From: Harman Kalra
To: Haiyue Wang
Date: Tue, 23 Jun 2020 20:42:23 +0530
Subject: Re: [dpdk-stable] [dpdk-dev] [PATCH v3] bus/pci: fix VF bus error for memory access
Message-ID: <20200623151222.GA23588@outlook.office365.com>
In-Reply-To: <20200622111351.101006-1-haiyue.wang@intel.com>
References: <20200621174035.6858-1-haiyue.wang@intel.com> <20200622111351.101006-1-haiyue.wang@intel.com>
List-Id: patches for DPDK stable branches

On Mon, Jun 22, 2020 at 07:13:51PM +0800, Haiyue Wang wrote:
> To fix CVE-2020-12888, the linux
> vfio-pci module will invalidate mmaps
> and block MMIO access on disabled memory, it will send a SIGBUS to the
> application:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__git.kernel.org_pub_scm_linux_kernel_git_torvalds_linux.git_commit_-3Fid-3Dabafbc551fddede3e0a08dee1dcde08fc0eb8476&d=DwIDAg&c=nKjWec2b6R0mOyPaz7xtfQ&r=5ESHPj7V-7JdkxT_Z_SU6RrS37ys4UXudBQ_rrS5LRo&m=L4wvNYSLDBSsweJGHfGSw3cDNDi0ioJdsQbH2-pEVqE&s=9v3r9tYw6p5Paet2O3Nc2IPdOL1-o77RjYJx5H8G0vc&e=
>
> When the application opens the vfio PCI device, the vfio-pci module will
> enable the bus memory space through PCI read/write access. According to
> the PCIe specification, the 'Memory Space Enable' is always zero for VF:
>
>    Table 9-13 Command Register Changes
>
>  Bit Location | PF and VF Register Differences | PF         | VF
>               | From Base                      | Attributes | Attributes
>  -------------+--------------------------------+------------+-----------
>               | Memory Space Enable - Does not |            |
>               | apply to VFs. Must be hardwired| Base       | 0b
>       1       | to 0b for VFs. VF Memory Space |            |
>               | is controlled by the VF MSE bit|            |
>               | in the VF Control register.    |            |
>  -------------+--------------------------------+------------+-----------
>
> Afterwards the vfio-pci will initialize its own virtual PCI config space
> data ('vconfig') by reading the VF's physical PCI config space, then the
> 'Memory Space Enable' bit in vconfig will always be 0b value. This will
> make the vfio-pci treat the BAR memory space as disabled, and the SIGBUS
> will be triggered if these BARs are accessed.
>
> By investigation, the VF PCI device *passthrough* into the Guest OS by
> QEMU has the 'Memory Space Enable' with 1b value. That's because every
> PCI driver will start to enable the memory space, and this action will
> be hooked by vfio-pci virtual PCI read/write to set the 'Memory Space
> Enable' in vconfig space to 1b. So VF runs in guest OS has 'Mem+', but
> VF runs in host OS has 'Mem-'.
> > Align with PCI working mode in Guest/QEMU/Host, in DPDK, enable the PCI > bus memory space explicitly to avoid access on disabled memory. > > Fixes: 33604c31354a ("vfio: refactor PCI BAR mapping") > Cc: stable@dpdk.org > > Signed-off-by: Haiyue Wang Tested-by: Harman Kalra > --- > v3: update the commit log, and fix one debug log with redundant > description. > v2: Rewrite the commit log, and put the link into it even it is long. > --- > drivers/bus/pci/linux/pci_vfio.c | 37 ++++++++++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > > diff --git a/drivers/bus/pci/linux/pci_vfio.c b/drivers/bus/pci/linux/pci_vfio.c > index 64cd84a68..ba60e7ce9 100644 > --- a/drivers/bus/pci/linux/pci_vfio.c > +++ b/drivers/bus/pci/linux/pci_vfio.c > @@ -149,6 +149,38 @@ pci_vfio_get_msix_bar(int fd, struct pci_msix_table *msix_table) > return 0; > } > > +/* enable PCI bus memory space */ > +static int > +pci_vfio_enable_bus_memory(int dev_fd) > +{ > + uint16_t cmd; > + int ret; > + > + ret = pread64(dev_fd, &cmd, sizeof(cmd), > + VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) + > + PCI_COMMAND); > + > + if (ret != sizeof(cmd)) { > + RTE_LOG(ERR, EAL, "Cannot read command from PCI config space!\n"); > + return -1; > + } > + > + if (cmd & PCI_COMMAND_MEMORY) > + return 0; > + > + cmd |= PCI_COMMAND_MEMORY; > + ret = pwrite64(dev_fd, &cmd, sizeof(cmd), > + VFIO_GET_REGION_ADDR(VFIO_PCI_CONFIG_REGION_INDEX) + > + PCI_COMMAND); > + > + if (ret != sizeof(cmd)) { > + RTE_LOG(ERR, EAL, "Cannot write command to PCI config space!\n"); > + return -1; > + } > + > + return 0; > +} > + > /* set PCI bus mastering */ > static int > pci_vfio_set_bus_master(int dev_fd, bool op) 
> @@ -427,6 +459,11 @@ pci_rte_vfio_setup_device(struct rte_pci_device *dev, int vfio_dev_fd) > return -1; > } > > + if (pci_vfio_enable_bus_memory(vfio_dev_fd)) { > + RTE_LOG(ERR, EAL, "Cannot enable bus memory!\n"); > + return -1; > + } > + > /* set bus mastering for the device */ > if (pci_vfio_set_bus_master(vfio_dev_fd, true)) { > RTE_LOG(ERR, EAL, "Cannot set up bus mastering!\n"); > -- > 2.27.0 >
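
Review bot: in the first hunk (pci_vfio_enable_bus_memory), `ret` is declared `int` although it holds the result of pread64()/pwrite64() and is compared against `sizeof(cmd)`, and both error messages drop errno, so a short transfer and a failed call look identical in the log. Declaring it `ssize_t ret` and appending strerror(errno) to the two RTE_LOG lines when the call returns -1 would make a config-space access failure diagnosable. The function also returns 0 immediately after the write; reading the command word back and testing PCI_COMMAND_MEMORY would confirm the bit is now set, which is the condition the commit message says decides whether BAR access raises SIGBUS.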
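
Review bot: in the second hunk (pci_rte_vfio_setup_device), a failure is reported twice, once inside pci_vfio_enable_bus_memory() and again here as "Cannot enable bus memory!", and neither line says which device failed. Since this setup path runs per device, consider putting the device identity from `dev` into this message and keeping the cause in the helper's message. The call is made for every device that reaches this point, not only VFs, while the commit message argues from the VF case; a short comment above the call stating that PFs are covered on purpose, and that the helper returns early when PCI_COMMAND_MEMORY is already set, would document that.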
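
The behaviour the commit message describes (vconfig initialised from a VF whose physical Memory Space Enable bit is hardwired to 0b, BAR access blocked until a config write sets the bit in vconfig) is shown below as a small user-space model. This is an added example, not code from the patch, DPDK or the kernel; `model_dev` and the `model_*` functions are hypothetical names, and the command-word values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND_MEMORY 0x2 /* command register bit 1: Memory Space Enable */

/* Hypothetical model of one device behind vfio-pci (not kernel code). */
struct model_dev {
	bool is_vf;        /* VF: physical MSE is hardwired to 0b */
	uint16_t phys_cmd; /* physical command register */
	uint16_t vcmd;     /* command word kept in vconfig */
};

/* Write the command word: vconfig keeps MSE, a VF's physical bit stays 0b. */
static void model_write_cmd(struct model_dev *d, uint16_t cmd)
{
	d->vcmd = cmd;
	d->phys_cmd = d->is_vf ? (uint16_t)(cmd & ~PCI_COMMAND_MEMORY) : cmd;
}

/* Open: vconfig is initialised by reading the physical config space. */
static void model_open(struct model_dev *d, bool is_vf, uint16_t reset_cmd)
{
	d->is_vf = is_vf;
	model_write_cmd(d, reset_cmd);
	d->vcmd = d->phys_cmd;
}

/* BAR access gate; false stands for the blocked access that ends in SIGBUS. */
static bool model_bar_access_ok(const struct model_dev *d)
{
	return (d->vcmd & PCI_COMMAND_MEMORY) != 0;
}

/* The patch's read, test, set sequence, run against the model. */
static int model_enable_bus_memory(struct model_dev *d)
{
	if (!(d->vcmd & PCI_COMMAND_MEMORY))
		model_write_cmd(d, d->vcmd | PCI_COMMAND_MEMORY);
	return model_bar_access_ok(d) ? 0 : -1;
}

int main(void)
{
	struct model_dev vf;
	model_open(&vf, true, 0x0006); /* constructed value */
	printf("VF after open:   Mem%c\n", model_bar_access_ok(&vf) ? '+' : '-');
	model_enable_bus_memory(&vf);
	printf("VF after enable: Mem%c\n", model_bar_access_ok(&vf) ? '+' : '-');
	return 0;
}
```

In the model the VF's physical bit never changes; only the vconfig copy does, which is why the host sees 'Mem-' until some driver performs the write.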