From: David Marchand
Date: Thu, 25 Jun 2020 16:09:00 +0200
To: Haiyue Wang, Kevin Traynor, Luca Boccassi
Cc: dev, "Burakov, Anatoly", dpdk stable, Harman Kalra
Subject: Re: [dpdk-dev] [PATCH v4] bus/pci: fix VF bus error for memory access
References: <20200621174035.6858-1-haiyue.wang@intel.com> <20200625035046.19820-1-haiyue.wang@intel.com>
In-Reply-To: <20200625035046.19820-1-haiyue.wang@intel.com>
List-Id: DPDK patches and discussions

On Thu, Jun 25, 2020 at 6:00 AM Haiyue Wang wrote:
>
> To fix CVE-2020-12888, the linux vfio-pci module will invalidate mmaps
> and block MMIO access on disabled memory, it will send a SIGBUS to the
> application:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abafbc551fddede3e0a08dee1dcde08fc0eb8476
>
> When the application opens the vfio PCI device, the vfio-pci module will
> enable the bus memory space through PCI read/write access.
> According to the PCIe specification, the 'Memory Space Enable' is always
> zero for VF:
>
>             Table 9-13 Command Register Changes
>
> Bit Location | PF and VF Register Differences | PF         | VF
>              | From Base                      | Attributes | Attributes
> -------------+--------------------------------+------------+-----------
>              | Memory Space Enable - Does not |            |
>              | apply to VFs. Must be hardwired| Base       | 0b
>      1       | to 0b for VFs. VF Memory Space |            |
>              | is controlled by the VF MSE bit|            |
>              | in the VF Control register.    |            |
> -------------+--------------------------------+------------+-----------
>
> Afterwards the vfio-pci will initialize its own virtual PCI config space
> data ('vconfig') by reading the VF's physical PCI config space, then the
> 'Memory Space Enable' bit in vconfig will always be 0b value. This will
> make the vfio-pci treat the BAR memory space as disabled, and the SIGBUS
> will be triggered if access these BARs.
>
> By investigation, the VF PCI device *passthrough* into the Guest OS by
> QEMU has the 'Memory Space Enable' with 1b value. That's because every
> PCI driver will start to enable the memory space, and this action will
> be hooked by vfio-pci virtual PCI read/write to set the 'Memory Space
> Enable' in vconfig space to 1b. So VF runs in guest OS has 'Mem+', but
> VF runs in host OS has 'Mem-'.
>
> Align with PCI working mode in Guest/QEMU/Host, in DPDK, enable the PCI
> bus memory space explicitly to avoid access on disabled memory.
>
> Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping")
> Cc: stable@dpdk.org
>
> Signed-off-by: Haiyue Wang
> Acked-by: Anatoly Burakov
> Tested-by: Harman Kalra
> Tested-by: David Marchand

Tested-by: Thierry Martin

Applied, thanks again Haiyue.

Kevin, Luca,

I can see that some distros have already started backporting the fix in kernel (fc31, fc32 and rhel7 at least for what I saw).
18.11 and 19.11 will need this fix at some point.
I'll let you decide on the proper timing.

-- 
David Marchand
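The read-modify-write that the quoted commit message describes, setting 'Memory Space Enable' (bit 1 of the Command register, config offset 0x04) before the BARs are touched, shown as an added example that is not the DPDK patch itself. The function names and the temp file standing in for the vfio-pci config region are assumptions made for illustration; on a real device `fd` would be the vfio device fd and `cfg_base` the config region offset.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PCI_COMMAND_OFFSET 0x04   /* Command register in the config header */
#define PCI_COMMAND_MSE    0x0002 /* bit 1: Memory Space Enable */

/* Read the 16-bit little-endian Command register. On a real vfio device fd,
 * cfg_base comes from VFIO_DEVICE_GET_REGION_INFO (VFIO_PCI_CONFIG_REGION_INDEX). */
static int read_command(int fd, off_t cfg_base, uint16_t *cmd)
{
    uint8_t b[2];
    if (pread(fd, b, 2, cfg_base + PCI_COMMAND_OFFSET) != 2) return -1;
    *cmd = (uint16_t)(b[0] | (b[1] << 8));
    return 0;
}

/* Returns 1 if the bit had to be written, 0 if already set, -1 on I/O error. */
static int enable_bus_memory(int fd, off_t cfg_base)
{
    uint16_t cmd;
    if (read_command(fd, cfg_base, &cmd) != 0) return -1;
    if (cmd & PCI_COMMAND_MSE) return 0;   /* already enabled, skip the write */
    cmd |= PCI_COMMAND_MSE;
    uint8_t b[2] = { (uint8_t)(cmd & 0xff), (uint8_t)(cmd >> 8) };
    return pwrite(fd, b, 2, cfg_base + PCI_COMMAND_OFFSET) == 2 ? 1 : -1;
}

/* Constructed stand-in for a VF's config space: an unlinked temp file holding
 * a 64-byte header with Command = 0x0004 (Bus Master on, MSE off). */
static int make_constructed_config(void)
{
    char path[] = "/tmp/vf_cfg_XXXXXX";
    uint8_t hdr[64] = { [PCI_COMMAND_OFFSET] = 0x04 };
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (pwrite(fd, hdr, sizeof(hdr), 0) != (ssize_t)sizeof(hdr)) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    int fd = make_constructed_config();
    printf("MSE written: %d\n", enable_bus_memory(fd, 0));
    return fd < 0;
}
```

Against vfio-pci the write lands in the emulated config space ('vconfig'), which is the state the module consults when deciding whether BAR access is allowed.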