From 2adc557330dde5b474d885518d2663180d3c8f45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 16 Dec 2015 05:19:37 +0100 Subject: [PATCH 10/13] xen-netfront: do not use data already exposed to backend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Organization: Invisible Things Lab Cc: Marek Marczykowski-Górecki Backend may freely modify anything on shared page, so use data which was supposed to be written there, instead of reading it back from the shared page. This unfortunatelly require putting xennet_make_first_txreq inline into xennet_start_xmit (the only use), because we need info.size, which isn't available anywhere else (other than shared page). This is part of XSA155. CC: stable@xxxxxxxxxxxxxxx Signed-off-by: Marek Marczykowski-Górecki --- drivers/net/xen-netfront.c | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 2af5100..959e479 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -453,23 +453,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset, tx->flags = 0; info->tx = tx; - info->size += tx->size; -} - -static struct xen_netif_tx_request *xennet_make_first_txreq( - struct netfront_queue *queue, struct sk_buff *skb, - struct page *page, unsigned int offset, unsigned int len) -{ - struct xennet_gnttab_make_txreq info = { - .queue = queue, - .skb = skb, - .page = page, - .size = 0, - }; - - gnttab_for_one_grant(page, offset, len, xennet_tx_setup_grant, &info); - - return info.tx; + info->size += len; } static void xennet_make_one_txreq(unsigned long gfn, unsigned int offset, @@ -564,6 +548,7 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) struct netfront_info *np = netdev_priv(dev); struct netfront_stats *tx_stats = this_cpu_ptr(np->tx_stats); struct xen_netif_tx_request *tx, *first_tx; + struct xennet_gnttab_make_txreq info; unsigned int i; int notify; int slots; @@ -614,14 +599,19 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) } /* First request for the linear area. */ - first_tx = tx = xennet_make_first_txreq(queue, skb, - page, offset, len); - offset += tx->size; + info.queue = queue; + info.skb = skb; + info.page = page; + info.size = 0; + gnttab_for_one_grant(page, offset, len, xennet_tx_setup_grant, &info); + + first_tx = tx = info.tx; + offset += info.size; if (offset == PAGE_SIZE) { page++; offset = 0; } - len -= tx->size; + len -= info.size; if (skb->ip_summed == CHECKSUM_PARTIAL) /* local packet? */ -- 2.1.0