Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp493500pxj; Tue, 18 May 2021 07:59:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyqtSjMC5XcQw4a8WEyl/2RhANa+Dzow0WbpsicAVxIfjSzXEXmILL64ZtDQ8k5kS+HqHTy X-Received: by 2002:aa7:df96:: with SMTP id b22mr7534664edy.95.1621349966676; Tue, 18 May 2021 07:59:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621349966; cv=none; d=google.com; s=arc-20160816; b=N3H4sA7zoAleFDPKURZdwYX4+hEc2I0z5EVMyHaBw2dyh+33NBjLxWhkO0y3gFZ12V FXtoBR2EDtBa1zYRF/QeYyIGRtjQsYuAfdnT1qZRJ3YvM5jGZY6h8cqEfKho8HUTlbYQ sfyHoApyQjvIQoAu1ZmHVOg/Kt2V18Wo37IBLtKtK9AtmL7AKZMZ3b+QZxQMFvuZau3Q DH4iYdDfID2ucbQhlS65jjLer6HVqBXCAigZKVus1u2jw5A+m4oAiXDdENfqbTVPwDp9 9i4q/I9U5mmqVp1AH/gVOjzUJ+XBv7gxoMp9iN/OZ7LOOHvGGoYAFs0dgOCzw5/KUXm7 neng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=D78x0RQykGxtuFVKDLK2tegONNqQIINNV1fp5HE+u1o=; b=coOhI9BbkHkoKPPmtdu7rqcifcrVOR5g0XDlvDYnZOV1No8umtqV5dhBrrXazSS0S6 cbJedm5NeBsltsNgSRCMLV2QNFjn+EdS4RD9MZZvpBkiOzRDw+dUU5Jm8x6TNCMhFwh7 EhbVvMTCSgo0aJYSxLGZ/+BfYCxLea8fCKqPV0hG+LDQEMk+2LCrw9ZTTHDjjfol9LgI XzcsIzeW2ufHon6ZBmTJ09ahrPIBuP+rr25jpiE3tNYDzW6OW2tNLenbhhP8UAyhN750 0KoBifQPXqGIJB+7vTLjsHhak78+SGPsOnPLsm+l+woYRwfMxG0gtFhPgTOyjiqKX0Jm Nvdw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=UlpURxft; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dh22si3503582edb.330.2021.05.18.07.59.03; Tue, 18 May 2021 07:59:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=UlpURxft; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343897AbhEQPth (ORCPT + 99 others); Mon, 17 May 2021 11:49:37 -0400 Received: from mx2.suse.de ([195.135.220.15]:52508 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244705AbhEQPdB (ORCPT ); Mon, 17 May 2021 11:33:01 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1621265504; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=D78x0RQykGxtuFVKDLK2tegONNqQIINNV1fp5HE+u1o=; b=UlpURxft8mCNp5WtrDPvtUpGOpEsRnDR0jJF0c7mh+vDsIm6ScJ7qTGjqT60UiVDQRJ6k0 41KGiWtA9xdJD4l8MO7kltHMJ9fUX+Dq08VZR9dbQatXEsB9+Cf/xLGKQnaKCC2nOvEHGu Hwt42g0mrif5bw2UWDSVartMsW1ZQPg= Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 4AAFDB038; Mon, 17 May 2021 15:31:44 +0000 (UTC) Subject: Re: [PATCH 7/8] xen/netfront: don't trust the backend response data blindly To: Juergen Gross Cc: Boris Ostrovsky , Stefano Stabellini , "David S. Miller" , Jakub Kicinski , xen-devel@lists.xenproject.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20210513100302.22027-1-jgross@suse.com> <20210513100302.22027-8-jgross@suse.com> From: Jan Beulich Message-ID: <18aa307e-edf0-cb8b-1fd2-2b5c89522d02@suse.com> Date: Mon, 17 May 2021 17:31:43 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: <20210513100302.22027-8-jgross@suse.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13.05.2021 12:03, Juergen Gross wrote: > @@ -429,6 +453,12 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) > } while (more_to_do); > > xennet_maybe_wake_tx(queue); > + > + return; > + > + err: > + queue->info->broken = true; > + dev_alert(dev, "Disabled for further use\n"); > } If in blkfront the ability to revive a device via a suspend/resume cycle is "a nice side effect", wouldn't it be nice for all frontends to behave similarly in this regard? I.e. wouldn't you want to also clear this flag somewhere? And shouldn't additionally / more generally a disconnect / connect cycle allow proper operation again? > @@ -472,6 +502,13 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset, > > *tx = info->tx_local; > > + /* > + * The request is not in its final form, as size and flags might be > + * modified later, but even if a malicious backend will send a response > + * now, nothing bad regarding security could happen. > + */ > + queue->tx_pending[id] = true; I'm not sure I can agree with what the comment says. If the backend sent a response prematurely, wouldn't the underlying slot(s) become available for re-use, and hence potentially get filled / updated by two parties? Jan