Received: by 10.223.185.116 with SMTP id b49csp2464121wrg;
        Mon, 12 Feb 2018 09:57:55 -0800 (PST)
X-Google-Smtp-Source: AH8x2245f8ewRvQxitzUkKvqyGWI9NI2OVNyJ/bAplZdVyyQjTayqSutMC8+b8OpE8P2a5AYqxfw
X-Received: by 2002:a17:902:7b98:: with SMTP id w24-v6mr3567363pll.328.1518458275334;
        Mon, 12 Feb 2018 09:57:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518458275; cv=none;
        d=google.com; s=arc-20160816;
        b=Lt+wyHcWUdhvXEuHBp6gzQaR/MSDHj7gZDA2fJjWvauhE5HgoO4yy2U24+jSwlMsjB
         L5p1vPX+m0sg2io8z+0f1I3bWYyrESBxtbEmtDjxiprV//jJj9a4ovF/iXb9NEWZP/wi
         WrRXm1VkalHmPON96RCB1aeFA+PVPXrf1jJaFdKWWUV85eC1fQhZx5EwaL+YkL+RrHWX
         peQcFbmfaTRW2r5iTykjKiwUFvd1Iab0U+a3FNhCLD/WPW224oNgPOXRfu49zleKmiTx
         4hjFfaaTWlspJCsZuQa54IDVkNhDnjrbituHijR4gm+5FcSnGHEEsSgau0UbD3M14inN
         sxYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=0q89QBviKetRZFPizfQMI/Wh6eTsRapr7AmsnQoiJps=;
        b=INADCc1y1vlAJdc48sUBzBniFaxsDVlc/8wzcQAS12OYnQxHHPwnSRFKoSp5nIv+Or
         iol++6aZMGQPqG31a+nBYCpruO1q9wQruDX5igPBwkFMFpzosFFBIfBt9xvwhZj2Mu6v
         uAalxlihwnwiprn7mQKdYvxBA0/IjVckgzcH224gTgjc/OG9HSoYGhg7MWiHXx/DYC+E
         qKfQGIcFJzWMtjvoFkgAYkDcdBCWZd+3H1rr67XvnTguk/ZMrfSe7csX30uExtNhIOXs
         u8yKivoBu6fv4ME1tFv+lH0JNv3w2hwrHYGTyWGzIGtQFnbEKHiSfGvpTMZLoWGoFrG4
         AUuQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=X1QBQmni;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d64si6599733pfa.40.2018.02.12.09.57.40;
        Mon, 12 Feb 2018 09:57:55 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=X1QBQmni;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932195AbeBLR5C (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Mon, 12 Feb 2018 12:57:02 -0500
Received: from mail-qt0-f182.google.com ([209.85.216.182]:36805 "EHLO
        mail-qt0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751386AbeBLR5A (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Feb 2018 12:57:00 -0500
Received: by mail-qt0-f182.google.com with SMTP id q18so582864qtl.3;
        Mon, 12 Feb 2018 09:56:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=0q89QBviKetRZFPizfQMI/Wh6eTsRapr7AmsnQoiJps=;
        b=X1QBQmnis0nHxuxYsgcPstSNZTKlfO3WJRNdhHPLE+RSDiiC9U94cA35tvxbOnzDdG
         c1Fyh80+vQsRSflMOfQ0cf1DZndB5uiGH62W+8o52+lbcWykGCVdA3XzWSv9cgtxhqfC
         l2t48b94HMGLw3LiSVYYTcPkLk/6Pe4/8/TlUZA4uVLhGgM7SjaLhaGYMzbxWC3HSr61
         k568+PGzZey1SxOC8hGmBEK0a//4LPgYEgHltMyuWIhTJl6qu74l3/Eom2wRs8/SKreA
         fN72DXcswX2zo5D/5BByMiAkHbwMfiYC3G4JP0VCDWIPWdDWX40NVto9mBzkh+cnu9IX
         TfBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=0q89QBviKetRZFPizfQMI/Wh6eTsRapr7AmsnQoiJps=;
        b=O5vjgyCdc50Z7Plfe4MTAifnQqf4MGBYj1Q0OuQ+insopwJRF5Tkd8SMDGU8CWPLF4
         09/nT4ip5guSw/rw1IBspix3OB1UrTNenlESbt1DSBBtIophwJAzxlBSvYXlc97ElnLq
         GOtobKM+ZaeNM5KUdBRrbB7yraiL67DsprgE8BcM32mtu9RMXNZY7XgWPKGb/HruzOTQ
         EvZ9VoY+xbY6cvplybC7iXUjctsmfiN3xkduGvYp3EJNpbPNeMN4H6GVP0OL5iNloyZ4
         Ed853M5nQhZsZHoTp8Y9UG9fd1vgdxAPaKBMZe4/GRq/WexMoLNV7o4BaUPtQ8tf2AE/
         cTkg==
X-Gm-Message-State: APf1xPCu5FBwpxi04aZIlIoTVW+urLBy/QEH4EGparQkVpdH9d+JDhiq
        sq77bt0JGNoXbIdw9DKcaWsLz5rtpVWfEuQDcp8=
X-Received: by 10.200.1.77 with SMTP id f13mr19978714qtg.177.1518458219098;
 Mon, 12 Feb 2018 09:56:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.104.143 with HTTP; Mon, 12 Feb 2018 09:56:58 -0800 (PST)
In-Reply-To: <20180212174341.GC75542@bhelgaas-glaptop.roam.corp.google.com>
References: <1516710549-26660-1-git-send-email-arjun@chelsio.com> <20180212174341.GC75542@bhelgaas-glaptop.roam.corp.google.com>
From:   Alexander Duyck <alexander.duyck@gmail.com>
Date:   Mon, 12 Feb 2018 09:56:58 -0800
Message-ID: <CAKgT0Ucr7SZURefYtCSziNhPF_cc66tT7GzSp0u43-2tJ=Lt_A@mail.gmail.com>
Subject: Re: [REGRESSION, bisect] pci: cxgb4 probe fails after commit
 104daa71b3961434 ("PCI: Determine actual VPD size on first access")
To:     Bjorn Helgaas <helgaas@kernel.org>
Cc:     Arjun Vynipadath <arjun@chelsio.com>,
        Bjorn Helgaas <bhelgaas@google.com>, linux-pci@vger.kernel.org,
        linux-kernel@vger.kernel.org, David Miller <davem@davemloft.net>,
        Netdev <netdev@vger.kernel.org>,
        Casey Leedom <leedom@chelsio.com>,
        Santosh Raspatur <santosh@chelsio.com>,
        Ganesh Goudar <ganeshgr@chelsio.com>, nirranjan@chelsio.com,
        kumaras@chelsio.com, swise@opengridcomputing.com,
        Hannes Reinecke <hare@suse.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 12, 2018 at 9:43 AM, Bjorn Helgaas <helgaas@kernel.org> wrote:
> On Tue, Jan 23, 2018 at 05:59:09PM +0530, Arjun Vynipadath wrote:
>> Sending on behalf of "Casey Leedom <leedom@chelsio.com>"
>>
>> Way back on April 11, 2016 we reported a regression in Linux kernel 4.6-rc2
>> brought on by kernel.org commit 104daa71b396. This commit calculates the
>> size of a PCI Device's VPD area by parsing the VPD Structure at offset 0x000,
>> and restricts accesses to the VPD to that computed size.
>>
>> Our devices have a second VPD structure which is located starting at offset
>> 0x400 which is the "real" VPD[1].  The 104daa71b396 commit (plus a follow on
>> commit 408641e93aa5) caused efforts to read past the end of that computed
>> length of the VPD to return silently without error leaving stack junk in the
>> VPD read buffers.
>>
>> We introduced kernel.org commit cb92148b to allow a driver to tell the
>> kernel how large the VPD area really is, introducing a new API
>> pci_set_vpd_size() for this purpose.
>>
>> Now we've discovered a new subtlety to the problem.
>>
>> We have a KVM Hypervisor running a 4.9.70 kernel.  So it has all of the
>> above commits.  When we attach our Physical Function 4 to a Virtual Machine
>> and attempt to run cxgb4 in that VM, we see the problem again.  The issue is
>> that all of the VM Guest OS's efforts to access the PCIe VPD Capability are
>> trapped into the KVM 4.9.70 kernel and executed there, with the results
>> routed back to the VM Guest OS.  The cxgb4 driver in the VM Guest OS uses
>> the new pci_set_vpd_size() to notify the OS of the true size of the VPD, but
>> that information of course is never sent to the KVM 4.9.70 Hypervisor.
>> (And, truth be told, if the Guest OS were older than 4.6, it wouldn't even
>> know that it needed to do this.)  The result is that again we get silent VPD
>> read failures with random stack garbage in the VPD read buffers. (sigh)
>
> Let me pull out one tiny piece of this problem: If the VPD read
> returns failure, the caller should not look at the read buffer.  But
> we should *never* copy random stack garbage into the read buffer, no
> matter what the VPD read returns.
>
> I guess it's the 4.9.70 kernel that's putting garbage into the VPD
> read buffer?  Is this something that needs to be fixed in the current
> upstream kernel?

My guess would be that it is not random stack garbage that is being
put in the read. If the read buffer was not initialized it will
contain random data. I suspect that is what we are likely seeing is
the use of uninitialized memory for the read buffer.

There should already be a fix for this that was added in commit
1c7de2b4ff88 "PCI: Enable access to non-standard VPD for Chelsio
devices (cxgb3)". If you are missing device IDs you need to add them
to the existing quirk in order to make certain all your devices are
covered. Just adding the quirk to your driver won't fix the issue.
Adding a workaround to KVM that allows for you to circumvent this
would just make for a huge security hole since as I recall one of the
reasons why we were putting the limits on this in the first place was
because access to uninitialized VPD memory on some devices was causing
some pretty serious issues.

- Alex