Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 413C9C433F5 for ; Mon, 20 Dec 2021 14:42:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234931AbhLTOmd (ORCPT ); Mon, 20 Dec 2021 09:42:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59764 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235292AbhLTOlG (ORCPT ); Mon, 20 Dec 2021 09:41:06 -0500 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 07FB0C0698D6; Mon, 20 Dec 2021 06:40:41 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 5A241CE10FE; Mon, 20 Dec 2021 14:40:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 271E4C36AE8; Mon, 20 Dec 2021 14:40:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1640011237; bh=6lCVY5COw0CEcv1f15jkDBnbfj3oEBGx3Usu2ezsoIE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jeC2DHkW0RjAeQGKSdDVBgtlB7v1ftF5XBopaY23C4xOPZvAXZHV0Mc0/s8NQMDJr 6mJhHm9d104I1nyQnR8kkmF0gYTaaTn+5B9VYp38YH5eRwDusWxbgGEY5HzNtxM9gW BpcH9Kt1Yu+1THHUX6vaozPKNSOVar9BIXKNwkMA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Juergen Gross , Jan Beulich Subject: [PATCH 4.14 41/45] xen/blkfront: harden blkfront against event channel storms Date: Mon, 20 Dec 2021 15:34:36 +0100 Message-Id: <20211220143023.639041898@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211220143022.266532675@linuxfoundation.org> References: <20211220143022.266532675@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Juergen Gross commit 0fd08a34e8e3b67ec9bd8287ac0facf8374b844a upstream. The Xen blkfront driver is still vulnerable for an attack via excessive number of events sent by the backend. Fix that by using lateeoi event channels. This is part of XSA-391 Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Signed-off-by: Greg Kroah-Hartman --- drivers/block/xen-blkfront.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -1566,9 +1566,12 @@ static irqreturn_t blkif_interrupt(int i unsigned long flags; struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id; struct blkfront_info *info = rinfo->dev_info; + unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS; - if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) + if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) { + xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); return IRQ_HANDLED; + } spin_lock_irqsave(&rinfo->ring_lock, flags); again: @@ -1584,6 +1587,8 @@ static irqreturn_t blkif_interrupt(int i unsigned long id; unsigned int op; + eoiflag = 0; + RING_COPY_RESPONSE(&rinfo->ring, i, &bret); id = bret.id; @@ -1699,6 +1704,8 @@ static irqreturn_t blkif_interrupt(int i spin_unlock_irqrestore(&rinfo->ring_lock, flags); + xen_irq_lateeoi(irq, eoiflag); + return IRQ_HANDLED; err: @@ -1706,6 +1713,8 @@ static irqreturn_t blkif_interrupt(int i spin_unlock_irqrestore(&rinfo->ring_lock, flags); + /* No EOI in order to avoid further interrupts. */ + pr_alert("%s disabled for further use\n", info->gd->disk_name); return IRQ_HANDLED; } @@ -1745,8 +1754,8 @@ static int setup_blkring(struct xenbus_d if (err) goto fail; - err = bind_evtchn_to_irqhandler(rinfo->evtchn, blkif_interrupt, 0, - "blkif", rinfo); + err = bind_evtchn_to_irqhandler_lateeoi(rinfo->evtchn, blkif_interrupt, + 0, "blkif", rinfo); if (err <= 0) { xenbus_dev_fatal(dev, err, "bind_evtchn_to_irqhandler failed");