1. 02 4月, 2014 1 次提交
    • W
      xen-netback: disable rogue vif in kthread context · e9d8b2c2
      Wei Liu 提交于
      When netback discovers frontend is sending malformed packet it will
      disables the interface which serves that frontend.
      
      However disabling a network interface involving taking a mutex which
      cannot be done in softirq context, so we need to defer this process to
      kthread context.
      
      This patch does the following:
      1. introduce a flag to indicate the interface is disabled.
      2. check that flag in TX path, don't do any work if it's true.
      3. check that flag in RX path, turn off that interface if it's true.
      
      The reason to disable it in RX path is because RX uses kthread. After
      this change the behavior of netback is still consistent -- it won't do
      any TX work for a rogue frontend, and the interface will be eventually
      turned off.
      
      Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
      doesn't make sense to continue processing packets if frontend is rogue.
      
      This is a fix for XSA-90.
      Reported-by: NTörök Edwin <edwin@etorok.net>
      Signed-off-by: NWei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Reviewed-by: NDavid Vrabel <david.vrabel@citrix.com>
      Acked-by: NIan Campbell <ian.campbell@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e9d8b2c2
  2. 27 3月, 2014 1 次提交
    • Z
      xen-netback: Stop using xenvif_tx_pending_slots_available · 869b9b19
      Zoltan Kiss 提交于
      Since the early days TX stops if there isn't enough free pending slots to
      consume a maximum sized (slot-wise) packet. Probably the reason for that is to
      avoid the case when we don't have enough free pending slot in the ring to finish
      the packet. But if we make sure that the pending ring has the same size as the
      shared ring, that shouldn't really happen. The frontend can only post packets
      which fit the to the free space of the shared ring. If it doesn't, the frontend
      has to stop, as it can only increase the req_prod when the whole packet fits
      onto the ring.
      This patch avoid using this checking, makes sure the 2 ring has the same size,
      and remove a checking from the callback. As now we don't stop the NAPI instance
      on this condition, we don't have to wake it up if we free pending slots up.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      869b9b19
  3. 26 3月, 2014 1 次提交
  4. 08 3月, 2014 8 次提交
    • Z
      xen-netback: Aggregate TX unmap operations · e9275f5e
      Zoltan Kiss 提交于
      Unmapping causes TLB flushing, therefore we should make it in the largest
      possible batches. However we shouldn't starve the guest for too long. So if
      the guest has space for at least two big packets and we don't have at least a
      quarter ring to unmap, delay it for at most 1 milisec.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e9275f5e
    • Z
      xen-netback: Timeout packets in RX path · 09350788
      Zoltan Kiss 提交于
      A malicious or buggy guest can leave its queue filled indefinitely, in which
      case qdisc start to queue packets for that VIF. If those packets came from an
      another guest, it can block its slots and prevent shutdown. To avoid that, we
      make sure the queue is drained in every 10 seconds.
      The QDisc queue in worst case takes 3 round to flush usually.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      09350788
    • Z
      xen-netback: Handle guests with too many frags · e3377f36
      Zoltan Kiss 提交于
      Xen network protocol had implicit dependency on MAX_SKB_FRAGS. Netback has to
      handle guests sending up to XEN_NETBK_LEGACY_SLOTS_MAX slots. To achieve that:
      - create a new skb
      - map the leftover slots to its frags (no linear buffer here!)
      - chain it to the previous through skb_shinfo(skb)->frag_list
      - map them
      - copy and coalesce the frags into a brand new one and send it to the stack
      - unmap the 2 old skb's pages
      
      It's also introduces new stat counters, which help determine how often the guest
      sends a packet with more than MAX_SKB_FRAGS frags.
      
      NOTE: if bisect brought you here, you should apply the series up until
      "xen-netback: Timeout packets in RX path", otherwise malicious guests can block
      other guests by not releasing their sent packets.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3377f36
    • Z
      xen-netback: Add stat counters for zerocopy · 1bb332af
      Zoltan Kiss 提交于
      These counters help determine how often the buffers had to be copied. Also
      they help find out if packets are leaked, as if "sent != success + fail",
      there are probably packets never freed up properly.
      
      NOTE: if bisect brought you here, you should apply the series up until
      "xen-netback: Timeout packets in RX path", otherwise Windows guests can't work
      properly and malicious guests can block other guests by not releasing their sent
      packets.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1bb332af
    • Z
      xen-netback: Remove old TX grant copy definitons and fix indentations · 62bad319
      Zoltan Kiss 提交于
      These became obsolete with grant mapping. I've left intentionally the
      indentations in this way, to improve readability of previous patches.
      
      NOTE: if bisect brought you here, you should apply the series up until
      "xen-netback: Timeout packets in RX path", otherwise Windows guests can't work
      properly and malicious guests can block other guests by not releasing their sent
      packets.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62bad319
    • Z
      xen-netback: Introduce TX grant mapping · f53c3fe8
      Zoltan Kiss 提交于
      This patch introduces grant mapping on netback TX path. It replaces grant copy
      operations, ditching grant copy coalescing along the way. Another solution for
      copy coalescing is introduced in "xen-netback: Handle guests with too many
      frags", older guests and Windows can broke before that patch applies.
      There is a callback (xenvif_zerocopy_callback) from core stack to release the
      slots back to the guests when kfree_skb or skb_orphan_frags called. It feeds a
      separate dealloc thread, as scheduling NAPI instance from there is inefficient,
      therefore we can't do dealloc from the instance.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f53c3fe8
    • Z
      xen-netback: Handle foreign mapped pages on the guest RX path · 3e2234b3
      Zoltan Kiss 提交于
      RX path need to know if the SKB fragments are stored on pages from another
      domain.
      Logically this patch should be after introducing the grant mapping itself, as
      it makes sense only after that. But to keep bisectability, I moved it here. It
      shouldn't change any functionality here. xenvif_zerocopy_callback and
      ubuf_to_vif are just stubs here, they will be introduced properly later on.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3e2234b3
    • Z
      xen-netback: Minor refactoring of netback code · 121fa4b7
      Zoltan Kiss 提交于
      This patch contains a few bits of refactoring before introducing the grant
      mapping changes:
      - introducing xenvif_tx_pending_slots_available(), as this is used several
        times, and will be used more often
      - rename the thread to vifX.Y-guest-rx, to signify it does RX work from the
        guest point of view
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      121fa4b7
  5. 06 2月, 2014 1 次提交
    • Z
      xen-netback: Fix Rx stall due to race condition · 9ab9831b
      Zoltan Kiss 提交于
      The recent patch to fix receive side flow control
      (11b57f90: xen-netback: stop vif thread
      spinning if frontend is unresponsive) solved the spinning thread problem,
      however caused an another one. The receive side can stall, if:
      - [THREAD] xenvif_rx_action sets rx_queue_stopped to true
      - [INTERRUPT] interrupt happens, and sets rx_event to true
      - [THREAD] then xenvif_kthread sets rx_event to false
      - [THREAD] rx_work_todo doesn't return true anymore
      
      Also, if interrupt sent but there is still no room in the ring, it take quite a
      long time until xenvif_rx_action realize it. This patch ditch that two variable,
      and rework rx_work_todo. If the thread finds it can't fit more skb's into the
      ring, it saves the last slot estimation into rx_last_skb_slots, otherwise it's
      kept as 0. Then rx_work_todo will check if:
      - there is something to send to the ring (like before)
      - there is space for the topmost packet in the queue
      
      I think that's more natural and optimal thing to test than two bool which are
      set somewhere else.
      Signed-off-by: NZoltan Kiss <zoltan.kiss@citrix.com>
      Reviewed-by: NPaul Durrant <paul.durrant@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ab9831b
  6. 10 1月, 2014 1 次提交
    • P
      xen-netback: stop vif thread spinning if frontend is unresponsive · 11b57f90
      Paul Durrant 提交于
      The recent patch to improve guest receive side flow control (ca2f09f2) had a
      slight flaw in the wait condition for the vif thread in that any remaining
      skbs in the guest receive side netback internal queue would prevent the
      thread from sleeping. An unresponsive frontend can lead to a permanently
      non-empty internal queue and thus the thread will spin. In this case the
      thread should really sleep until the frontend becomes responsive again.
      
      This patch adds an extra flag to the vif which is set if the shared ring
      is full and cleared when skbs are drained into the shared ring. Thus,
      if the thread runs, finds the shared ring full and can make no progress the
      flag remains set. If the flag remains set then the thread will sleep,
      regardless of a non-empty queue, until the next event from the frontend.
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      11b57f90
  7. 30 12月, 2013 1 次提交
    • P
      xen-netback: fix guest-receive-side array sizes · ac3d5ac2
      Paul Durrant 提交于
      The sizes chosen for the metadata and grant_copy_op arrays on the guest
      receive size are wrong;
      
      - The meta array is needlessly twice the ring size, when we only ever
        consume a single array element per RX ring slot
      - The grant_copy_op array is way too small. It's sized based on a bogus
        assumption: that at most two copy ops will be used per ring slot. This
        may have been true at some point in the past but it's clear from looking
        at start_new_rx_buffer() that a new ring slot is only consumed if a frag
        would overflow the current slot (plus some other conditions) so the actual
        limit is MAX_SKB_FRAGS grant_copy_ops per ring slot.
      
      This patch fixes those two sizing issues and, because grant_copy_ops grows
      so much, it pulls it out into a separate chunk of vmalloc()ed memory.
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ac3d5ac2
  8. 10 12月, 2013 1 次提交
    • P
      xen-netback: improve guest-receive-side flow control · ca2f09f2
      Paul Durrant 提交于
      The way that flow control works without this patch is that, in start_xmit()
      the code uses xenvif_count_skb_slots() to predict how many slots
      xenvif_gop_skb() will consume and then adds this to a 'req_cons_peek'
      counter which it then uses to determine if the shared ring has that amount
      of space available by checking whether 'req_prod' has passed that value.
      If the ring doesn't have space the tx queue is stopped.
      xenvif_gop_skb() will then consume slots and update 'req_cons' and issue
      responses, updating 'rsp_prod' as it goes. The frontend will consume those
      responses and post new requests, by updating req_prod. So, req_prod chases
      req_cons which chases rsp_prod, and can never exceed that value. Thus if
      xenvif_count_skb_slots() ever returns a number of slots greater than
      xenvif_gop_skb() uses, req_cons_peek will get to a value that req_prod cannot
      possibly achieve (since it's limited by the 'real' req_cons) and, if this
      happens enough times, req_cons_peek gets more than a ring size ahead of
      req_cons and the tx queue then remains stopped forever waiting for an
      unachievable amount of space to become available in the ring.
      
      Having two routines trying to calculate the same value is always going to be
      fragile, so this patch does away with that. All we essentially need to do is
      make sure that we have 'enough stuff' on our internal queue without letting
      it build up uncontrollably. So start_xmit() makes a cheap optimistic check
      of how much space is needed for an skb and only turns the queue off if that
      is unachievable. net_rx_action() is the place where we could do with an
      accurate predicition but, since that has proven tricky to calculate, a cheap
      worse-case (but not too bad) estimate is all we really need since the only
      thing we *must* prevent is xenvif_gop_skb() consuming more slots than are
      available.
      
      Without this patch I can trivially stall netback permanently by just doing
      a large guest to guest file copy between two Windows Server 2008R2 VMs on a
      single host.
      
      Patch tested with frontends in:
      - Windows Server 2008R2
      - CentOS 6.0
      - Debian Squeeze
      - Debian Wheezy
      - SLES11
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Annie Li <annie.li@oracle.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ca2f09f2
  9. 29 10月, 2013 1 次提交
  10. 18 10月, 2013 2 次提交
  11. 20 9月, 2013 1 次提交
    • P
      xen-netback: Don't destroy the netdev until the vif is shut down · 279f438e
      Paul Durrant 提交于
      Without this patch, if a frontend cycles through states Closing
      and Closed (which Windows frontends need to do) then the netdev
      will be destroyed and requires re-invocation of hotplug scripts
      to restore state before the frontend can move to Connected. Thus
      when udev is not in use the backend gets stuck in InitWait.
      
      With this patch, the netdev is left alone whilst the backend is
      still online and is only de-registered and freed just prior to
      destroying the vif (which is also nicely symmetrical with the
      netdev allocation and registration being done during probe) so
      no re-invocation of hotplug scripts is required.
      Signed-off-by: NPaul Durrant <paul.durrant@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      279f438e
  12. 29 8月, 2013 2 次提交
  13. 24 5月, 2013 1 次提交
  14. 18 5月, 2013 1 次提交
    • W
      xen-netback: enable user to unload netback module · b103f358
      Wei Liu 提交于
      This patch enables user to unload netback module, which is useful when user
      wants to upgrade to a newer netback module without rebooting the host.
      
      Netfront cannot handle netback removal event. As we cannot fix all possible
      frontends we add module get / put along with vif get / put to avoid
      mis-unloading of netback. To unload netback module, user needs to shutdown all
      VMs or migrate them to another host or unplug all vifs before hand.
      Signed-off-by: NWei Liu <wei.liu2@citrix.com>
      Acked-by: Ian Campbell <ian.campbell@citrix.com>¬
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b103f358
  15. 08 2月, 2013 1 次提交
    • I
      xen/netback: shutdown the ring if it contains garbage. · 48856286
      Ian Campbell 提交于
      A buggy or malicious frontend should not be able to confuse netback.
      If we spot anything which is not as it should be then shutdown the
      device and don't try to continue with the ring in a potentially
      hostile state. Well behaved and non-hostile frontends will not be
      penalised.
      
      As well as making the existing checks for such errors fatal also add a
      new check that ensures that there isn't an insane number of requests
      on the ring (i.e. more than would fit in the ring). If the ring
      contains garbage then previously is was possible to loop over this
      insane number, getting an error each time and therefore not generating
      any more pending requests and therefore not exiting the loop in
      xen_netbk_tx_build_gops for an externded period.
      
      Also turn various netdev_dbg calls which no precipitate a fatal error
      into netdev_err, they are rate limited because the device is shutdown
      afterwards.
      
      This fixes at least one known DoS/softlockup of the backend domain.
      Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
      Reviewed-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: NJan Beulich <JBeulich@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      48856286
  16. 26 10月, 2011 1 次提交
  17. 18 5月, 2011 1 次提交
    • I
      xen: netback: use __CONST_RING_SIZE not __RING_SIZE · 11e73de7
      Ian Campbell 提交于
      The later causes warnings with gcc 4.5+. __CONST_RING_SIZE was introduced in
      667c78af to fix this but as netback wasn't upstream at the time it did not
      benefit, hence:
      
        CC      drivers/net/xen-netback/netback.o
      drivers/net/xen-netback/netback.c:110:37: warning: variably modified 'grant_copy_op' at file scope [enabled by default]
      drivers/net/xen-netback/netback.c:111:30: warning: variably modified 'meta' at file scope [enabled by default]
      drivers/net/xen-netback/netback.c: In function 'xen_netbk_rx_action':
      drivers/net/xen-netback/netback.c:584:6: warning: variable 'irq' set but not used [-Wunused-but-set-variable]
      
      Thanks to Witold Baryluk for pointing this out.
      Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
      Cc: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      11e73de7
  18. 20 4月, 2011 1 次提交
  19. 16 3月, 2011 1 次提交
    • I
      xen network backend driver · f942dc25
      Ian Campbell 提交于
      netback is the host side counterpart to the frontend driver in
      drivers/net/xen-netfront.c. The PV protocol is also implemented by
      frontend drivers in other OSes too, such as the BSDs and even Windows.
      
      The patch is based on the driver from the xen.git pvops kernel tree but
      has been put through the checkpatch.pl wringer plus several manual
      cleanup passes and review iterations. The driver has been moved from
      drivers/xen/netback to drivers/net/xen-netback.
      
      One major change from xen.git is that the guest transmit path (i.e. what
      looks like receive to netback) has been significantly reworked to remove
      the dependency on the out of tree PageForeign page flag (a core kernel
      patch which enables a per page destructor callback on the final
      put_page). This page flag was used in order to implement a grant map
      based transmit path (where guest pages are mapped directly into SKB
      frags). Instead this version of netback uses grant copy operations into
      regular memory belonging to the backend domain. Reinstating the grant
      map functionality is something which I would like to revisit in the
      future.
      
      Note that this driver depends on 2e820f58 "xen/irq: implement
      bind_interdomain_evtchn_to_irqhandler for backend drivers" which is in
      linux next via the "xen-two" tree and is intended for the 2.6.39 merge
      window:
              git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen.git stable/backends
      this branch has only that single commit since 2.6.38-rc2 and is safe for
      cross merging into the net branch.
      Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
      Reviewed-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f942dc25