lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <533029C7.1080006@citrix.com>
Date:	Mon, 24 Mar 2014 12:49:11 +0000
From:	David Vrabel <david.vrabel@...rix.com>
To:	Wei Liu <wei.liu2@...rix.com>
CC:	<netdev@...r.kernel.org>, <xen-devel@...ts.xen.org>,
	<paul.durrant@...rix.com>, <edwin@...rok.net>,
	Ian Campbell <ian.campbell@...rix.com>,
	<zoltan.kiss@...rix.com>
Subject: Re: [Xen-devel] [PATCH net] xen-netback: disable rogue vif in kthread
 context

On 24/03/14 12:13, Wei Liu wrote:
> When netback discovers frontend is sending malformed packet it will
> disables the interface which serves that frontend.
> 
> However disabling a network interface involving taking a mutex which
> cannot be done in softirq context, so we need to defer this process to
> kthread context.
> 
> This patch does the following:
> 1. introduce a flag to indicate the interface is disabled.
> 2. check that flag in TX path, don't do any work if it's true.
> 3. check that flag in RX path, turn off that interface if it's true.
> 
> The reason to disable it in RX path is because RX uses kthread. After
> this change the behavior of netback is still consistent -- it won't do
> any TX work for a rogue frontend, and the interface will be eventually
> turned off.
> 
> Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
> doesn't make sense to continue processing packets if frontend is rogue.
[...]
> --- a/drivers/net/xen-netback/interface.c
> +++ b/drivers/net/xen-netback/interface.c
> @@ -62,6 +62,13 @@ static int xenvif_poll(struct napi_struct *napi, int budget)
>  	struct xenvif *vif = container_of(napi, struct xenvif, napi);
>  	int work_done;
>  
> +	/* This vif is rogue, we pretend we've used up all budget to
> +	 * deschedule it from NAPI. But this interface will be turned
> +	 * off in thread context later.
> +	 */
> +	if (unlikely(vif->disabled))
> +		return budget;

Shouldn't you call __napi_complete() and return 0?  Returning budget
will make NAPI poll repeatedly (since you're pretending to do work).

> diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
> index 438d0c0..94e7261 100644
> --- a/drivers/net/xen-netback/netback.c
> +++ b/drivers/net/xen-netback/netback.c
> @@ -655,7 +655,7 @@ static void xenvif_tx_err(struct xenvif *vif,
>  static void xenvif_fatal_tx_err(struct xenvif *vif)
>  {
>  	netdev_err(vif->dev, "fatal error; disabling device\n");
> -	xenvif_carrier_off(vif);
> +	vif->disabled = true;

Do you need to wake the thread here?

> @@ -1549,6 +1549,16 @@ int xenvif_kthread(void *data)
>  		wait_event_interruptible(vif->wq,
>  					 rx_work_todo(vif) ||
>  					 kthread_should_stop());

                                         || vif->disabled ?

> +
> +		/* This frontend is found to be rogue, disable it in
> +		 * kthread context. Currently this is only set when
> +		 * netback finds out frontend sends malformed packet,
> +		 * but we cannot disable the interface in softirq
> +		 * context so we defer it here.
> +		 */
> +		if (unlikely(vif->disabled) && netif_carrier_ok(vif->dev))
> +			xenvif_carrier_off(vif);
> +
>  		if (kthread_should_stop())
>  			break;
>  

As an aside, since I happened to be looking at xenvif_poll(), disabling
local irqs to avoid problems with concurrent events looks unsafe as the
event may occur on another VCPU.

   __napi_complete(napi);
   RING_FINAL_CHECK_FOR_REQUESTS(&vif->tx, more_to_do);
   if (more_to_do)
       napi_schedule(napi);

Would work I think.

David
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ