From 6c7b9e32eb26ad5c535126c8775e2e4c68b0d57a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Wed, 16 Dec 2015 05:09:55 +0100
Subject: [PATCH] xen-netfront: copy response out of shared buffer before
accessing it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Make a local copy of the response; otherwise the backend might modify it
while the frontend is already processing it, leading to a time-of-check /
time-of-use issue.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/net/xen-netfront.c | 51 +++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 26 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 5c9a0226dc8d..b981a17f2edd 100644
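--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -385,13 +385,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
 rmb(); /* Ensure we see responses up to 'rp'. */
 
 for (cons = queue->tx.rsp_cons; cons != prod; cons++) {
-struct xen_netif_tx_response *txrsp;
+struct xen_netif_tx_response txrsp;
 
-txrsp = RING_GET_RESPONSE(&queue->tx, cons);
-if (txrsp->status == XEN_NETIF_RSP_NULL)
+RING_COPY_RESPONSE(&queue->tx, cons, &txrsp);
+if (txrsp.status == XEN_NETIF_RSP_NULL)
 continue;
 
-id = txrsp->id;
+id = txrsp.id;
 skb = queue->tx_skbs[id].skb;
 if (unlikely(gnttab_query_foreign_access(
 queue->grant_tx_ref[id]) != 0)) {
@@ -739,7 +739,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
 RING_IDX rp)
 
 {
-struct xen_netif_extra_info *extra;
+struct xen_netif_extra_info extra;
 struct device *dev = &queue->info->netdev->dev;
 RING_IDX cons = queue->rx.rsp_cons;
 int err = 0;
@@ -755,24 +755,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
 break;
 }
 
-extra = (struct xen_netif_extra_info *)
-RING_GET_RESPONSE(&queue->rx, ++cons);
+RING_COPY_RESPONSE(&queue->rx, ++cons, &extra);
 
-if (unlikely(!extra->type ||
-extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
+if (unlikely(!extra.type ||
+extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
 if (net_ratelimit())
 dev_warn(dev, "Invalid extra type: %d\n",
-extra->type);
+extra.type);
 err = -EINVAL;
 } else {
-memcpy(&extras[extra->type - 1], extra,
-sizeof(*extra));
+memcpy(&extras[extra.type - 1], &extra,
+sizeof(extra));
 }
 
 skb = xennet_get_rx_skb(queue, cons);
 ref = xennet_get_rx_ref(queue, cons);
 xennet_move_rx_slot(queue, skb, ref);
-} while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE);
+} while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
 
 queue->rx.rsp_cons = cons;
 return err;
@@ -782,28 +781,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
 struct netfront_rx_info *rinfo, RING_IDX rp,
 struct sk_buff_head *list)
 {
-struct xen_netif_rx_response *rx = &rinfo->rx;
+struct xen_netif_rx_response rx = rinfo->rx;
 struct xen_netif_extra_info *extras = rinfo->extras;
 struct device *dev = &queue->info->netdev->dev;
 RING_IDX cons = queue->rx.rsp_cons;
 struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
 grant_ref_t ref = xennet_get_rx_ref(queue, cons);
-int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
+int max = XEN_NETIF_NR_SLOTS_MIN + (rx.status <= RX_COPY_THRESHOLD);
 int slots = 1;
 int err = 0;
 unsigned long ret;
 
-if (rx->flags & XEN_NETRXF_extra_info) {
+if (rx.flags & XEN_NETRXF_extra_info) {
 err = xennet_get_extras(queue, extras, rp);
 cons = queue->rx.rsp_cons;
 }
 
 for (;;) {
-if (unlikely(rx->status < 0 ||
-rx->offset + rx->status > XEN_PAGE_SIZE)) {
+if (unlikely(rx.status < 0 ||
+rx.offset + rx.status > XEN_PAGE_SIZE)) {
 if (net_ratelimit())
 dev_warn(dev, "rx->offset: %u, size: %d\n",
-rx->offset, rx->status);
+rx.offset, rx.status);
 xennet_move_rx_slot(queue, skb, ref);
 err = -EINVAL;
 goto next;
@@ -817,7 +816,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
 if (ref == GRANT_INVALID_REF) {
 if (net_ratelimit())
 dev_warn(dev, "Bad rx response id %d.\n",
-rx->id);
+rx.id);
 err = -EINVAL;
 goto next;
 }
@@ -830,7 +829,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
 __skb_queue_tail(list, skb);
 
 next:
-if (!(rx->flags & XEN_NETRXF_more_data))
+if (!(rx.flags & XEN_NETRXF_more_data))
 break;
 
 if (cons + slots == rp) {
@@ -840,7 +839,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
 break;
 }
 
-rx = RING_GET_RESPONSE(&queue->rx, cons + slots);
+RING_COPY_RESPONSE(&queue->rx, cons + slots, &rx);
 skb = xennet_get_rx_skb(queue, cons + slots);
 ref = xennet_get_rx_ref(queue, cons + slots);
 slots++;
@@ -895,9 +894,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
 struct sk_buff *nskb;
 
 while ((nskb = __skb_dequeue(list))) {
-struct xen_netif_rx_response *rx =
-RING_GET_RESPONSE(&queue->rx, ++cons);
+struct xen_netif_rx_response rx;
 skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+RING_COPY_RESPONSE(&queue->rx, ++cons, &rx);
 
 if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
 unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
@@ -913,7 +912,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
 
 skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
 skb_frag_page(nfrag),
-rx->offset, rx->status, PAGE_SIZE);
+rx.offset, rx.status, PAGE_SIZE);
 
 skb_shinfo(nskb)->nr_frags = 0;
 kfree_skb(nskb);
@@ -1009,7 +1008,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
 i = queue->rx.rsp_cons;
 work_done = 0;
 while ((i != rp) && (work_done < budget)) {
-memcpy(rx, RING_GET_RESPONSE(&queue->rx, i), sizeof(*rx));
+RING_COPY_RESPONSE(&queue->rx, i, rx);
 memset(extras, 0, sizeof(rinfo.extras));
 
 err = xennet_get_responses(queue, &rinfo, rp, &tmpq);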
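Review bot: In xennet_fill_frags the slot at `++cons` is copied out of the shared ring a second time, so the `rx.offset` and `rx.status` passed to `skb_add_rx_frag()` are not the values that xennet_get_responses range-checked against XEN_PAGE_SIZE. Each copy is now internally consistent, but the check and the use still happen on two different snapshots of the same slot, which is the time-of-check / time-of-use gap this commit sets out to close. Either repeat the test on the fresh copy before it is used, `if (unlikely(rx.status < 0 || rx.offset + rx.status > XEN_PAGE_SIZE))` followed by whatever error path the function has, or carry the already validated values over from xennet_get_responses instead of re-reading the ring. Separately, in xennet_tx_buf_gc `txrsp.id` still indexes `queue->tx_skbs[]` and `queue->grant_tx_ref[]` with no range check visible in the hunk; if `tx_skbs` is a fixed-size array, a guard such as `if (unlikely(id >= ARRAY_SIZE(queue->tx_skbs))) continue;` would cover it. Both function bodies continue outside the hunks shown, so confirm neither check exists further down.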
--
2.20.1