xen/netback: don't call kfree_skb() with interrupts disabled

jgross1 · jgross1 · commit 74e7e1efdad4 · 2022-12-06T16:00:33.000+01:00
It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So remove kfree_skb() from the spin_lock_irqsave() section and use the already existing "drop" label in xenvif_start_xmit() for dropping the SKB. At the same time replace the dev_kfree_skb() call there with a call of dev_kfree_skb_any(), as xenvif_start_xmit() can be called with disabled interrupts. This is XSA-424 / CVE-2022-42328 / CVE-2022-42329. Fixes: be81992 ("xen/netback: don't queue unlimited number of packages") Reported-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com>
diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h
@@ -386,7 +386,7 @@ int xenvif_dealloc_kthread(void *data);
 irqreturn_t xenvif_ctrl_irq_fn(int irq, void *data);
 
 bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread);
-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb);
+bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb);
 
 void xenvif_carrier_on(struct xenvif *vif);
 
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
@@ -254,14 +254,16 @@ xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
 		skb_clear_hash(skb);
 
-	xenvif_rx_queue_tail(queue, skb);
+	if (!xenvif_rx_queue_tail(queue, skb))
+		goto drop;
+
 	xenvif_kick_thread(queue);
 
 	return NETDEV_TX_OK;
 
  drop:
 	vif->dev->stats.tx_dropped++;
-	dev_kfree_skb(skb);
+	dev_kfree_skb_any(skb);
 	return NETDEV_TX_OK;
 }
 
diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c
@@ -82,18 +82,18 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
 	return false;
 }
 
-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
+bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
 {
 	unsigned long flags;
+	bool ret = true;
 
 	spin_lock_irqsave(&queue->rx_queue.lock, flags);
 
 	if (queue->rx_queue_len >= queue->rx_queue_max) {
 		struct net_device *dev = queue->vif->dev;
 
 		netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
-		kfree_skb(skb);
-		queue->vif->dev->stats.rx_dropped++;
+		ret = false;
 	} else {
 		if (skb_queue_empty(&queue->rx_queue))
 			xenvif_update_needed_slots(queue, skb);
@@ -104,6 +104,8 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
 	}
 
 	spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
+
+	return ret;
 }
 
 static struct sk_buff *xenvif_rx_dequeue(struct xenvif_queue *queue)

Original file line number	Diff line number	Diff line change
`@@ -82,18 +82,18 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)`
`82`	`82`	`return false;`
`83`	`83`	`}`
`84`	`84`
`85`		`-void xenvif_rx_queue_tail(struct xenvif_queue queue, struct sk_buff skb)`
	`85`	`+bool xenvif_rx_queue_tail(struct xenvif_queue queue, struct sk_buff skb)`
`86`	`86`	`{`
`87`	`87`	`unsigned long flags;`
	`88`	`+ bool ret = true;`
`88`	`89`
`89`	`90`	`spin_lock_irqsave(&queue->rx_queue.lock, flags);`
`90`	`91`
`91`	`92`	`if (queue->rx_queue_len >= queue->rx_queue_max) {`
`92`	`93`	`struct net_device *dev = queue->vif->dev;`
`93`	`94`
`94`	`95`	`netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));`
`95`		`- kfree_skb(skb);`
`96`		`- queue->vif->dev->stats.rx_dropped++;`
	`96`	`+ ret = false;`
`97`	`97`	`} else {`
`98`	`98`	`if (skb_queue_empty(&queue->rx_queue))`
`99`	`99`	`xenvif_update_needed_slots(queue, skb);`
`@@ -104,6 +104,8 @@ void xenvif_rx_queue_tail(struct xenvif_queue queue, struct sk_buff skb)`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`spin_unlock_irqrestore(&queue->rx_queue.lock, flags);`
	`107`	`+`
	`108`	`+ return ret;`
`107`	`109`	`}`
`108`	`110`
`109`	`111`	`static struct sk_buff xenvif_rx_dequeue(struct xenvif_queue queue)`