From: "Burakov, Anatoly"
To: Haiyue Wang, dev@dpdk.org
Cc: stable@dpdk.org
Date: Mon, 22 Jun 2020 13:11:48 +0100
Subject: Re: [dpdk-dev] [PATCH v3] bus/pci: fix VF bus error for memory access
Message-ID: <8a8efd84-5acb-4ad3-dba4-641853730796@intel.com>
In-Reply-To: <20200622111351.101006-1-haiyue.wang@intel.com>
References: <20200621174035.6858-1-haiyue.wang@intel.com> <20200622111351.101006-1-haiyue.wang@intel.com>
On 22-Jun-20 12:13 PM, Haiyue Wang wrote:
> To fix CVE-2020-12888, the linux vfio-pci module will invalidate mmaps
> and block MMIO access on disabled memory; it will send a SIGBUS to the
> application:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abafbc551fddede3e0a08dee1dcde08fc0eb8476
>
> When the application opens the vfio PCI device, the vfio-pci module will
> enable the bus memory space through PCI read/write access. According to
> the PCIe specification, the 'Memory Space Enable' is always zero for VF:
>
> Table 9-13 Command Register Changes
>
> Bit Location | PF and VF Register Differences  | PF         | VF
>              | From Base                       | Attributes | Attributes
> -------------+---------------------------------+------------+-----------
>              | Memory Space Enable - Does not  |            |
>              | apply to VFs. Must be hardwired |            |
>      1       | to 0b for VFs. VF Memory Space  | Base       | 0b
>              | is controlled by the VF MSE bit |            |
>              | in the VF Control register.     |            |
> -------------+---------------------------------+------------+-----------
>
> Afterwards the vfio-pci will initialize its own virtual PCI config space
> data ('vconfig') by reading the VF's physical PCI config space, then the
> 'Memory Space Enable' bit in vconfig will always be 0b value. This will
> make the vfio-pci treat the BAR memory space as disabled, and a SIGBUS
> will be triggered if these BARs are accessed.
>
> By investigation, the VF PCI device *passthrough* into the Guest OS by
> QEMU has the 'Memory Space Enable' with 1b value. That's because every
> PCI driver will start to enable the memory space, and this action will
> be hooked by vfio-pci virtual PCI read/write to set the 'Memory Space
> Enable' in vconfig space to 1b. So a VF running in the guest OS has 'Mem+',
> but a VF running in the host OS has 'Mem-'.
>
> To align with the PCI working mode in Guest/QEMU/Host, in DPDK enable the
> PCI bus memory space explicitly to avoid access on disabled memory.
>
> Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping")
> Cc: stable@dpdk.org
>
> Signed-off-by: Haiyue Wang
> ---
> v3: update the commit log, and fix one debug log with redundant
>     description.
> v2: Rewrite the commit log, and put the link into it even though it is long.
> ---

Acked-by: Anatoly Burakov

-- 
Thanks,
Anatoly
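The mechanism described in the commit message, as an added example that is not DPDK's code nor the patch author's: a user-space driver reads the PCI Command register through the vfio-pci config-space region, and sets the Memory Space Enable bit (bit 1, 'Mem+') explicitly if the device reports it clear, which is what a VF on the host does. The config region index (7) and the index-shifted-by-40 region offset are the Linux vfio-pci layout, and PCI_COMMAND / PCI_COMMAND_MEMORY are the standard PCI offsets, but all four are redefined locally here so the example builds without the kernel headers. The function names, the `base` parameter and the temporary file standing in for a VF's config space are this example's own assumptions; on a real device `fd` would be the vfio device fd and `base` the config region offset.

```c
#define _GNU_SOURCE
/*
 * Added example (not DPDK's own code): enable PCI bus memory space through
 * the vfio-pci config-space region, mirroring what the patch does so that
 * BAR accesses are not treated as accesses to disabled memory (SIGBUS after
 * the CVE-2020-12888 fix). Values are reconstructed from the Linux PCI/vfio
 * headers rather than included from them, so this compiles anywhere.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PCI_COMMAND                  0x04    /* Command register offset in config space */
#define PCI_COMMAND_MEMORY           0x0002  /* Memory Space Enable (MSE) bit */
#define VFIO_PCI_CONFIG_REGION_INDEX 7       /* vfio-pci region index of config space */
#define VFIO_REGION_OFFSET(idx)      ((off_t)(idx) << 40) /* vfio-pci: index << 40 */

/* True when a Command register value has MSE set, i.e. lspci shows "Mem+". */
int pci_command_mem_enabled(uint16_t cmd)
{
	return (cmd & PCI_COMMAND_MEMORY) != 0;
}

/* Read the little-endian 16-bit Command register at base + PCI_COMMAND. */
static int read_command(int fd, off_t base, uint16_t *cmd)
{
	uint8_t b[2];

	if (lseek(fd, base + PCI_COMMAND, SEEK_SET) < 0)
		return -1;
	if (read(fd, b, sizeof(b)) != (ssize_t)sizeof(b))
		return -1;
	*cmd = (uint16_t)(b[0] | (b[1] << 8));
	return 0;
}

/* Write the Command register back in PCI (little-endian) byte order. */
static int write_command(int fd, off_t base, uint16_t cmd)
{
	uint8_t b[2] = { (uint8_t)(cmd & 0xff), (uint8_t)(cmd >> 8) };

	if (lseek(fd, base + PCI_COMMAND, SEEK_SET) < 0)
		return -1;
	return write(fd, b, sizeof(b)) == (ssize_t)sizeof(b) ? 0 : -1;
}

/*
 * Set MSE if it is clear. `base` is the byte offset of the config region in
 * fd: VFIO_REGION_OFFSET(VFIO_PCI_CONFIG_REGION_INDEX) for a vfio device fd,
 * 0 for the plain-file stand-in below. Returns 1 if this call set the bit,
 * 0 if it was already set (no write issued), -1 on I/O error.
 */
int vfio_pci_enable_bus_memory(int fd, off_t base)
{
	uint16_t cmd;

	if (read_command(fd, base, &cmd) < 0)
		return -1;
	if (pci_command_mem_enabled(cmd))
		return 0;
	cmd |= PCI_COMMAND_MEMORY;
	return write_command(fd, base, cmd) < 0 ? -1 : 1;
}

/*
 * Offline stand-in for a host VF: a constructed 256-byte config space in a
 * temporary file whose Command register is all zero ("Mem-"). Runs the
 * enable routine twice (second call must be a no-op) and returns the Command
 * register value afterwards, or 0xFFFF on any failure.
 */
uint16_t demo_on_fake_vf_config(void)
{
	uint8_t cfg[256];
	uint16_t cmd = 0xFFFF;
	FILE *f = tmpfile();
	int fd;

	if (f == NULL)
		return 0xFFFF;
	memset(cfg, 0, sizeof(cfg));            /* constructed sample: Mem- VF */
	fd = fileno(f);
	if (write(fd, cfg, sizeof(cfg)) != (ssize_t)sizeof(cfg) ||
	    vfio_pci_enable_bus_memory(fd, 0) != 1 ||
	    vfio_pci_enable_bus_memory(fd, 0) != 0 ||
	    read_command(fd, 0, &cmd) < 0)
		cmd = 0xFFFF;
	fclose(f);
	return cmd;
}

int main(void)
{
	uint16_t cmd = demo_on_fake_vf_config();

	printf("Command register after enable: 0x%04x (%s)\n", cmd,
	       pci_command_mem_enabled(cmd) ? "Mem+" : "Mem-");
	return pci_command_mem_enabled(cmd) ? 0 : 1;
}
```

The read-before-write matters for the guest/QEMU case the message describes: there the virtual config space already shows 'Mem+', and the routine leaves it untouched rather than issuing a redundant config write.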