diff options
| author | David S. Miller <davem@davemloft.net> | 2018-09-25 13:39:35 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-09-25 13:39:35 -0400 |
| commit | 970f1713ce22e625257af62a3f7d5e1761cc4f02 (patch) | |
| tree | d11b87a3087bb42159cecc05a7c8fbbd3ab3219a | |
| parent | e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 (diff) | |
| parent | 871088bf92e11efb69bbdbd537e48c0ad4f63729 (diff) | |
Merge branch 'xen-netback-hash'
Jan Beulich says:
====================
xen-netback: hash mapping handling adjustments
First and foremost the fix for XSA-270. On top of that further changes
which looked desirable to me while investigating that XSA.
1: fix input validation in xenvif_set_hash_mapping()
2: validate queue numbers in xenvif_set_hash_mapping()
3: handle page straddling in xenvif_set_hash_mapping()
====================
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/xen-netback/common.h | 3 | ||||
| -rw-r--r-- | drivers/net/xen-netback/hash.c | 51 | ||||
| -rw-r--r-- | drivers/net/xen-netback/interface.c | 3 |
3 files changed, 40 insertions, 17 deletions
diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h index a46a1e94505d..936c0b3e0ba2 100644 --- a/drivers/net/xen-netback/common.h +++ b/drivers/net/xen-netback/common.h | |||
| @@ -241,8 +241,9 @@ struct xenvif_hash_cache { | |||
| 241 | struct xenvif_hash { | 241 | struct xenvif_hash { |
| 242 | unsigned int alg; | 242 | unsigned int alg; |
| 243 | u32 flags; | 243 | u32 flags; |
| 244 | bool mapping_sel; | ||
| 244 | u8 key[XEN_NETBK_MAX_HASH_KEY_SIZE]; | 245 | u8 key[XEN_NETBK_MAX_HASH_KEY_SIZE]; |
| 245 | u32 mapping[XEN_NETBK_MAX_HASH_MAPPING_SIZE]; | 246 | u32 mapping[2][XEN_NETBK_MAX_HASH_MAPPING_SIZE]; |
| 246 | unsigned int size; | 247 | unsigned int size; |
| 247 | struct xenvif_hash_cache cache; | 248 | struct xenvif_hash_cache cache; |
| 248 | }; | 249 | }; |
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index 3c4c58b9fe76..0ccb021f1e78 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c | |||
| @@ -324,7 +324,8 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size) | |||
| 324 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; | 324 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; |
| 325 | 325 | ||
| 326 | vif->hash.size = size; | 326 | vif->hash.size = size; |
| 327 | memset(vif->hash.mapping, 0, sizeof(u32) * size); | 327 | memset(vif->hash.mapping[vif->hash.mapping_sel], 0, |
| 328 | sizeof(u32) * size); | ||
| 328 | 329 | ||
| 329 | return XEN_NETIF_CTRL_STATUS_SUCCESS; | 330 | return XEN_NETIF_CTRL_STATUS_SUCCESS; |
| 330 | } | 331 | } |
| @@ -332,31 +333,49 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size) | |||
| 332 | u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, | 333 | u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, |
| 333 | u32 off) | 334 | u32 off) |
| 334 | { | 335 | { |
| 335 | u32 *mapping = &vif->hash.mapping[off]; | 336 | u32 *mapping = vif->hash.mapping[!vif->hash.mapping_sel]; |
| 336 | struct gnttab_copy copy_op = { | 337 | unsigned int nr = 1; |
| 338 | struct gnttab_copy copy_op[2] = {{ | ||
| 337 | .source.u.ref = gref, | 339 | .source.u.ref = gref, |
| 338 | .source.domid = vif->domid, | 340 | .source.domid = vif->domid, |
| 339 | .dest.u.gmfn = virt_to_gfn(mapping), | ||
| 340 | .dest.domid = DOMID_SELF, | 341 | .dest.domid = DOMID_SELF, |
| 341 | .dest.offset = xen_offset_in_page(mapping), | 342 | .len = len * sizeof(*mapping), |
| 342 | .len = len * sizeof(u32), | ||
| 343 | .flags = GNTCOPY_source_gref | 343 | .flags = GNTCOPY_source_gref |
| 344 | }; | 344 | }}; |
| 345 | 345 | ||
| 346 | if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE) | 346 | if ((off + len < off) || (off + len > vif->hash.size) || |
| 347 | len > XEN_PAGE_SIZE / sizeof(*mapping)) | ||
| 347 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; | 348 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; |
| 348 | 349 | ||
| 349 | while (len-- != 0) | 350 | copy_op[0].dest.u.gmfn = virt_to_gfn(mapping + off); |
| 350 | if (mapping[off++] >= vif->num_queues) | 351 | copy_op[0].dest.offset = xen_offset_in_page(mapping + off); |
| 351 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; | 352 | if (copy_op[0].dest.offset + copy_op[0].len > XEN_PAGE_SIZE) { |
| 353 | copy_op[1] = copy_op[0]; | ||
| 354 | copy_op[1].source.offset = XEN_PAGE_SIZE - copy_op[0].dest.offset; | ||
| 355 | copy_op[1].dest.u.gmfn = virt_to_gfn(mapping + off + len); | ||
| 356 | copy_op[1].dest.offset = 0; | ||
| 357 | copy_op[1].len = copy_op[0].len - copy_op[1].source.offset; | ||
| 358 | copy_op[0].len = copy_op[1].source.offset; | ||
| 359 | nr = 2; | ||
| 360 | } | ||
| 352 | 361 | ||
| 353 | if (copy_op.len != 0) { | 362 | memcpy(mapping, vif->hash.mapping[vif->hash.mapping_sel], |
| 354 | gnttab_batch_copy(©_op, 1); | 363 | vif->hash.size * sizeof(*mapping)); |
| 355 | 364 | ||
| 356 | if (copy_op.status != GNTST_okay) | 365 | if (copy_op[0].len != 0) { |
| 366 | gnttab_batch_copy(copy_op, nr); | ||
| 367 | |||
| 368 | if (copy_op[0].status != GNTST_okay || | ||
| 369 | copy_op[nr - 1].status != GNTST_okay) | ||
| 357 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; | 370 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; |
| 358 | } | 371 | } |
| 359 | 372 | ||
| 373 | while (len-- != 0) | ||
| 374 | if (mapping[off++] >= vif->num_queues) | ||
| 375 | return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; | ||
| 376 | |||
| 377 | vif->hash.mapping_sel = !vif->hash.mapping_sel; | ||
| 378 | |||
| 360 | return XEN_NETIF_CTRL_STATUS_SUCCESS; | 379 | return XEN_NETIF_CTRL_STATUS_SUCCESS; |
| 361 | } | 380 | } |
| 362 | 381 | ||
| @@ -408,6 +427,8 @@ void xenvif_dump_hash_info(struct xenvif *vif, struct seq_file *m) | |||
| 408 | } | 427 | } |
| 409 | 428 | ||
| 410 | if (vif->hash.size != 0) { | 429 | if (vif->hash.size != 0) { |
| 430 | const u32 *mapping = vif->hash.mapping[vif->hash.mapping_sel]; | ||
| 431 | |||
| 411 | seq_puts(m, "\nHash Mapping:\n"); | 432 | seq_puts(m, "\nHash Mapping:\n"); |
| 412 | 433 | ||
| 413 | for (i = 0; i < vif->hash.size; ) { | 434 | for (i = 0; i < vif->hash.size; ) { |
| @@ -420,7 +441,7 @@ void xenvif_dump_hash_info(struct xenvif *vif, struct seq_file *m) | |||
| 420 | seq_printf(m, "[%4u - %4u]: ", i, i + n - 1); | 441 | seq_printf(m, "[%4u - %4u]: ", i, i + n - 1); |
| 421 | 442 | ||
| 422 | for (j = 0; j < n; j++, i++) | 443 | for (j = 0; j < n; j++, i++) |
| 423 | seq_printf(m, "%4u ", vif->hash.mapping[i]); | 444 | seq_printf(m, "%4u ", mapping[i]); |
| 424 | 445 | ||
| 425 | seq_puts(m, "\n"); | 446 | seq_puts(m, "\n"); |
| 426 | } | 447 | } |
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c index 92274c237200..f6ae23fc3f6b 100644 --- a/drivers/net/xen-netback/interface.c +++ b/drivers/net/xen-netback/interface.c | |||
| @@ -162,7 +162,8 @@ static u16 xenvif_select_queue(struct net_device *dev, struct sk_buff *skb, | |||
| 162 | if (size == 0) | 162 | if (size == 0) |
| 163 | return skb_get_hash_raw(skb) % dev->real_num_tx_queues; | 163 | return skb_get_hash_raw(skb) % dev->real_num_tx_queues; |
| 164 | 164 | ||
| 165 | return vif->hash.mapping[skb_get_hash_raw(skb) % size]; | 165 | return vif->hash.mapping[vif->hash.mapping_sel] |
| 166 | [skb_get_hash_raw(skb) % size]; | ||
| 166 | } | 167 | } |
| 167 | 168 | ||
| 168 | static int xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev) | 169 | static int xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev) |