Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932946AbcJLNAB (ORCPT <rfc822;w@1wt.eu>);
        Wed, 12 Oct 2016 09:00:01 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:42386 "EHLO
        userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933063AbcJLM7r (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Oct 2016 08:59:47 -0400
Date: Wed, 12 Oct 2016 08:59:32 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: lizf@kernel.org
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
        Jan Beulich <JBeulich@suse.com>,
        David Vrabel <david.vrabel@citrix.com>, Zefan Li <lizefan@huawei.com>
Subject: Re: [PATCH 3.4 096/125] xen/pciback: Save xen_pci_op commands before
 processing it
Message-ID: <20161012125932.GA27599@char.us.oracle.com>
References: <1476275600-4626-1-git-send-email-lizf@kernel.org>
 <1476275641-4697-96-git-send-email-lizf@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1476275641-4697-96-git-send-email-lizf@kernel.org>
User-Agent: Mutt/1.6.2 (2016-07-01)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3531
Lines: 100

On Wed, Oct 12, 2016 at 08:33:32PM +0800, lizf@kernel.org wrote:
> From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> 
> 3.4.113-rc1 review patch.  If anyone has any objections, please let me know.

You also need:


commit d159457b84395927b5a52adb72f748dd089ad5e5
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Thu Feb 11 16:10:24 2016 -0500

    xen/pciback: Save the number of MSI-X entries to be copied later.

    Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save
    xen_pci_op commands before processing it) broke enabling MSI-X because
    it would never copy the resulting vectors into the response.  The

Thanks.
> 
> ------------------
> 
> 
> commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 upstream.
> 
> Double fetch vulnerabilities that happen when a variable is
> fetched twice from shared memory but a security check is only
> performed the first time.
> 
> The xen_pcibk_do_op function performs a switch statements on the op->cmd
> value which is stored in shared memory. Interestingly this can result
> in a double fetch vulnerability depending on the performed compiler
> optimization.
> 
> This patch fixes it by saving the xen_pci_op command before
> processing it. We also use 'barrier' to make sure that the
> compiler does not perform any optimization.
> 
> This is part of XSA155.
> 
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Signed-off-by: Jan Beulich <JBeulich@suse.com>
> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Signed-off-by: Zefan Li <lizefan@huawei.com>
> ---
>  drivers/xen/xen-pciback/pciback.h     |  1 +
>  drivers/xen/xen-pciback/pciback_ops.c | 15 ++++++++++++++-
>  2 files changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/xen/xen-pciback/pciback.h b/drivers/xen/xen-pciback/pciback.h
> index a7def01..7a642e3 100644
> --- a/drivers/xen/xen-pciback/pciback.h
> +++ b/drivers/xen/xen-pciback/pciback.h
> @@ -37,6 +37,7 @@ struct xen_pcibk_device {
>  	struct xen_pci_sharedinfo *sh_info;
>  	unsigned long flags;
>  	struct work_struct op_work;
> +	struct xen_pci_op op;
>  };
>  
>  struct xen_pcibk_dev_data {
> diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
> index d52703c..a751a66 100644
> --- a/drivers/xen/xen-pciback/pciback_ops.c
> +++ b/drivers/xen/xen-pciback/pciback_ops.c
> @@ -297,9 +297,11 @@ void xen_pcibk_do_op(struct work_struct *data)
>  		container_of(data, struct xen_pcibk_device, op_work);
>  	struct pci_dev *dev;
>  	struct xen_pcibk_dev_data *dev_data = NULL;
> -	struct xen_pci_op *op = &pdev->sh_info->op;
> +	struct xen_pci_op *op = &pdev->op;
>  	int test_intx = 0;
>  
> +	*op = pdev->sh_info->op;
> +	barrier();
>  	dev = xen_pcibk_get_pci_dev(pdev, op->domain, op->bus, op->devfn);
>  
>  	if (dev == NULL)
> @@ -341,6 +343,17 @@ void xen_pcibk_do_op(struct work_struct *data)
>  		if ((dev_data->enable_intx != test_intx))
>  			xen_pcibk_control_isr(dev, 0 /* no reset */);
>  	}
> +	pdev->sh_info->op.err = op->err;
> +	pdev->sh_info->op.value = op->value;
> +#ifdef CONFIG_PCI_MSI
> +	if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
> +		unsigned int i;
> +
> +		for (i = 0; i < op->value; i++)
> +			pdev->sh_info->op.msix_entries[i].vector =
> +				op->msix_entries[i].vector;
> +	}
> +#endif
>  	/* Tell the driver domain that we're done. */
>  	wmb();
>  	clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
> -- 
> 1.9.1
>