Commit e9d8b2c2 authored by Wei Liu's avatar Wei Liu Committed by David S. Miller

xen-netback: disable rogue vif in kthread context

When netback discovers frontend is sending malformed packet it will
disables the interface which serves that frontend.

However disabling a network interface involving taking a mutex which
cannot be done in softirq context, so we need to defer this process to
kthread context.

This patch does the following:
1. introduce a flag to indicate the interface is disabled.
2. check that flag in TX path, don't do any work if it's true.
3. check that flag in RX path, turn off that interface if it's true.

The reason to disable it in RX path is because RX uses kthread. After
this change the behavior of netback is still consistent -- it won't do
any TX work for a rogue frontend, and the interface will be eventually
turned off.

Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
doesn't make sense to continue processing packets if frontend is rogue.

This is a fix for XSA-90.
Reported-by: default avatarTörök Edwin <edwin@etorok.net>
Signed-off-by: default avatarWei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
Acked-by: default avatarIan Campbell <ian.campbell@citrix.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a66132f3
...@@ -104,6 +104,11 @@ struct xenvif { ...@@ -104,6 +104,11 @@ struct xenvif {
domid_t domid; domid_t domid;
unsigned int handle; unsigned int handle;
/* Is this interface disabled? True when backend discovers
* frontend is rogue.
*/
bool disabled;
/* Use NAPI for guest TX */ /* Use NAPI for guest TX */
struct napi_struct napi; struct napi_struct napi;
/* When feature-split-event-channels = 0, tx_irq = rx_irq. */ /* When feature-split-event-channels = 0, tx_irq = rx_irq. */
......
...@@ -63,6 +63,15 @@ static int xenvif_poll(struct napi_struct *napi, int budget) ...@@ -63,6 +63,15 @@ static int xenvif_poll(struct napi_struct *napi, int budget)
struct xenvif *vif = container_of(napi, struct xenvif, napi); struct xenvif *vif = container_of(napi, struct xenvif, napi);
int work_done; int work_done;
/* This vif is rogue, we pretend we've there is nothing to do
* for this vif to deschedule it from NAPI. But this interface
* will be turned off in thread context later.
*/
if (unlikely(vif->disabled)) {
napi_complete(napi);
return 0;
}
work_done = xenvif_tx_action(vif, budget); work_done = xenvif_tx_action(vif, budget);
if (work_done < budget) { if (work_done < budget) {
...@@ -363,6 +372,8 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, ...@@ -363,6 +372,8 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid,
vif->ip_csum = 1; vif->ip_csum = 1;
vif->dev = dev; vif->dev = dev;
vif->disabled = false;
vif->credit_bytes = vif->remaining_credit = ~0UL; vif->credit_bytes = vif->remaining_credit = ~0UL;
vif->credit_usec = 0UL; vif->credit_usec = 0UL;
init_timer(&vif->credit_timeout); init_timer(&vif->credit_timeout);
......
...@@ -711,7 +711,8 @@ static void xenvif_tx_err(struct xenvif *vif, ...@@ -711,7 +711,8 @@ static void xenvif_tx_err(struct xenvif *vif,
static void xenvif_fatal_tx_err(struct xenvif *vif) static void xenvif_fatal_tx_err(struct xenvif *vif)
{ {
netdev_err(vif->dev, "fatal error; disabling device\n"); netdev_err(vif->dev, "fatal error; disabling device\n");
xenvif_carrier_off(vif); vif->disabled = true;
xenvif_kick_thread(vif);
} }
static int xenvif_count_requests(struct xenvif *vif, static int xenvif_count_requests(struct xenvif *vif,
...@@ -1212,7 +1213,7 @@ static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget) ...@@ -1212,7 +1213,7 @@ static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget)
vif->tx.sring->req_prod, vif->tx.req_cons, vif->tx.sring->req_prod, vif->tx.req_cons,
XEN_NETIF_TX_RING_SIZE); XEN_NETIF_TX_RING_SIZE);
xenvif_fatal_tx_err(vif); xenvif_fatal_tx_err(vif);
continue; break;
} }
work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx); work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx);
...@@ -1808,7 +1809,18 @@ int xenvif_kthread_guest_rx(void *data) ...@@ -1808,7 +1809,18 @@ int xenvif_kthread_guest_rx(void *data)
while (!kthread_should_stop()) { while (!kthread_should_stop()) {
wait_event_interruptible(vif->wq, wait_event_interruptible(vif->wq,
rx_work_todo(vif) || rx_work_todo(vif) ||
vif->disabled ||
kthread_should_stop()); kthread_should_stop());
/* This frontend is found to be rogue, disable it in
* kthread context. Currently this is only set when
* netback finds out frontend sends malformed packet,
* but we cannot disable the interface in softirq
* context so we defer it here.
*/
if (unlikely(vif->disabled && netif_carrier_ok(vif->dev)))
xenvif_carrier_off(vif);
if (kthread_should_stop()) if (kthread_should_stop())
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment