Re: [PATCH 1/2] xen/netback: don't do grant copy across page boundary

From: Jan Beulich
Date: Tue Mar 28 2023 - 03:50:58 EST

Next message: Stefano Garzarella: "Re: [PATCH net-next] testing/vsock: add vsock_perf to gitignore"
Previous message: Neil Armstrong: "Re: [PATCH] dt-bindings: soc: amlogic: Drop unneeded quotes"
In reply to: Juergen Gross: "Re: [PATCH 1/2] xen/netback: don't do grant copy across page boundary"
Next in thread: Juergen Gross: "[PATCH 2/2] xen/netback: remove not needed test in xenvif_tx_build_gops()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 27.03.2023 18:22, Juergen Gross wrote:
> On 27.03.23 17:38, Jan Beulich wrote:
>> On 27.03.2023 12:07, Juergen Gross wrote:
>>> On 27.03.23 11:49, Jan Beulich wrote:
>>>> On 27.03.2023 10:36, Juergen Gross wrote:
>>>>> @@ -539,6 +553,13 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
>>>>> pending_idx = copy_pending_idx(skb, i);
>>>>>
>>>>> newerr = (*gopp_copy)->status;
>>>>> +
>>>>> + /* Split copies need to be handled together. */
>>>>> + if (XENVIF_TX_CB(skb)->split_mask & (1U << i)) {
>>>>> + (*gopp_copy)++;
>>>>> + if (!newerr)
>>>>> + newerr = (*gopp_copy)->status;
>>>>> + }
>>>>
>>>> It isn't guaranteed that a slot may be split only once, is it? Assuming a
>>>
>>> I think it is guaranteed.
>>>
>>> No slot can cover more than XEN_PAGE_SIZE bytes due to the grants being
>>> restricted to that size. There is no way how such a data packet could cross
>>> 2 page boundaries.
>>>
>>> In the end the problem isn't the copies for the linear area not crossing
>>> multiple page boundaries, but the copies for a single request slot not
>>> doing so. And this can't happen IMO.
>>
>> You're thinking of only well-formed requests. What about said request
>> providing a large size with only tiny fragments? xenvif_get_requests()
>> will happily process such, creating bogus grant-copy ops. But them failing
>> once submitted to Xen will be only after damage may already have occurred
>> (from bogus updates of internal state; the logic altogether is too
>> involved for me to be convinced that nothing bad can happen).
>
> There are sanity checks after each relevant RING_COPY_REQUEST() call, which
> will bail out if "(txp->offset + txp->size) > XEN_PAGE_SIZE" (the first one
> is after the call of xenvif_count_requests(), as this call will decrease the
> size of the request, the other check is in xenvif_count_requests()).

Oh, indeed - that's the check I've been overlooking. (The messages logged
there could do with also mentioning "Cross page boundary", like the one
in xenvif_count_requests() does.)

Jan

Next message: Stefano Garzarella: "Re: [PATCH net-next] testing/vsock: add vsock_perf to gitignore"
Previous message: Neil Armstrong: "Re: [PATCH] dt-bindings: soc: amlogic: Drop unneeded quotes"
In reply to: Juergen Gross: "Re: [PATCH 1/2] xen/netback: don't do grant copy across page boundary"
Next in thread: Juergen Gross: "[PATCH 2/2] xen/netback: remove not needed test in xenvif_tx_build_gops()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]