Re: [PATCH v2 3/3] xen/blkfront: don't trust the backend response data blindly

Thu, 08 Jul 2021 06:11:25 -0700 

On 08.07.2021 14:43, Juergen Gross wrote:
> Today blkfront will trust the backend to send only sane response data.
> In order to avoid privilege escalations or crashes in case of malicious
> backends verify the data to be within expected limits. Especially make
> sure that the response always references an outstanding request.
> 
> Introduce a new state of the ring BLKIF_STATE_ERROR which will be
> switched to in case an inconsistency is being detected. Recovering from
> this state is possible only via removing and adding the virtual device
> again (e.g. via a suspend/resume cycle).
> 
> Signed-off-by: Juergen Gross <[email protected]>

Reviewed-by: Jan Beulich <[email protected]>
albeit ...

> @@ -1602,7 +1628,8 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_DISCARD:
>                       if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
>                               struct request_queue *rq = info->rq;
> -                             printk(KERN_WARNING "blkfront: %s: %s op 
> failed\n",
> +
> +                             pr_warn_ratelimited("blkfront: %s: %s op 
> failed\n",
>                                          info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                               info->feature_discard = 0;
> @@ -1614,13 +1641,13 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_FLUSH_DISKCACHE:
>               case BLKIF_OP_WRITE_BARRIER:
>                       if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
> -                             printk(KERN_WARNING "blkfront: %s: %s op 
> failed\n",
> +                             pr_warn_ratelimited("blkfront: %s: %s op 
> failed\n",
>                                      info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                       }
>                       if (unlikely(bret.status == BLKIF_RSP_ERROR &&
>                                    rinfo->shadow[id].req.u.rw.nr_segments == 
> 0)) {
> -                             printk(KERN_WARNING "blkfront: %s: empty %s op 
> failed\n",
> +                             pr_warn_ratelimited("blkfront: %s: empty %s op 
> failed\n",
>                                      info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                       }
> @@ -1635,8 +1662,8 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_READ:
>               case BLKIF_OP_WRITE:
>                       if (unlikely(bret.status != BLKIF_RSP_OKAY))
> -                             dev_dbg(&info->xbdev->dev, "Bad return from 
> blkdev data "
> -                                     "request: %x\n", bret.status);
> +                             dev_dbg_ratelimited(&info->xbdev->dev,
> +                                     "Bad return from blkdev data request: 
> %x\n", bret.status);
>  
>                       break;
>               default:

... all of these look kind of unrelated to the topic of the patch,
and the conversion also isn't mentioned as on-purpose in the
description.

Jan

Reply via email to