David Vrabel
2013-Mar-01 17:33 UTC
[PATCH] xen-blkback: correctly respond to unknown, non-native requests
From: David Vrabel <david.vrabel@citrix.com> If the frontend is using a non-native protocol (e.g., a 64-bit frontend with a 32-bit backend) and it sent an unrecognized request, the request was not translated and the response would have the incorrect ID. This may cause the frontend driver to behave incorrectly or crash. Since the ID field in the request is always in the same place, regardless of the request type we can get the correct ID and make a valid response (which will report BLKIF_RSP_EOPNOTSUPP). This bug affected 64-bit SLES 11 guests when using a 32-bit backend. This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES source) and would crash in blkif_int() as the ID in the response would be invalid. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Cc: stable@vger.kernel.org --- drivers/block/xen-blkback/blkback.c | 31 +++++++++++++++++++++++++++---- drivers/block/xen-blkback/common.h | 25 +++++++++++++++++++++++++ include/xen/interface/io/blkif.h | 10 ++++++++++ 3 files changed, 62 insertions(+), 4 deletions(-) diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c index de1f319..9c8c1cc 100644 --- a/drivers/block/xen-blkback/blkback.c +++ b/drivers/block/xen-blkback/blkback.c @@ -679,6 +679,16 @@ static int dispatch_discard_io(struct xen_blkif *blkif, return err; } +static int dispatch_unknown_io(struct xen_blkif *blkif, + struct blkif_request *req, + struct pending_req *pending_req) +{ + free_req(pending_req); + make_response(blkif, req->u.unknown.id, req->operation, + BLKIF_RSP_EOPNOTSUPP); + return -EIO; +} + static void xen_blk_drain_io(struct xen_blkif *blkif) { atomic_set(&blkif->drain, 1); @@ -800,17 +810,30 @@ __do_block_io_op(struct xen_blkif *blkif) /* Apply all sanity checks to /private copy/ of request. */ barrier(); - if (unlikely(req.operation == BLKIF_OP_DISCARD)) { + + switch (req.operation) { + case BLKIF_OP_READ: + case BLKIF_OP_WRITE: + case BLKIF_OP_WRITE_BARRIER: + case BLKIF_OP_FLUSH_DISKCACHE: + if (dispatch_rw_block_io(blkif, &req, pending_req)) + goto done; + break; + case BLKIF_OP_DISCARD: free_req(pending_req); if (dispatch_discard_io(blkif, &req)) - break; - } else if (dispatch_rw_block_io(blkif, &req, pending_req)) + goto done; + break; + default: + if (dispatch_unknown_io(blkif, &req, pending_req)) + goto done; break; + } /* Yield point for this unbounded loop. */ cond_resched(); } - +done: return more_to_do; } diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h index 6072390..8f28277 100644 --- a/drivers/block/xen-blkback/common.h +++ b/drivers/block/xen-blkback/common.h @@ -77,11 +77,18 @@ struct blkif_x86_32_request_discard { uint64_t nr_sectors; } __attribute__((__packed__)); +struct blkif_x86_32_request_unknown { + uint8_t _pad1; + blkif_vdev_t _pad2; + uint64_t id; /* private guest value, echoed in resp */ +} __attribute__((__packed__)); + struct blkif_x86_32_request { uint8_t operation; /* BLKIF_OP_??? */ union { struct blkif_x86_32_request_rw rw; struct blkif_x86_32_request_discard discard; + struct blkif_x86_32_request_unknown unknown; } u; } __attribute__((__packed__)); @@ -113,11 +120,19 @@ struct blkif_x86_64_request_discard { uint64_t nr_sectors; } __attribute__((__packed__)); +struct blkif_x86_64_request_unknown { + uint8_t _pad1; + blkif_vdev_t _pad2; + uint32_t _pad3; /* offsetof(blkif_..,u.discard.id)==8 */ + uint64_t id; /* private guest value, echoed in resp */ +} __attribute__((__packed__)); + struct blkif_x86_64_request { uint8_t operation; /* BLKIF_OP_??? */ union { struct blkif_x86_64_request_rw rw; struct blkif_x86_64_request_discard discard; + struct blkif_x86_64_request_unknown unknown; } u; } __attribute__((__packed__)); @@ -278,6 +293,11 @@ static inline void blkif_get_x86_32_req(struct blkif_request *dst, dst->u.discard.nr_sectors = src->u.discard.nr_sectors; break; default: + /* + * Don''t know how to translate this op. Only get the + * ID so failure can be reported to the frontend. + */ + dst->u.unknown.id = src->u.unknown.id; break; } } @@ -309,6 +329,11 @@ static inline void blkif_get_x86_64_req(struct blkif_request *dst, dst->u.discard.nr_sectors = src->u.discard.nr_sectors; break; default: + /* + * Don''t know how to translate this op. Only get the + * ID so failure can be reported to the frontend. + */ + dst->u.unknown.id = src->u.unknown.id; break; } } diff --git a/include/xen/interface/io/blkif.h b/include/xen/interface/io/blkif.h index 01c3d62..0e03ed8 100644 --- a/include/xen/interface/io/blkif.h +++ b/include/xen/interface/io/blkif.h @@ -138,11 +138,21 @@ struct blkif_request_discard { uint8_t _pad3; } __attribute__((__packed__)); +struct blkif_request_unknown { + uint8_t _pad1; + blkif_vdev_t _pad2; /* only for read/write requests */ +#ifdef CONFIG_X86_64 + uint32_t _pad3; /* offsetof(blkif_req..,u.unknown.id)==8*/ +#endif + uint64_t id; /* private guest value, echoed in resp */ +} __attribute__((__packed__)); + struct blkif_request { uint8_t operation; /* BLKIF_OP_??? */ union { struct blkif_request_rw rw; struct blkif_request_discard discard; + struct blkif_request_unknown unknown; } u; } __attribute__((__packed__)); -- 1.7.2.5
Jan Beulich
2013-Mar-04 09:57 UTC
Re: [PATCH] xen-blkback: correctly respond to unknown, non-native requests
>>> On 01.03.13 at 18:33, David Vrabel <david.vrabel@citrix.com> wrote: > If the frontend is using a non-native protocol (e.g., a 64-bit > frontend with a 32-bit backend) and it sent an unrecognized request, > the request was not translated and the response would have the > incorrect ID. This may cause the frontend driver to behave > incorrectly or crash. > > Since the ID field in the request is always in the same place, > regardless of the request type we can get the correct ID and make a > valid response (which will report BLKIF_RSP_EOPNOTSUPP). > > This bug affected 64-bit SLES 11 guests when using a 32-bit backend. > This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES > source) and would crash in blkif_int() as the ID in the response would > be invalid.I recognize the need for the change, and I''m also fine with the patch, but ...> --- a/include/xen/interface/io/blkif.h > +++ b/include/xen/interface/io/blkif.h > @@ -138,11 +138,21 @@ struct blkif_request_discard { > uint8_t _pad3; > } __attribute__((__packed__)); > > +struct blkif_request_unknown { > + uint8_t _pad1; > + blkif_vdev_t _pad2; /* only for read/write requests */ > +#ifdef CONFIG_X86_64 > + uint32_t _pad3; /* offsetof(blkif_req..,u.unknown.id)==8*/ > +#endif > + uint64_t id; /* private guest value, echoed in resp */ > +} __attribute__((__packed__)); > + > struct blkif_request { > uint8_t operation; /* BLKIF_OP_??? */ > union { > struct blkif_request_rw rw; > struct blkif_request_discard discard; > + struct blkif_request_unknown unknown; > } u; > } __attribute__((__packed__)); >... I wonder whether "unknown" here really is a suitable term. I''d favor "generic" or "other", as "unknown" suggests we know _nothing_ about it, which would include the position of the ID field. Also, we''d need a matching patch for the master copy of the public header... Jan
David Vrabel
2013-Mar-04 11:33 UTC
Re: [PATCH] xen-blkback: correctly respond to unknown, non-native requests
On 04/03/13 09:57, Jan Beulich wrote:>>>> On 01.03.13 at 18:33, David Vrabel <david.vrabel@citrix.com> wrote: >> If the frontend is using a non-native protocol (e.g., a 64-bit >> frontend with a 32-bit backend) and it sent an unrecognized request, >> the request was not translated and the response would have the >> incorrect ID. This may cause the frontend driver to behave >> incorrectly or crash. >> >> Since the ID field in the request is always in the same place, >> regardless of the request type we can get the correct ID and make a >> valid response (which will report BLKIF_RSP_EOPNOTSUPP). >> >> This bug affected 64-bit SLES 11 guests when using a 32-bit backend. >> This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES >> source) and would crash in blkif_int() as the ID in the response would >> be invalid. > > I recognize the need for the change, and I''m also fine with the > patch, but ... > >> --- a/include/xen/interface/io/blkif.h >> +++ b/include/xen/interface/io/blkif.h >> @@ -138,11 +138,21 @@ struct blkif_request_discard { >> uint8_t _pad3; >> } __attribute__((__packed__)); >> >> +struct blkif_request_unknown { >> + uint8_t _pad1; >> + blkif_vdev_t _pad2; /* only for read/write requests */ >> +#ifdef CONFIG_X86_64 >> + uint32_t _pad3; /* offsetof(blkif_req..,u.unknown.id)==8*/ >> +#endif >> + uint64_t id; /* private guest value, echoed in resp */ >> +} __attribute__((__packed__)); >> + >> struct blkif_request { >> uint8_t operation; /* BLKIF_OP_??? */ >> union { >> struct blkif_request_rw rw; >> struct blkif_request_discard discard; >> + struct blkif_request_unknown unknown; >> } u; >> } __attribute__((__packed__)); >> > > ... I wonder whether "unknown" here really is a suitable term. > I''d favor "generic" or "other", as "unknown" suggests we know > _nothing_ about it, which would include the position of the ID > field.''other'' it is then.> Also, we''d need a matching patch for the master copy of the > public header...The header in Xen only has the native structures doesn''t have any the union so there''s nothing to fix. David