Apply XSA 90

The only vulnerable versions are >=3.12-rc1.
2014-04-02 03:07:19 +02:00 · 2014-04-02 03:07:19 +02:00 · a2465eb0e3
commit a2465eb0e3
parent 927942a2c0
2 changed files with 120 additions and 0 deletions
--- a/patches.xen/xsa90.patch
+++ b/patches.xen/xsa90.patch
@ -0,0 +1,117 @@
+From: Wei Liu <wei.liu2@citrix.com>
+Date: Mon, 17 Mar 2014 11:52:53 +0000
+Subject: [PATCH RFC] xen-netback: disable rogue vif in kthread context
+
+When netback discovers frontend is sending malformed packet it will
+disables the interface which serves that frontend.
+
+However disabling a network interface involving taking a mutex which
+cannot be done in softirq context, so we need to defer this process to
+kthread context.
+
+This patch does the following:
+1. introduce a flag to indicate the interface is disabled.
+2. check that flag in TX path, don't do any work if it's true.
+3. check that flag in RX path, turn off that interface if it's true.
+
+The reason to disable it in RX path is because RX uses kthread. After
+this change the behavior of netback is still consistent -- it won't do
+any TX work for a rogue frontend, and the interface will be eventually
+turned off.
+
+Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
+doesn't make sense to continue processing packets if frontend is rogue.
+
+Signed-off-by: Wei Liu <wei.liu2@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ drivers/net/xen-netback/common.h    |    5 +++++
+ drivers/net/xen-netback/interface.c |    9 +++++++++
+ drivers/net/xen-netback/netback.c   |   14 ++++++++++++--
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h
+index ae413a2..4bf5b33 100644
+--- a/drivers/net/xen-netback/common.h
+++ b/drivers/net/xen-netback/common.h
+@@ -113,6 +113,11 @@ struct xenvif {
+ 	domid_t          domid;
+ 	unsigned int     handle;
+ 
+	/* Is this interface disabled? True when backend discovers
+	 * frontend is rogue.
+	 */
+	bool disabled;
+
+ 	/* Use NAPI for guest TX */
+ 	struct napi_struct napi;
+ 	/* When feature-split-event-channels = 0, tx_irq = rx_irq. */
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index 301cc03..234f1c8 100644
+--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
+@@ -62,6 +62,13 @@ static int xenvif_poll(struct napi_struct *napi, int budget)
+ 	struct xenvif *vif = container_of(napi, struct xenvif, napi);
+ 	int work_done;
+ 
+	/* This vif is rogue, we pretend we've used up all budget to
+	 * deschedule it from NAPI. But this interface will be turned
+	 * off in thread context later.
+	 */
+	if (unlikely(vif->disabled))
+		return budget;
+
+ 	work_done = xenvif_tx_action(vif, budget);
+ 
+ 	if (work_done < budget) {
+@@ -321,6 +328,8 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid,
+ 	vif->csum = 1;
+ 	vif->dev = dev;
+ 
+	vif->disabled = false;
+
+ 	vif->credit_bytes = vif->remaining_credit = ~0UL;
+ 	vif->credit_usec  = 0UL;
+ 	init_timer(&vif->credit_timeout);
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 438d0c0..94e7261 100644
+--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
+@@ -655,7 +655,7 @@ static void xenvif_tx_err(struct xenvif *vif,
+ static void xenvif_fatal_tx_err(struct xenvif *vif)
+ {
+ 	netdev_err(vif->dev, "fatal error; disabling device\n");
+-	xenvif_carrier_off(vif);
+	vif->disabled = true;
+ }
+ 
+ static int xenvif_count_requests(struct xenvif *vif,
+@@ -1126,7 +1126,7 @@ static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget)
+ 				   vif->tx.sring->req_prod, vif->tx.req_cons,
+ 				   XEN_NETIF_TX_RING_SIZE);
+ 			xenvif_fatal_tx_err(vif);
+-			continue;
+			break;
+ 		}
+ 
+ 		RING_FINAL_CHECK_FOR_REQUESTS(&vif->tx, work_to_do);
+@@ -1549,6 +1549,16 @@ int xenvif_kthread(void *data)
+ 		wait_event_interruptible(vif->wq,
+ 					 rx_work_todo(vif) ||
+ 					 kthread_should_stop());
+
+		/* This frontend is found to be rogue, disable it in
+		 * kthread context. Currently this is only set when
+		 * netback finds out frontend sends malformed packet,
+		 * but we cannot disable the interface in softirq
+		 * context so we defer it here.
+		 */
+		if (unlikely(vif->disabled && netif_carrier_ok(vif->dev)))
+			xenvif_carrier_off(vif);
+
+ 		if (kthread_should_stop())
+ 			break;
+ 
+-- 
+1.7.10.4
+
--- a/series-pvops.conf
+++ b/series-pvops.conf
@ -1,5 +1,8 @@
 patches.rpmify/makefile-after_link.patch

+# bug introduced after 3.11 release
+patches.xen/xsa90.patch
+
 # fix for GPU performance (revert workaround and apply proper fix), should go in 3.5
 patches.xen/pvops-3.4-Revert-xen-pat-Disable-PAT-support-for-now.patch
 patches.xen/pvops-Revert-xen-pat-Disable-PAT-using-pat_enabled-value.patch