[PATCH openEuler-5.10 88/92] xen/blkfront: harden blkfront against event channel storms

14 Jan 2022

From: Juergen Gross jgross@suse.com
stable inclusion
from stable-v5.10.88
commit 8ac3b6ee7c9ff2df7c99624bb1235e2e55623825
bugzilla: 186058 https://gitee.com/openeuler/kernel/issues/I4QW6A
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 0fd08a34e8e3b67ec9bd8287ac0facf8374b844a upstream.
The Xen blkfront driver is still vulnerable for an attack via excessive
number of events sent by the backend. Fix that by using lateeoi event
channels.
This is part of XSA-391
Signed-off-by: Juergen Gross jgross@suse.com
Reviewed-by: Jan Beulich jbeulich@suse.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Chen Jun chenjun102@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 drivers/block/xen-blkfront.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
index ff7b62597b52..22842d2938c2 100644
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1573,9 +1573,12 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
    unsigned long flags;
    struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id;
    struct blkfront_info *info = rinfo->dev_info;
+	unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
-	if (unlikely(info->connected != BLKIF_STATE_CONNECTED))
+	if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) {
+		xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS);
    	return IRQ_HANDLED;
+	}
spin_lock_irqsave(&rinfo->ring_lock, flags);
  again:
@@ -1591,6 +1594,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
    	unsigned long id;
    	unsigned int op;
+		eoiflag = 0;
+
    	RING_COPY_RESPONSE(&rinfo->ring, i, &bret);
    	id = bret.id;
@@ -1707,6 +1712,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
spin_unlock_irqrestore(&rinfo->ring_lock, flags);
+	xen_irq_lateeoi(irq, eoiflag);
+
    return IRQ_HANDLED;
err:
@@ -1714,6 +1721,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
spin_unlock_irqrestore(&rinfo->ring_lock, flags);
+	/* No EOI in order to avoid further interrupts. */
+
    pr_alert("%s disabled for further use\n", info->gd->disk_name);
    return IRQ_HANDLED;
 }
@@ -1753,8 +1762,8 @@ static int setup_blkring(struct xenbus_device *dev,
    if (err)
    	goto fail;
-	err = bind_evtchn_to_irqhandler(rinfo->evtchn, blkif_interrupt, 0,
-					"blkif", rinfo);
+	err = bind_evtchn_to_irqhandler_lateeoi(rinfo->evtchn, blkif_interrupt,
+						0, "blkif", rinfo);
    if (err <= 0) {
    	xenbus_dev_fatal(dev, err,
    			 "bind_evtchn_to_irqhandler failed");
-- 
2.20.1

    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-5.10 88/92] xen/blkfront: harden blkfront against event channel storms