From: luca.boccassi@gmail.com
To: Haiyue Wang
Cc: Anatoly Burakov, Harman Kalra, David Marchand, Thierry Martin, dpdk stable
Date: Fri, 24 Jul 2020 12:58:09 +0100
Message-Id: <20200724120030.1863487-51-luca.boccassi@gmail.com>
Subject: [dpdk-stable] patch 'bus/pci: fix VF memory access' has been queued to stable release 19.11.4

Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/26/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
From 2381dc9e10050265ee3c6abf178328eee4322804 Mon Sep 17 00:00:00 2001
From: Haiyue Wang
Date: Thu, 25 Jun 2020 11:50:46 +0800
Subject: [PATCH] bus/pci: fix VF memory access

[ upstream commit 54f3fb127d9c265a5724d193e5c7c6db29fb4150 ]

To fix CVE-2020-12888, the linux vfio-pci module will invalidate mmaps
and block MMIO access on disabled memory, it will send a SIGBUS to the
application:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abafbc551fdd

When the application opens the vfio PCI device, the vfio-pci module will
enable the bus memory space through PCI read/write access. According to
the PCIe specification, the 'Memory Space Enable' is always zero for VF:

Table 9-13 Command Register Changes

Bit Location | PF and VF Register Differences | PF         | VF
             | From Base                      | Attributes | Attributes
-------------+--------------------------------+------------+-----------
             | Memory Space Enable - Does not |            |
             | apply to VFs. Must be hardwired| Base       | 0b
      1      | to 0b for VFs. VF Memory Space |            |
             | is controlled by the VF MSE bit|            |
             | in the VF Control register.    |            |
-------------+--------------------------------+------------+-----------

Afterwards the vfio-pci will initialize its own virtual PCI config space
data ('vconfig') by reading the VF's physical PCI config space, then the
'Memory Space Enable' bit in vconfig will always be 0b value. This will
make the vfio-pci treat the BAR memory space as disabled, and the SIGBUS
will be triggered if access these BARs.

By investigation, the VF PCI device *passthrough* into the Guest OS by
QEMU has the 'Memory Space Enable' with 1b value. That's because every
PCI driver will start to enable the memory space, and this action will
be hooked by vfio-pci virtual PCI read/write to set the 'Memory Space
Enable' in vconfig space to 1b.

So VF runs in guest OS has 'Mem+', but VF runs in host OS has 'Mem-'.

Align with PCI working mode in Guest/QEMU/Host, in DPDK, enable the PCI
bus memory space explicitly to avoid access on disabled memory.

Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping") Signed-off-by: Haiyue Wang Acked-by: Anatoly Burakov Tested-by: Harman Kalra Tested-by: David Marchand Tested-by: Thierry Martin --- drivers/bus/pci/linux/pci_vfio.c | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/drivers/bus/pci/linux/pci_vfio.c b/drivers/bus/pci/linux/pci_vfio.c index 64cd84a68..ba60e7ce9 100644 --- a/drivers/bus/pci/linux/pci_vfio.c +++ b/drivers/bus/pci/linux/pci_vfio.c @@ -149,6 +149,38 @@ pci_vfio_get_msix_bar(int fd, struct pci_msix_table *msix_table) return 0; } +/* enable PCI bus memory space */ +static int +pci_vfio_enable_bus_memory(int dev_fd) +{ + uint16_t cmd; + int ret; + + ret = pread64(dev_fd, &cmd, sizeof(cmd), + VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) + + PCI_COMMAND); + + if (ret != sizeof(cmd)) { + RTE_LOG(ERR, EAL, "Cannot read command from PCI config space!\n"); + return -1; + } + + if (cmd & PCI_COMMAND_MEMORY) + return 0; + + cmd |= PCI_COMMAND_MEMORY; + ret = pwrite64(dev_fd, &cmd, sizeof(cmd), + VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) + + PCI_COMMAND); + + if (ret != sizeof(cmd)) { + RTE_LOG(ERR, EAL, "Cannot write command to PCI config space!\n"); + return -1; + } + + return 0; +} + /* set PCI bus mastering */ static int pci_vfio_set_bus_master(int dev_fd, bool op) @@ -427,6 +459,11 @@ pci_rte_vfio_setup_device(struct rte_pci_device *dev, int vfio_dev_fd) return -1; } + if (pci_vfio_enable_bus_memory(vfio_dev_fd)) { + RTE_LOG(ERR, EAL, "Cannot enable bus memory!\n"); + return -1; + } + /* set bus mastering for the device */ if (pci_vfio_set_bus_master(vfio_dev_fd, true)) { RTE_LOG(ERR, EAL, "Cannot set up bus mastering!\n"); -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-07-24 12:53:50.576143210 +0100 +++ 0051-bus-pci-fix-VF-memory-access.patch 2020-07-24 12:53:48.275006236 +0100 
@@ -1,8 +1,10 @@ -From 54f3fb127d9c265a5724d193e5c7c6db29fb4150 Mon Sep 17 00:00:00 2001 +From 2381dc9e10050265ee3c6abf178328eee4322804 Mon Sep 17 00:00:00 2001 From: Haiyue Wang Date: Thu, 25 Jun 2020 11:50:46 +0800 Subject: [PATCH] bus/pci: fix VF memory access +[ upstream commit 54f3fb127d9c265a5724d193e5c7c6db29fb4150 ] + To fix CVE-2020-12888, the linux vfio-pci module will invalidate mmaps and block MMIO access on disabled memory, it will send a SIGBUS to the application: @@ -41,7 +43,6 @@ bus memory space explicitly to avoid access on disabled memory. Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping") -Cc: stable@dpdk.org Signed-off-by: Haiyue Wang Acked-by: Anatoly Burakov
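
Review bot: In pci_vfio_enable_bus_memory(), ret is declared as int but receives the pread64()/pwrite64() result and is then compared with sizeof(cmd), so a signed value is compared against an unsigned one, and a failed call is logged with the same text as a short transfer and without errno. Consider making ret an ssize_t, comparing against (ssize_t)sizeof(cmd), and appending strerror(errno) to the "Cannot read command from PCI config space!" and "Cannot write command to PCI config space!" messages when ret is negative. The one-line comment "/* enable PCI bus memory space */" could also say why the call is needed (per the commit message, a VF's Memory Space Enable bit reads as 0 in vconfig and vfio-pci then raises SIGBUS on BAR access), so that it is not later removed as redundant.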
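
Review bot: In the pci_rte_vfio_setup_device() hunk, the new error path logs "Cannot enable bus memory!" immediately after pci_vfio_enable_bus_memory() has already logged its own read or write failure, and neither message identifies the device. Suggest keeping a single message and including the device identity from dev in it, so that a failure on one VF among many can be attributed from the log alone.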