From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 1691BA0350;
	Sun, 21 Jun 2020 19:50:05 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 69BCC1C10D;
	Sun, 21 Jun 2020 19:50:04 +0200 (CEST)
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by dpdk.org (Postfix) with ESMTP id E0F851C0BD;
 Sun, 21 Jun 2020 19:50:02 +0200 (CEST)
IronPort-SDR: 74xQ7+43DJ1OHql54O5TXwoJSRJ0XkQtBfYIJTEdvEjyn1LxEzwPGGS8VySJjw8dwADf8neJYs
 6i8w9WSIE74w==
X-IronPort-AV: E=McAfee;i="6000,8403,9659"; a="141099784"
X-IronPort-AV: E=Sophos;i="5.75,263,1589266800"; d="scan'208";a="141099784"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
 by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 21 Jun 2020 10:50:01 -0700
IronPort-SDR: D3RS9yo3+sIRYajc3f2sm7sDfuKeqM1SywpaShz8FvHsW8zBzVwKKWob2FyrZMdd4wehS8mLD/
 iVpxbL5I6P/A==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,263,1589266800"; d="scan'208";a="264319707"
Received: from npg-dpdk-haiyue-1.sh.intel.com ([10.67.119.213])
 by fmsmga008.fm.intel.com with ESMTP; 21 Jun 2020 10:50:00 -0700
From: Haiyue Wang <haiyue.wang@intel.com>
To: dev@dpdk.org,
	anatoly.burakov@intel.com
Cc: Haiyue Wang <haiyue.wang@intel.com>,
	stable@dpdk.org
Date: Mon, 22 Jun 2020 01:40:35 +0800
Message-Id: <20200621174035.6858-1-haiyue.wang@intel.com>
X-Mailer: git-send-email 2.27.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH v1] bus/pci: fix VF bus error for memory access
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

To fix CVE-2020-12888, the linux vfio-pci module will invalidate mmaps
and block MMIO access on disabled memory, it will send a SIGBUS to the
application.

In fact, vfio-pci will enable the memory command when openning the PCI
device, but according to the PCIe specification, this enablement by real
PCI write command doesn't have effect, it still has 0 value:

    Table 9-13 Command Register Changes
Bit Location | PF and VF Register Differences | PF         | VF
             | From Base                      | Attributes | Attributes
-------------+--------------------------------+------------+-----------
             | Memory Space Enable - Does not |            |
             | apply to VFs. Must be hardwired|  Base      |  0b
     1       | to 0b for VFs. VF Memory Space |            |
             | is controlled by the VF MSE bit|            |
             | in the VF Control register.    |            |
-------------+--------------------------------+------------+-----------

So that when the vfio-pci initializes its own PCI configuration space
data called 'vconfig' by reading the VF's real configuration space, it
will have the memory command with 0b value, then, the vfio-pci finds the
BAR memory is disabled by checking the its vconfig space, and the SIGBUS
will be triggerred.

So it needs to enable PCI bus memory command explicitly to avoid access
on disabled memory, which will call vfio-pci ioctl to change the memory
command in vconfig space to 1b.

Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping")
Cc: stable@dpdk.org

Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
---
Put the long link here, since the patch doesn't support to add so long
line.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abafbc551fddede3e0a08dee1dcde08fc0eb8476
---
 drivers/bus/pci/linux/pci_vfio.c | 37 ++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/drivers/bus/pci/linux/pci_vfio.c b/drivers/bus/pci/linux/pci_vfio.c
index 64cd84a68..9b6e45da5 100644
--- a/drivers/bus/pci/linux/pci_vfio.c
+++ b/drivers/bus/pci/linux/pci_vfio.c
@@ -149,6 +149,38 @@ pci_vfio_get_msix_bar(int fd, struct pci_msix_table *msix_table)
 	return 0;
 }
 
+/* enable PCI bus memory command */
+static int
+pci_vfio_enable_bus_memory(int dev_fd)
+{
+	uint16_t cmd;
+	int ret;
+
+	ret = pread64(dev_fd, &cmd, sizeof(cmd),
+		      VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) +
+		      PCI_COMMAND);
+
+	if (ret != sizeof(cmd)) {
+		RTE_LOG(ERR, EAL, "Cannot read command from PCI config space!\n");
+		return -1;
+	}
+
+	if (cmd & PCI_COMMAND_MEMORY)
+		return 0;
+
+	cmd |= PCI_COMMAND_MEMORY;
+	ret = pwrite64(dev_fd, &cmd, sizeof(cmd),
+		       VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) +
+		       PCI_COMMAND);
+
+	if (ret != sizeof(cmd)) {
+		RTE_LOG(ERR, EAL, "Cannot write command to PCI config space!\n");
+		return -1;
+	}
+
+	return 0;
+}
+
 /* set PCI bus mastering */
 static int
 pci_vfio_set_bus_master(int dev_fd, bool op)
@@ -427,6 +459,11 @@ pci_rte_vfio_setup_device(struct rte_pci_device *dev, int vfio_dev_fd)
 		return -1;
 	}
 
+	if (pci_vfio_enable_bus_memory(vfio_dev_fd)) {
+		RTE_LOG(ERR, EAL, "Cannot enable bus memory command!\n");
+		return -1;
+	}
+
 	/* set bus mastering for the device */
 	if (pci_vfio_set_bus_master(vfio_dev_fd, true)) {
 		RTE_LOG(ERR, EAL, "Cannot set up bus mastering!\n");
-- 
2.27.0