17si4494565ilm.86.2021.05.18.04.36.18;
        Tue, 18 May 2021 04:36:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=MArlY3MJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244873AbhEQPWV (ORCPT <rfc822;nirdebian@gmail.com> + 99 others);
        Mon, 17 May 2021 11:22:21 -0400
Received: from mx2.suse.de ([195.135.220.15]:35534 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S243259AbhEQPJc (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 17 May 2021 11:09:32 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
        t=1621264094; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=PTgCAclxCK80C0ynDaeVVPOUMYjSdOogYauiOm/CJrI=;
        b=MArlY3MJXa+52P1t/iSJJeD/qNAhCuTAN0iZOJJ2q9uaYg9bu/wWt0bE9R1mPPeG64q4pu
        h0EqiSrA+2ZJmPbzFGcOWPfk6kIk5ibIXP/l5JbxO8ojYUQfP8wSDwQaVeWVO/GpFVPaug
        h+LDH9s3QLePU+fKgk4qMW3/659oFww=
Received: from relay2.suse.de (unknown [195.135.221.27])
        by mx2.suse.de (Postfix) with ESMTP id A90C7AF2C;
        Mon, 17 May 2021 15:08:14 +0000 (UTC)
Subject: Re: [PATCH 6/8] xen/netfront: don't read data from request on the
 ring page
To:     Juergen Gross <jgross@suse.com>
Cc:     Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Stefano Stabellini <sstabellini@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        xen-devel@lists.xenproject.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20210513100302.22027-1-jgross@suse.com>
 <20210513100302.22027-7-jgross@suse.com>
From:   Jan Beulich <jbeulich@suse.com>
Message-ID: <72cb5265-aca2-8717-6860-19b66ccf9191@suse.com>
Date:   Mon, 17 May 2021 17:08:13 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <20210513100302.22027-7-jgross@suse.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 13.05.2021 12:03, Juergen Gross wrote:
> In order to avoid a malicious backend being able to influence the local
> processing of a request build the request locally first and then copy
> it to the ring page. Any reading from the request needs to be done on
> the local instance.

"Any reading" isn't really true - you don't change xennet_make_one_txreq(),
yet that has a read-modify-write operation. Without that I would have
been inclined to ask whether ...

> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -435,7 +435,8 @@ struct xennet_gnttab_make_txreq {
>  	struct netfront_queue *queue;
>  	struct sk_buff *skb;
>  	struct page *page;
> -	struct xen_netif_tx_request *tx; /* Last request */
> +	struct xen_netif_tx_request *tx;      /* Last request on ring page */
> +	struct xen_netif_tx_request tx_local; /* Last request local copy*/

... retaining the tx field here is a good idea.

> @@ -463,30 +464,27 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
>  	queue->grant_tx_page[id] = page;
>  	queue->grant_tx_ref[id] = ref;
>  
> -	tx->id = id;
> -	tx->gref = ref;
> -	tx->offset = offset;
> -	tx->size = len;
> -	tx->flags = 0;
> +	info->tx_local.id = id;
> +	info->tx_local.gref = ref;
> +	info->tx_local.offset = offset;
> +	info->tx_local.size = len;
> +	info->tx_local.flags = 0;
> +
> +	*tx = info->tx_local;
>  
>  	info->tx = tx;
> -	info->size += tx->size;
> +	info->size += info->tx_local.size;
>  }
>  
>  static struct xen_netif_tx_request *xennet_make_first_txreq(
> -	struct netfront_queue *queue, struct sk_buff *skb,
> -	struct page *page, unsigned int offset, unsigned int len)
> +	struct xennet_gnttab_make_txreq *info,
> +	unsigned int offset, unsigned int len)
>  {
> -	struct xennet_gnttab_make_txreq info = {
> -		.queue = queue,
> -		.skb = skb,
> -		.page = page,
> -		.size = 0,
> -	};
> +	info->size = 0;
>  
> -	gnttab_for_one_grant(page, offset, len, xennet_tx_setup_grant, &info);
> +	gnttab_for_one_grant(info->page, offset, len, xennet_tx_setup_grant, info);
>  
> -	return info.tx;
> +	return info->tx;
>  }

Similarly this returning of a pointer into the ring looks at least
risky to me. At the very least it looks as if ...

> @@ -704,14 +699,16 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
>  	}
>  
>  	/* First request for the linear area. */
> -	first_tx = tx = xennet_make_first_txreq(queue, skb,
> -						page, offset, len);
> +	info.queue = queue;
> +	info.skb = skb;
> +	info.page = page;
> +	first_tx = tx = xennet_make_first_txreq(&info, offset, len);

... you could avoid setting tx here; perhaps the local variable
could go away altogether, showing it's really just first_rx that
is still needed. It's odd that ...

>  	offset += tx->size;

... you don't change this one, when ...

>  	if (offset == PAGE_SIZE) {
>  		page++;
>  		offset = 0;
>  	}
> -	len -= tx->size;
> +	len -= info.tx_local.size;

... you do so here. Likely just an oversight.

Jan