Update XSA155 patches

pull/22/head
fepitre 6 years ago
parent 3f7383afce
commit 853ff4cc62

@ -1,13 +1,11 @@
From 8322f4eddaf1fe5a9bdf5252c8140daa8bad60fd Mon Sep 17 00:00:00 2001 From bf0b3f33476360b5d72f87d749409b0a2b1a57cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Tue, 15 Dec 2015 21:35:14 +0100 Date: Tue, 15 Dec 2015 21:35:14 +0100
Subject: [PATCH 08/13] xen: Add RING_COPY_RESPONSE() Subject: [PATCH] xen: Add RING_COPY_RESPONSE()
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Using RING_GET_RESPONSE() on a shared ring is easy to use incorrectly Using RING_GET_RESPONSE() on a shared ring is easy to use incorrectly
(i.e., by not considering that the other end may alter the data in the (i.e., by not considering that the other end may alter the data in the
@ -31,10 +29,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
1 file changed, 14 insertions(+) 1 file changed, 14 insertions(+)
diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
index 7dc685b..312415c 100644 index 3f40501fc60b..03702f6874df 100644
--- a/include/xen/interface/io/ring.h --- a/include/xen/interface/io/ring.h
+++ b/include/xen/interface/io/ring.h +++ b/include/xen/interface/io/ring.h
@@ -198,6 +198,20 @@ struct __name##_back_ring { \ @@ -201,6 +201,20 @@ struct __name##_back_ring { \
#define RING_GET_RESPONSE(_r, _idx) \ #define RING_GET_RESPONSE(_r, _idx) \
(&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
@ -56,5 +54,5 @@ index 7dc685b..312415c 100644
#define RING_REQUEST_CONS_OVERFLOW(_r, _cons) \ #define RING_REQUEST_CONS_OVERFLOW(_r, _cons) \
(((_cons) - (_r)->rsp_prod_pvt) >= RING_SIZE(_r)) (((_cons) - (_r)->rsp_prod_pvt) >= RING_SIZE(_r))
-- --
2.1.0 2.17.1

@ -1,13 +1,11 @@
From 76a020d3b2023ca02961eab38318ef2d6f1338d9 Mon Sep 17 00:00:00 2001 From f8bc4b3be49e47dcf005ce12ef25071fe16bd45b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:22:24 +0100 Date: Wed, 16 Dec 2015 05:22:24 +0100
Subject: [PATCH 11/13] xen-netfront: add range check for Tx response id Subject: [PATCH] xen-netfront: add range check for Tx response id
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Tx response ID is fetched from shared page, so make sure it is sane Tx response ID is fetched from shared page, so make sure it is sane
before using it as an array index. before using it as an array index.
@ -21,10 +19,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 959e479..94309e6 100644 index 026d39702217..4150128ab893 100644
--- a/drivers/net/xen-netfront.c --- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c
@@ -379,6 +379,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) @@ -395,6 +395,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
continue; continue;
id = txrsp.id; id = txrsp.id;
@ -33,5 +31,5 @@ index 959e479..94309e6 100644
if (unlikely(gnttab_query_foreign_access( if (unlikely(gnttab_query_foreign_access(
queue->grant_tx_ref[id]) != 0)) { queue->grant_tx_ref[id]) != 0)) {
-- --
2.1.0 2.17.1

@ -1,14 +1,11 @@
From ef0d243bfeaf1da8854c26f89536dc1b69c56602 Mon Sep 17 00:00:00 2001 From 26baa3367516dac7e376e2595d187dd9887bf0e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:51:10 +0100 Date: Wed, 16 Dec 2015 05:51:10 +0100
Subject: [PATCH 12/13] xen-blkfront: make local copy of response before using Subject: [PATCH] xen-blkfront: make local copy of response before using it
it
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Data on the shared page can be changed at any time by the backend. Make Data on the shared page can be changed at any time by the backend. Make
a local copy, which is no longer controlled by the backend. And only a local copy, which is no longer controlled by the backend. And only
@ -23,10 +20,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
1 file changed, 17 insertions(+), 17 deletions(-) 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
index 2fee2ee..5d7eb04 100644 index b5cedccb5d7d..87781c076733 100644
--- a/drivers/block/xen-blkfront.c --- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c
@@ -1552,7 +1552,7 @@ static bool blkif_completion(unsigned long *id, @@ -1548,7 +1548,7 @@ static bool blkif_completion(unsigned long *id,
static irqreturn_t blkif_interrupt(int irq, void *dev_id) static irqreturn_t blkif_interrupt(int irq, void *dev_id)
{ {
struct request *req; struct request *req;
@ -35,7 +32,7 @@ index 2fee2ee..5d7eb04 100644
RING_IDX i, rp; RING_IDX i, rp;
unsigned long flags; unsigned long flags;
struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id; struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id;
@@ -1569,8 +1569,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) @@ -1565,8 +1565,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
for (i = rinfo->ring.rsp_cons; i != rp; i++) { for (i = rinfo->ring.rsp_cons; i != rp; i++) {
unsigned long id; unsigned long id;
@ -46,7 +43,7 @@ index 2fee2ee..5d7eb04 100644
/* /*
* The backend has messed up and given us an id that we would * The backend has messed up and given us an id that we would
* never have given to it (we stamp it up to BLK_RING_SIZE - * never have given to it (we stamp it up to BLK_RING_SIZE -
@@ -1578,39 +1578,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) @@ -1574,39 +1574,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
*/ */
if (id >= BLK_RING_SIZE(info)) { if (id >= BLK_RING_SIZE(info)) {
WARN(1, "%s: response to %s has incorrect id (%ld)\n", WARN(1, "%s: response to %s has incorrect id (%ld)\n",
@ -94,7 +91,7 @@ index 2fee2ee..5d7eb04 100644
blkif_req(req)->error = BLK_STS_NOTSUPP; blkif_req(req)->error = BLK_STS_NOTSUPP;
info->feature_discard = 0; info->feature_discard = 0;
info->feature_secdiscard = 0; info->feature_secdiscard = 0;
@@ -1620,15 +1620,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) @@ -1616,15 +1616,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
break; break;
case BLKIF_OP_FLUSH_DISKCACHE: case BLKIF_OP_FLUSH_DISKCACHE:
case BLKIF_OP_WRITE_BARRIER: case BLKIF_OP_WRITE_BARRIER:
@ -114,7 +111,7 @@ index 2fee2ee..5d7eb04 100644
blkif_req(req)->error = BLK_STS_NOTSUPP; blkif_req(req)->error = BLK_STS_NOTSUPP;
} }
if (unlikely(blkif_req(req)->error)) { if (unlikely(blkif_req(req)->error)) {
@@ -1641,9 +1641,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) @@ -1637,9 +1637,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
/* fall through */ /* fall through */
case BLKIF_OP_READ: case BLKIF_OP_READ:
case BLKIF_OP_WRITE: case BLKIF_OP_WRITE:
@ -127,5 +124,5 @@ index 2fee2ee..5d7eb04 100644
break; break;
default: default:
-- --
2.1.0 2.17.1

@ -1,14 +1,12 @@
From 3a1006355114da4b8fc4b935a64928b7f6ae374f Mon Sep 17 00:00:00 2001 From c7c1661d1b265ea620939bb5da4958eb0fb1385b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:09:55 +0100 Date: Wed, 16 Dec 2015 05:09:55 +0100
Subject: [PATCH 09/13] xen-netfront: copy response out of shared buffer before Subject: [PATCH] xen-netfront: copy response out of shared buffer before
accessing it accessing it
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Make local copy of the response, otherwise backend might modify it while Make local copy of the response, otherwise backend might modify it while
frontend is already processing it - leading to time of check / time of frontend is already processing it - leading to time of check / time of
@ -16,14 +14,14 @@ use issue.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
--- ---
drivers/net/xen-netfront.c | 51 +++++++++++++++++++++++----------------------- drivers/net/xen-netfront.c | 51 +++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 26 deletions(-) 1 file changed, 25 insertions(+), 26 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index d6abf19..2af5100 100644 index 9dd2ca62d84a..1b6c319d74f1 100644
--- a/drivers/net/xen-netfront.c --- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c
@@ -372,13 +372,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) @@ -388,13 +388,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
rmb(); /* Ensure we see responses up to 'rp'. */ rmb(); /* Ensure we see responses up to 'rp'. */
for (cons = queue->tx.rsp_cons; cons != prod; cons++) { for (cons = queue->tx.rsp_cons; cons != prod; cons++) {
@ -41,7 +39,7 @@ index d6abf19..2af5100 100644
skb = queue->tx_skbs[id].skb; skb = queue->tx_skbs[id].skb;
if (unlikely(gnttab_query_foreign_access( if (unlikely(gnttab_query_foreign_access(
queue->grant_tx_ref[id]) != 0)) { queue->grant_tx_ref[id]) != 0)) {
@@ -721,7 +721,7 @@ static int xennet_get_extras(struct netfront_queue *queue, @@ -742,7 +742,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
RING_IDX rp) RING_IDX rp)
{ {
@ -50,7 +48,7 @@ index d6abf19..2af5100 100644
struct device *dev = &queue->info->netdev->dev; struct device *dev = &queue->info->netdev->dev;
RING_IDX cons = queue->rx.rsp_cons; RING_IDX cons = queue->rx.rsp_cons;
int err = 0; int err = 0;
@@ -737,24 +737,23 @@ static int xennet_get_extras(struct netfront_queue *queue, @@ -758,24 +758,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
break; break;
} }
@ -82,7 +80,7 @@ index d6abf19..2af5100 100644
queue->rx.rsp_cons = cons; queue->rx.rsp_cons = cons;
return err; return err;
@@ -764,28 +763,28 @@ static int xennet_get_responses(struct netfront_queue *queue, @@ -785,28 +784,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
struct netfront_rx_info *rinfo, RING_IDX rp, struct netfront_rx_info *rinfo, RING_IDX rp,
struct sk_buff_head *list) struct sk_buff_head *list)
{ {
@ -93,8 +91,8 @@ index d6abf19..2af5100 100644
RING_IDX cons = queue->rx.rsp_cons; RING_IDX cons = queue->rx.rsp_cons;
struct sk_buff *skb = xennet_get_rx_skb(queue, cons); struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
grant_ref_t ref = xennet_get_rx_ref(queue, cons); grant_ref_t ref = xennet_get_rx_ref(queue, cons);
- int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD); - int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
+ int max = MAX_SKB_FRAGS + (rx.status <= RX_COPY_THRESHOLD); + int max = XEN_NETIF_NR_SLOTS_MIN + (rx.status <= RX_COPY_THRESHOLD);
int slots = 1; int slots = 1;
int err = 0; int err = 0;
unsigned long ret; unsigned long ret;
@ -117,7 +115,7 @@ index d6abf19..2af5100 100644
xennet_move_rx_slot(queue, skb, ref); xennet_move_rx_slot(queue, skb, ref);
err = -EINVAL; err = -EINVAL;
goto next; goto next;
@@ -799,7 +798,7 @@ static int xennet_get_responses(struct netfront_queue *queue, @@ -820,7 +819,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
if (ref == GRANT_INVALID_REF) { if (ref == GRANT_INVALID_REF) {
if (net_ratelimit()) if (net_ratelimit())
dev_warn(dev, "Bad rx response id %d.\n", dev_warn(dev, "Bad rx response id %d.\n",
@ -126,7 +124,7 @@ index d6abf19..2af5100 100644
err = -EINVAL; err = -EINVAL;
goto next; goto next;
} }
@@ -812,7 +811,7 @@ static int xennet_get_responses(struct netfront_queue *queue, @@ -833,7 +832,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
__skb_queue_tail(list, skb); __skb_queue_tail(list, skb);
next: next:
@ -135,7 +133,7 @@ index d6abf19..2af5100 100644
break; break;
if (cons + slots == rp) { if (cons + slots == rp) {
@@ -822,7 +821,7 @@ next: @@ -843,7 +842,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
break; break;
} }
@ -144,7 +142,7 @@ index d6abf19..2af5100 100644
skb = xennet_get_rx_skb(queue, cons + slots); skb = xennet_get_rx_skb(queue, cons + slots);
ref = xennet_get_rx_ref(queue, cons + slots); ref = xennet_get_rx_ref(queue, cons + slots);
slots++; slots++;
@@ -878,9 +877,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, @@ -898,9 +897,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
struct sk_buff *nskb; struct sk_buff *nskb;
while ((nskb = __skb_dequeue(list))) { while ((nskb = __skb_dequeue(list))) {
@ -154,18 +152,18 @@ index d6abf19..2af5100 100644
skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+ RING_COPY_RESPONSE(&queue->rx, ++cons, &rx); + RING_COPY_RESPONSE(&queue->rx, ++cons, &rx);
if (shinfo->nr_frags == MAX_SKB_FRAGS) { if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
@@ -891,7 +890,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, @@ -912,7 +911,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
skb_frag_page(nfrag),
- rx->offset, rx->status, PAGE_SIZE); - rx->offset, rx->status, PAGE_SIZE);
+ rx.offset, rx.status, PAGE_SIZE); + rx.offset, rx.status, PAGE_SIZE);
skb_shinfo(nskb)->nr_frags = 0; skb_shinfo(nskb)->nr_frags = 0;
kfree_skb(nskb); kfree_skb(nskb);
@@ -987,7 +986,7 @@ static int xennet_poll(struct napi_struct *napi, int budget) @@ -1008,7 +1007,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
i = queue->rx.rsp_cons; i = queue->rx.rsp_cons;
work_done = 0; work_done = 0;
while ((i != rp) && (work_done < budget)) { while ((i != rp) && (work_done < budget)) {
@ -175,5 +173,5 @@ index d6abf19..2af5100 100644
err = xennet_get_responses(queue, &rinfo, rp, &tmpq); err = xennet_get_responses(queue, &rinfo, rp, &tmpq);
-- --
2.1.0 2.17.1
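Review bot: In the xennet_fill_frags hunk, `RING_COPY_RESPONSE(&queue->rx, ++cons, &rx);` passes an expression with a side effect as a macro argument, so the ring index is only correct if the macro expands `_idx` exactly once. The macro body is not visible in this rendering of the ring.h patch, and nothing at the call site records that assumption. Incrementing first, `++cons;` followed by `RING_COPY_RESPONSE(&queue->rx, cons, &rx);`, keeps the copy out of the shared ring independent of how the macro is written or later changed. The loop body continues outside the hunk.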

@ -1,14 +1,11 @@
From 2adc557330dde5b474d885518d2663180d3c8f45 Mon Sep 17 00:00:00 2001 From 11b753cc107f41aca56ba0698a1bd6b806cd6795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:19:37 +0100 Date: Wed, 16 Dec 2015 05:19:37 +0100
Subject: [PATCH 10/13] xen-netfront: do not use data already exposed to Subject: [PATCH] xen-netfront: do not use data already exposed to backend
backend
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Backend may freely modify anything on shared page, so use data which was Backend may freely modify anything on shared page, so use data which was
supposed to be written there, instead of reading it back from the shared supposed to be written there, instead of reading it back from the shared
@ -19,14 +16,14 @@ This is part of XSA155.
CC: stable@vger.kernel.org CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
--- ---
drivers/net/xen-netfront.c | 32 +++++++++++--------------------- drivers/net/xen-netfront.c | 9 +++++----
1 file changed, 11 insertions(+), 21 deletions(-) 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 2af5100..959e479 100644 index 1b6c319d74f1..026d39702217 100644
--- a/drivers/net/xen-netfront.c --- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c
@@ -453,7 +453,7 @@ static void xennet_tx_setup_grant(unsign @@ -459,7 +459,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
tx->flags = 0; tx->flags = 0;
info->tx = tx; info->tx = tx;
@ -35,7 +32,7 @@ index 2af5100..959e479 100644
} }
static struct xen_netif_tx_request *xennet_make_first_txreq( static struct xen_netif_tx_request *xennet_make_first_txreq(
@@ -522,7 +524,7 @@ static int xennet_start_xmit(struct sk_b @@ -575,7 +575,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
int slots; int slots;
struct page *page; struct page *page;
unsigned int offset; unsigned int offset;
@ -44,7 +41,7 @@ index 2af5100..959e479 100644
unsigned long flags; unsigned long flags;
struct netfront_queue *queue = NULL; struct netfront_queue *queue = NULL;
unsigned int num_queues = dev->real_num_tx_queues; unsigned int num_queues = dev->real_num_tx_queues;
@@ -614,14 +614,15 @@ static int xennet_start_xmit(struct sk_b @@ -635,14 +635,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
} }
/* First request for the linear area. */ /* First request for the linear area. */
@ -62,3 +59,6 @@ index 2af5100..959e479 100644
if (skb->ip_summed == CHECKSUM_PARTIAL) if (skb->ip_summed == CHECKSUM_PARTIAL)
/* local packet? */ /* local packet? */
--
2.17.1
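Review bot: The refreshed diffstat for this patch shrinks from `11 insertions(+), 21 deletions(-)` to `5 insertions(+), 4 deletions(-)`, and neither the commit title nor the patch description says which hunks were dropped or why. Because the patch exists to stop xen-netfront from reading back data the backend can modify on the shared page, please confirm that each dropped hunk is already covered by the target kernel's own code rather than lost in the rebase. Record the reason in the commit message, for example `Dropped hunks already present upstream as <commit-id placeholder>`. The xen-blkfront "prepare request locally" patch that follows also changes its diffstat (`30 insertions(+), 26 deletions(-)` to `44 insertions(+), 32 deletions(-)`) and deserves the same one-line explanation.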

@ -1,14 +1,12 @@
From 74aaa42e1f25309a163acd00083ecbbc186fbb47 Mon Sep 17 00:00:00 2001 From 5c574ee1c388258969b2c66d46db20be16c3aeb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com> <marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 06:07:14 +0100 Date: Wed, 16 Dec 2015 06:07:14 +0100
Subject: [PATCH 13/13] xen-blkfront: prepare request locally, only then put it Subject: [PATCH] xen-blkfront: prepare request locally, only then put it on
on the shared ring the shared ring
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Do not reuse data which theoretically might be already modified by the Do not reuse data which theoretically might be already modified by the
backend. This is mostly about private copy of the request backend. This is mostly about private copy of the request
@ -20,14 +18,14 @@ This is part of XSA155.
CC: stable@vger.kernel.org CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
--- ---
drivers/block/xen-blkfront.c | 56 ++++++++++++++++++++++++-------------------- drivers/block/xen-blkfront.c | 76 +++++++++++++++++++++---------------
1 file changed, 30 insertions(+), 26 deletions(-) 1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
index e99ea22..7191800 100644 index 87781c076733..3da0f6be24c9 100644
--- a/drivers/block/xen-blkfront.c --- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c
@@ -528,19 +528,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode, @@ -524,19 +524,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode,
static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
struct request *req, struct request *req,
@ -49,7 +47,7 @@ index e99ea22..7191800 100644
return id; return id;
} }
@@ -548,23 +545,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, @@ -544,23 +541,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo) static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo)
{ {
struct blkfront_info *info = rinfo->dev_info; struct blkfront_info *info = rinfo->dev_info;
@ -86,7 +84,7 @@ index e99ea22..7191800 100644
return 0; return 0;
} }
@@ -696,7 +698,7 @@ static void blkif_setup_extra_req(struct blkif_request *first, @@ -692,7 +694,7 @@ static void blkif_setup_extra_req(struct blkif_request *first,
static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *rinfo) static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *rinfo)
{ {
struct blkfront_info *info = rinfo->dev_info; struct blkfront_info *info = rinfo->dev_info;
@ -95,7 +93,7 @@ index e99ea22..7191800 100644
unsigned long id, extra_id = NO_ASSOCIATED_ID; unsigned long id, extra_id = NO_ASSOCIATED_ID;
bool require_extra_req = false; bool require_extra_req = false;
int i; int i;
@@ -761,16 +763,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri @@ -757,16 +759,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
* BLKIF_OP_WRITE * BLKIF_OP_WRITE
*/ */
BUG_ON(req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA); BUG_ON(req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA);
@ -120,7 +118,7 @@ index e99ea22..7191800 100644
BLKIF_OP_WRITE : BLKIF_OP_READ; BLKIF_OP_WRITE : BLKIF_OP_READ;
if (req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA) { if (req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA) {
/* /*
@@ -781,15 +783,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri @@ -777,15 +779,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
* since it is guaranteed ordered WRT previous writes.) * since it is guaranteed ordered WRT previous writes.)
*/ */
if (info->feature_flush && info->feature_fua) if (info->feature_flush && info->feature_fua)
@ -140,7 +138,7 @@ index e99ea22..7191800 100644
if (unlikely(require_extra_req)) { if (unlikely(require_extra_req)) {
extra_id = blkif_ring_get_request(rinfo, req, extra_id = blkif_ring_get_request(rinfo, req,
&extra_ring_req); &extra_ring_req);
@@ -799,7 +801,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri @@ -795,7 +797,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
*/ */
rinfo->shadow[extra_id].num_sg = 0; rinfo->shadow[extra_id].num_sg = 0;
@ -149,7 +147,7 @@ index e99ea22..7191800 100644
/* Link the 2 requests together */ /* Link the 2 requests together */
rinfo->shadow[extra_id].associated_id = id; rinfo->shadow[extra_id].associated_id = id;
@@ -807,12 +809,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri @@ -803,12 +805,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
} }
} }
@ -164,7 +162,7 @@ index e99ea22..7191800 100644
for_each_sg(rinfo->shadow[id].sg, sg, num_sg, i) { for_each_sg(rinfo->shadow[id].sg, sg, num_sg, i) {
BUG_ON(sg->offset + sg->length > PAGE_SIZE); BUG_ON(sg->offset + sg->length > PAGE_SIZE);
@@ -834,10 +836,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri @@ -830,10 +832,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
if (setup.segments) if (setup.segments)
kunmap_atomic(setup.segments); kunmap_atomic(setup.segments);
@ -188,3 +186,6 @@ index e99ea22..7191800 100644
if (new_persistent_gnts) if (new_persistent_gnts)
gnttab_free_grant_references(setup.gref_head); gnttab_free_grant_references(setup.gref_head);
--
2.17.1
