Commit Graph

26 Commits

Author SHA1 Message Date
Mike Christie
00903af94d scsi: xen: Drop use of internal host codes
The error codes:

 - DID_TARGET_FAILURE

 - DID_NEXUS_FAILURE

 - DID_ALLOC_FAILURE

 - DID_MEDIUM_ERROR

are internal to the SCSI layer. Drivers must not use them because:

 1. They are not propagated upwards, so SG IO/passthrough users will not
    see an error and think a command was successful.

    xen-scsiback will never see this error and should not try to send it.

 2. There is no handling for them in scsi_decide_disposition() so if
    xen-scsifront were to return the error to the SCSI midlayer then it
    kicks off the error handler which is definitely not what we want.

Remove the use from xen-scsifront/back.

Link: https://lore.kernel.org/r/20220812010027.8251-2-michael.christie@oracle.com
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-09-06 22:05:58 -04:00
Juergen Gross
caa427d252 xen/scsifront: use xenbus_setup_ring() and xenbus_teardown_ring()
Simplify scsifront's ring creation and removal via xenbus_setup_ring()
and xenbus_teardown_ring().

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-05-19 14:22:03 +02:00
Juergen Gross
70920be6ff xen/scsifront: remove unused GRANT_INVALID_REF definition
GRANT_INVALID_REF isn't used in scsifront, so remove it.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-05-19 14:21:42 +02:00
Juergen Gross
6d1c2f48f3 xen/scsifront: harden driver against malicious backend
Instead of relying on a well behaved PV scsi backend verify all meta
data received from the backend and avoid multiple reads of the same
data from the shared ring page.

In case any illegal data from the backend is detected switch the
PV device to a new "error" state and deactivate it for further use.

Use the "lateeoi" variant for the event channel in order to avoid
event storms blocking the guest.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lore.kernel.org/r/20220428075323.12853-5-jgross@suse.com
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-05-19 14:02:49 +02:00
Juergen Gross
a2f6751d5a xen/scsifront: use new command result macros
Add a translation layer for the command result values.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lore.kernel.org/r/20220428075323.12853-4-jgross@suse.com
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-05-19 14:02:47 +02:00
Juergen Gross
c94b731da2 xen/grant-table: remove readonly parameter from functions
The gnttab_end_foreign_access() family of functions is taking a
"readonly" parameter, which isn't used. Remove it from the function
parameters.

Signed-off-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20220311103429.12845-3-jgross@suse.com
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
2022-03-15 20:34:40 -05:00
Juergen Gross
33172ab50a xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
It isn't enough to check whether a grant is still being in use by
calling gnttab_query_foreign_access(), as a mapping could be realized
by the other side just after having called that function.

In case the call was done in preparation of revoking a grant it is
better to do so via gnttab_try_end_foreign_access() and check the
success of that operation instead.

This is CVE-2022-23038 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
V2:
- use gnttab_try_end_foreign_access()
2022-03-07 09:48:54 +01:00
Bart Van Assche
fd17badb66 scsi: xen-scsifront: Call scsi_done() directly
Conditional statements are faster than indirect calls. Hence call
scsi_done() directly.

Link: https://lore.kernel.org/r/20211007204618.2196847-6-bvanassche@acm.org
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-10-16 21:31:43 -04:00
Bart Van Assche
80ca10b605 scsi: xen-scsifront: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
Prepare for removal of the request pointer by using scsi_cmd_to_rq()
instead. This patch does not change any functionality.

Link: https://lore.kernel.org/r/20210809230355.8186-50-bvanassche@acm.org
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-08-11 22:25:42 -04:00
Hannes Reinecke
b840abeffc scsi: xen-scsifront: Compability status handling
The Xen guest might run against arbitrary backends, so the driver might
receive a status with driver_byte set. Map these errors to DID_ERROR to be
consistent with recent changes.

Link: https://lore.kernel.org/r/20210427083046.31620-14-hare@suse.de
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-05-31 22:48:22 -04:00
Gustavo A. R. Silva
df561f6688 treewide: Use fallthrough pseudo-keyword
Replace the existing /* fall through */ comments and its variants with
the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
fall-through markings when it is the case.

[1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
2020-08-23 17:36:59 -05:00
Christoph Hellwig
e08ea3009f scsi: xen-scsifront: remove DISABLE_CLUSTERING
There is no such limitation in the protocol or implementation, so
remove it.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-12-18 23:13:12 -05:00
Gustavo A. R. Silva
9167f0dcc5 scsi: xen-scsifront: mark expected switch fall-through
In preparation to enabling -Wimplicit-fallthrough, mark switch cases where
we are expecting to fall through.

Notice that, in this particular case, I replaced "Missed the backend's
Closing state -- fallthrough" with "fall through - Missed the backend's
Closing state", which contains the "fall through" annotation at the
beginnig of the code comment, which is what GCC is expecting to find.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-11-28 21:47:30 -05:00
Zhouyang Jia
93efbd3987 scsi: xen-scsifront: add error handling for xenbus_printf
When xenbus_printf fails, the lack of error-handling code may
cause unexpected results.

This patch adds error-handling code after calling xenbus_printf.

Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2018-06-19 14:54:41 +02:00
Bart Van Assche
f7de50da14 scsi: xen-scsifront: Remove code that zeroes driver-private command data
Since the SCSI core zeroes driver-private command data, remove
that code from the xen-scsifront driver.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: xen-devel@lists.xenproject.org
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-06-12 21:02:04 -04:00
Geliang Tang
6483e3135a xen/scsifront: use offset_in_page() macro
Use offset_in_page() macro instead of open-coding.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2017-05-02 11:14:53 +02:00
Juergen Gross
3da96be58f xen/scsifront: don't request a slot on the ring until request is ready
Instead of requesting a new slot on the ring to the backend early, do
so only after all has been setup for the request to be sent. This
makes error handling easier as we don't need to undo the request id
allocation and ring slot allocation.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2016-12-09 10:59:13 +01:00
Quentin Lambert
1eb08545c0 xen-scsifront: Add a missing call to kfree
Most error branches following the call to kmalloc contain
a call to kfree. This patch add these calls where they are
missing.

This issue was found with Hector.

Signed-off-by: Quentin Lambert <lambert.quentin@gmail.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2016-11-24 09:23:14 +01:00
Juergen Gross
1080b38db4 xen: make use of xenbus_read_unsigned() in xen-scsifront
Use xenbus_read_unsigned() instead of xenbus_scanf() when possible.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: David Vrabel <david.vrabel@citrix.com>
2016-11-07 13:55:28 +01:00
Julien Grall
0df4f266b3 xen: Use correctly the Xen memory terminologies
Based on include/xen/mm.h [1], Linux is mistakenly using MFN when GFN
is meant, I suspect this is because the first support for Xen was for
PV. This resulted in some misimplementation of helpers on ARM and
confused developers about the expected behavior.

For instance, with pfn_to_mfn, we expect to get an MFN based on the name.
Although, if we look at the implementation on x86, it's returning a GFN.

For clarity and avoid new confusion, replace any reference to mfn with
gfn in any helpers used by PV drivers. The x86 code will still keep some
reference of pfn_to_mfn which may be used by all kind of guests
No changes as been made in the hypercall field, even
though they may be invalid, in order to keep the same as the defintion
in xen repo.

Note that page_to_mfn has been renamed to xen_page_to_gfn to avoid a
name to close to the KVM function gfn_to_page.

Take also the opportunity to simplify simple construction such
as pfn_to_mfn(page_to_pfn(page)) into xen_page_to_gfn. More complex clean up
will come in follow-up patches.

[1] http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=e758ed14f390342513405dd766e874934573e6cb

Signed-off-by: Julien Grall <julien.grall@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2015-09-08 18:03:49 +01:00
Wei Liu
ccc9d90a9a xenbus_client: Extend interface to support multi-page ring
Originally Xen PV drivers only use single-page ring to pass along
information. This might limit the throughput between frontend and
backend.

The patch extends Xenbus driver to support multi-page ring, which in
general should improve throughput if ring is the bottleneck. Changes to
various frontend / backend to adapt to the new interface are also
included.

Affected Xen drivers:
* blkfront/back
* netfront/back
* pcifront/back
* scsifront/back
* vtpmfront

The interface is documented, as before, in xenbus_client.c.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2015-04-15 10:56:47 +01:00
Juergen Gross
85617dc7ee xen: support suspend/resume in pvscsi frontend
Up to now the pvscsi frontend hasn't supported domain suspend and
resume. When a domain with an assigned pvscsi device was suspended
and resumed again, it was not able to use the device any more: trying
to do so resulted in hanging processes.

Support suspend and resume of pvscsi devices.

Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2015-03-16 14:49:15 +00:00
David Vrabel
95afae4814 xen: remove DEFINE_XENBUS_DRIVER() macro
The DEFINE_XENBUS_DRIVER() macro looks a bit weird and causes sparse
errors.

Replace the uses with standard structure definitions instead.  This is
similar to pci and usb device registration.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2014-10-06 10:27:57 +01:00
David Vrabel
7921a11c7b xen-scsifront: don't deadlock if the ring becomes full
scsifront_action_handler() will deadlock on host->host_lock, if the
ring is full and it has to wait for entries to become available.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
2014-10-03 12:34:40 +01:00
Dan Carpenter
d9b1e6374b xen-scsifront: use GFP_ATOMIC under spin_lock
This function is only called with a spin_lock held and IRQs disabled.
The allocation is not allowed to sleep and NOIO is not sufficient, it
has to be ATOMIC.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2014-09-23 13:36:19 +00:00
Juergen Gross
8beb8d4c91 xen-scsifront: Add Xen PV SCSI frontend driver
Introduces the Xen pvSCSI frontend. With pvSCSI it is possible for a
Xen domU to issue SCSI commands to a SCSI LUN assigned to that
domU. The SCSI commands are passed to the pvSCSI backend in a driver
domain (usually Dom0) which is owner of the physical device. This
allows e.g. to use SCSI tape drives in a Xen domU.

The code is taken from the pvSCSI implementation in Xen done by
Fujitsu based on Linux kernel 2.6.18.

Changes from the original version are:
- port to upstream kernel
- put all code in just one source file
- move module to appropriate location in kernel tree
- adapt to Linux style guide
- some minor code simplifications
- replace constants with defines
- remove not used defines
- add support for larger SG lists by putting them in a granted page

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
2014-09-23 13:36:19 +00:00