Re: [PATCH v2 3/3] xen/blkfront: don't trust the backend response data blindly

From: Jan Beulich
Date: Thu Jul 08 2021 - 09:11:17 EST


On 08.07.2021 14:43, Juergen Gross wrote:
> Today blkfront will trust the backend to send only sane response data.
> In order to avoid privilege escalations or crashes in case of malicious
> backends verify the data to be within expected limits. Especially make
> sure that the response always references an outstanding request.
>
> Introduce a new state of the ring BLKIF_STATE_ERROR which will be
> switched to in case an inconsistency is being detected. Recovering from
> this state is possible only via removing and adding the virtual device
> again (e.g. via a suspend/resume cycle).
>
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
albeit ...

> @@ -1602,7 +1628,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
> case BLKIF_OP_DISCARD:
> if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
> struct request_queue *rq = info->rq;
> - printk(KERN_WARNING "blkfront: %s: %s op failed\n",
> +
> + pr_warn_ratelimited("blkfront: %s: %s op failed\n",
> info->gd->disk_name, op_name(bret.operation));
> blkif_req(req)->error = BLK_STS_NOTSUPP;
> info->feature_discard = 0;
> @@ -1614,13 +1641,13 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
> case BLKIF_OP_FLUSH_DISKCACHE:
> case BLKIF_OP_WRITE_BARRIER:
> if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
> - printk(KERN_WARNING "blkfront: %s: %s op failed\n",
> + pr_warn_ratelimited("blkfront: %s: %s op failed\n",
> info->gd->disk_name, op_name(bret.operation));
> blkif_req(req)->error = BLK_STS_NOTSUPP;
> }
> if (unlikely(bret.status == BLKIF_RSP_ERROR &&
> rinfo->shadow[id].req.u.rw.nr_segments == 0)) {
> - printk(KERN_WARNING "blkfront: %s: empty %s op failed\n",
> + pr_warn_ratelimited("blkfront: %s: empty %s op failed\n",
> info->gd->disk_name, op_name(bret.operation));
> blkif_req(req)->error = BLK_STS_NOTSUPP;
> }
> @@ -1635,8 +1662,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
> case BLKIF_OP_READ:
> case BLKIF_OP_WRITE:
> if (unlikely(bret.status != BLKIF_RSP_OKAY))
> - dev_dbg(&info->xbdev->dev, "Bad return from blkdev data "
> - "request: %x\n", bret.status);
> + dev_dbg_ratelimited(&info->xbdev->dev,
> + "Bad return from blkdev data request: %x\n", bret.status);
>
> break;
> default:

... all of these look kind of unrelated to the topic of the patch,
and the conversion also isn't mentioned as on-purpose in the
description.

Jan