[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH net-next v2] xen-netfront: clean up code in xennet_release_rx_bufs




On 2014/1/18 1:50, David Vrabel wrote:
On 17/01/14 15:43, annie li wrote:
No, I am trying to implement 2 patches.
I don't understand the need for two patches here, particularly when
the first patch introduces a security issue.

This is basically connected with personal taste. I am thinking that my original patch is removing unnecessary code for grant transfer and then keep rx release consistent with tx path, the security issue you mentioned exist in current tx too. The second one is to change gnttab_end_foreign_access and netfront tx/rx, blkfront, etc. But if you like to merge them together, I can do that.

Thanks
Annie
You can fold the following
(untested) patch into your v2 patch and give it a try?

Thanks.

David

8<----------------------
xen-netfront: prevent unsafe reuse of rx buf pages after uninit

---
  drivers/net/xen-netfront.c |   21 +++++++++++++++++----
  1 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 692589e..47aa599 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1134,19 +1134,32 @@ static void xennet_release_tx_bufs(struct netfront_info 
*np)
static void xennet_release_rx_bufs(struct netfront_info *np)
  {
-       struct sk_buff *skb;
        int id, ref;
spin_lock_bh(&np->rx_lock); for (id = 0; id < NET_RX_RING_SIZE; id++) {
+               struct sk_buff *skb;
+               skb_frag_t *frag;
+               const struct page *page;
+
+               skb = np->rx_skbs[id];
+               if (!skb)
+                       continue;
+
                ref = np->grant_rx_ref[id];
                if (ref == GRANT_INVALID_REF)
                        continue;
- skb = np->rx_skbs[id];
-               gnttab_end_foreign_access_ref(ref, 0);
-               gnttab_release_grant_reference(&np->gref_rx_head, ref);
+               frag = &skb_shinfo(skb)->frags[0];
+               page = skb_frag_page(frag);
+
+               /* gnttab_end_foreign_access() needs a page ref until
+                * foreign access is ended (which may be deferred).
+                */
+               get_page(page);
+
+               gnttab_end_foreign_access(ref, 0, page);
                np->grant_rx_ref[id] = GRANT_INVALID_REF;
kfree_skb(skb);


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.