This is a note to let you know that I've just added the patch titled
xen/blkfront: harden blkfront against event channel storms
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xen-blkfront-harden-blkfront-against-event-channel-storms.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Mon Dec 20 02:39:52 PM CET 2021
From: Juergen Gross <jgross@xxxxxxxx>
Date: Thu, 16 Dec 2021 08:24:08 +0100
Subject: xen/blkfront: harden blkfront against event channel storms
From: Juergen Gross <jgross@xxxxxxxx>
commit 0fd08a34e8e3b67ec9bd8287ac0facf8374b844a upstream.
The Xen blkfront driver is still vulnerable for an attack via excessive
number of events sent by the backend. Fix that by using lateeoi event
channels.
This is part of XSA-391
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/block/xen-blkfront.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1319,11 +1319,13 @@ static irqreturn_t blkif_interrupt(int i
unsigned long flags;
struct blkfront_info *info = (struct blkfront_info *)dev_id;
int error;
+ unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
spin_lock_irqsave(&info->io_lock, flags);
if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) {
spin_unlock_irqrestore(&info->io_lock, flags);
+ xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS);
return IRQ_HANDLED;
}
@@ -1340,6 +1342,8 @@ static irqreturn_t blkif_interrupt(int i
unsigned long id;
unsigned int op;
+ eoiflag = 0;
+
RING_COPY_RESPONSE(&info->ring, i, &bret);
id = bret.id;
@@ -1444,6 +1448,8 @@ static irqreturn_t blkif_interrupt(int i
spin_unlock_irqrestore(&info->io_lock, flags);
+ xen_irq_lateeoi(irq, eoiflag);
+
return IRQ_HANDLED;
err:
@@ -1451,6 +1457,8 @@ static irqreturn_t blkif_interrupt(int i
spin_unlock_irqrestore(&info->io_lock, flags);
+ /* No EOI in order to avoid further interrupts. */
+
pr_alert("%s disabled for further use\n", info->gd->disk_name);
return IRQ_HANDLED;
}
@@ -1489,8 +1497,8 @@ static int setup_blkring(struct xenbus_d
if (err)
goto fail;
- err = bind_evtchn_to_irqhandler(info->evtchn, blkif_interrupt, 0,
- "blkif", info);
+ err = bind_evtchn_to_irqhandler_lateeoi(info->evtchn, blkif_interrupt,
+ 0, "blkif", info);
if (err <= 0) {
xenbus_dev_fatal(dev, err,
"bind_evtchn_to_irqhandler failed");
Patches currently in stable-queue which might be from jgross@xxxxxxxx are
queue-4.4/xen-blkfront-harden-blkfront-against-event-channel-storms.patch
queue-4.4/xen-console-harden-hvc_xen-against-event-channel-storms.patch
queue-4.4/xen-netback-don-t-queue-unlimited-number-of-packages.patch
queue-4.4/xen-netfront-harden-netfront-against-event-channel-storms.patch
