| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Mar 2014 12:49:11 +0000
From: David Vrabel <david.vrabel@...rix.com>
To: Wei Liu <wei.liu2@...rix.com>
CC: <netdev@...r.kernel.org>, <xen-devel@...ts.xen.org>,
<paul.durrant@...rix.com>, <edwin@...rok.net>,
Ian Campbell <ian.campbell@...rix.com>,
<zoltan.kiss@...rix.com>
Subject: Re: [Xen-devel] [PATCH net] xen-netback: disable rogue vif in kthread
context
On 24/03/14 12:13, Wei Liu wrote:
> When netback discovers frontend is sending malformed packet it will
> disables the interface which serves that frontend.
>
> However disabling a network interface involving taking a mutex which
> cannot be done in softirq context, so we need to defer this process to
> kthread context.
>
> This patch does the following:
> 1. introduce a flag to indicate the interface is disabled.
> 2. check that flag in TX path, don't do any work if it's true.
> 3. check that flag in RX path, turn off that interface if it's true.
>
> The reason to disable it in RX path is because RX uses kthread. After
> this change the behavior of netback is still consistent -- it won't do
> any TX work for a rogue frontend, and the interface will be eventually
> turned off.
>
> Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
> doesn't make sense to continue processing packets if frontend is rogue.
[...]
> --- a/drivers/net/xen-netback/interface.c
> +++ b/drivers/net/xen-netback/interface.c
> @@ -62,6 +62,13 @@ static int xenvif_poll(struct napi_struct *napi, int budget)
> struct xenvif *vif = container_of(napi, struct xenvif, napi);
> int work_done;
>
> + /* This vif is rogue, we pretend we've used up all budget to
> + * deschedule it from NAPI. But this interface will be turned
> + * off in thread context later.
> + */
> + if (unlikely(vif->disabled))
> + return budget;
Shouldn't you call __napi_complete() and return 0? Returning budget
will make NAPI poll repeatedly (since you're pretending to do work).
> diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
> index 438d0c0..94e7261 100644
> --- a/drivers/net/xen-netback/netback.c
> +++ b/drivers/net/xen-netback/netback.c
> @@ -655,7 +655,7 @@ static void xenvif_tx_err(struct xenvif *vif,
> static void xenvif_fatal_tx_err(struct xenvif *vif)
> {
> netdev_err(vif->dev, "fatal error; disabling device\n");
> - xenvif_carrier_off(vif);
> + vif->disabled = true;
Do you need to wake the thread here?
> @@ -1549,6 +1549,16 @@ int xenvif_kthread(void *data)
> wait_event_interruptible(vif->wq,
> rx_work_todo(vif) ||
> kthread_should_stop());
|| vif->disabled ?
> +
> + /* This frontend is found to be rogue, disable it in
> + * kthread context. Currently this is only set when
> + * netback finds out frontend sends malformed packet,
> + * but we cannot disable the interface in softirq
> + * context so we defer it here.
> + */
> + if (unlikely(vif->disabled) && netif_carrier_ok(vif->dev))
> + xenvif_carrier_off(vif);
> +
> if (kthread_should_stop())
> break;
>
As an aside, since I happened to be looking at xenvif_poll(), disabling
local irqs to avoid problems with concurrent events looks unsafe as the
event may occur on another VCPU.
__napi_complete(napi);
RING_FINAL_CHECK_FOR_REQUESTS(&vif->tx, more_to_do);
if (more_to_do)
napi_schedule(napi);
Would work I think.
David
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists