From: David Vrabel <david.vrabel@citrix.com>
To: annie li <annie.li@oracle.com>
Cc: Wei Liu <wei.liu2@citrix.com>, <ian.campbell@citrix.com>,
<netdev@vger.kernel.org>, <xen-devel@lists.xen.org>,
<andrew.bennieston@citrix.com>, <davem@davemloft.net>
Subject: Re: [Xen-devel] [PATCH net-next v2] xen-netfront: clean up code in xennet_release_rx_bufs
Date: Fri, 17 Jan 2014 17:50:43 +0000 [thread overview]
Message-ID: <52D96D73.1030803@citrix.com> (raw)
In-Reply-To: <52D94F8C.7060509@oracle.com>
On 17/01/14 15:43, annie li wrote:
>
> No, I am trying to implement 2 patches.
I don't understand the need for two patches here, particularly when
the first patch introduces a security issue. You can fold the following
(untested) patch into your v2 patch and give it a try?
Thanks.
David
8<----------------------
xen-netfront: prevent unsafe reuse of rx buf pages after uninit
---
drivers/net/xen-netfront.c | 21 +++++++++++++++++----
1 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 692589e..47aa599 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1134,19 +1134,32 @@ static void xennet_release_tx_bufs(struct netfront_info *np)
static void xennet_release_rx_bufs(struct netfront_info *np)
{
- struct sk_buff *skb;
int id, ref;
spin_lock_bh(&np->rx_lock);
for (id = 0; id < NET_RX_RING_SIZE; id++) {
+ struct sk_buff *skb;
+ skb_frag_t *frag;
+ const struct page *page;
+
+ skb = np->rx_skbs[id];
+ if (!skb)
+ continue;
+
ref = np->grant_rx_ref[id];
if (ref == GRANT_INVALID_REF)
continue;
- skb = np->rx_skbs[id];
- gnttab_end_foreign_access_ref(ref, 0);
- gnttab_release_grant_reference(&np->gref_rx_head, ref);
+ frag = &skb_shinfo(skb)->frags[0];
+ page = skb_frag_page(frag);
+
+ /* gnttab_end_foreign_access() needs a page ref until
+ * foreign access is ended (which may be deferred).
+ */
+ get_page(page);
+
+ gnttab_end_foreign_access(ref, 0, page);
np->grant_rx_ref[id] = GRANT_INVALID_REF;
kfree_skb(skb);
--
1.7.2.5
next prev parent reply other threads:[~2014-01-17 17:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 23:57 [Xen-devel][PATCH net-next v2] xen-netfront: clean up code in xennet_release_rx_bufs Annie Li
2014-01-16 11:10 ` David Vrabel
2014-01-16 13:42 ` annie li
2014-01-17 1:25 ` David Miller
2014-01-17 6:25 ` [Xen-devel] [PATCH " annie li
2014-01-17 6:58 ` annie li
2014-01-17 12:08 ` Wei Liu
2014-01-17 12:32 ` annie li
2014-01-17 14:02 ` Wei Liu
2014-01-17 15:43 ` annie li
2014-01-17 17:50 ` David Vrabel [this message]
2014-01-20 2:33 ` annie li
2014-01-17 15:40 ` David Vrabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52D96D73.1030803@citrix.com \
--to=david.vrabel@citrix.com \
--cc=andrew.bennieston@citrix.com \
--cc=annie.li@oracle.com \
--cc=davem@davemloft.net \
--cc=ian.campbell@citrix.com \
--cc=netdev@vger.kernel.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).