Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp36680pxp; Tue, 15 Mar 2022 23:03:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzgGY21BpHncuz+W+JrF4IxfStGPFZnsAvpdvxK48y2wZsyFb3TrHIxg6UA4Ouw+pM5XaZF X-Received: by 2002:a63:ec46:0:b0:381:81c4:ebbd with SMTP id r6-20020a63ec46000000b0038181c4ebbdmr2458838pgj.534.1647410593767; Tue, 15 Mar 2022 23:03:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647410593; cv=none; d=google.com; s=arc-20160816; b=D8/LHdIy6/lKovfU6S0+yDg8S9kmGaN6Hb0yc4AjS6Cc6eXcX+aV5znv1H3OCCr7NY YfOsP9c5TE9wEA4+AnkO43JCRrRhdO75m25dULnDH39/DqE9pmx+DPHG6H4GMF9eUsHd +hoDVeMhrElpjWeKzbKDEbr//MV7SYQ89hZJ0ExBWBiWKsTIDf03XViJ2xNPSpEbrwN9 ADrmCLYtApehrsHL6FETezLsZflJ7b+d26E6qLeqLE5nrDjUJBac8GKOQQ8W1OHp5WwT aCGQwimbFAGzFRAEstl2wqF05q7aV26/+l4r3LO43cyzx83pQszTne5czZ5i3mYQV+7O kGww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6ZbJAD1q/om1gi993UPZUOnaleUjP2AaVXx2snBeWaQ=; b=doBNlosBXbluAe8E1quk4fwWrK7MCJfPjeybtBzlQm+nUD+W3ufsxGLg4UNOdsA8yI LB0pcqiT/W8n9LaiOveOppiF58/7VAXQJiz4HsH/b7+aEmehweS3niMPV55M20Bemkc0 LovWzWu4o80EFQa1S/Q7B/zKpz01NhP5XLgnbSNO1j5fN+XKNJQfXMVXSemVCTLR/XTr lMhZ9OM4lVd2HOcwC1241TmR991yLXts+3x7dpsneMlhdl/Rzh8fXtxvDUv5fkh9cU0P 3BVm7Fzd3ahK4G0VTaNTFkbpLFNNTBnS5GDVX3/QF/+iSrV4ekWSUt0kUOqK4vcDqPfx FMAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="d//OdAmP"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u11-20020a6540cb000000b00380b9e1afebsi1167411pgp.753.2022.03.15.23.03.00; Tue, 15 Mar 2022 23:03:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="d//OdAmP"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241288AbiCNMYg (ORCPT + 99 others); Mon, 14 Mar 2022 08:24:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60148 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241303AbiCNMRL (ORCPT ); Mon, 14 Mar 2022 08:17:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0194B369E0; Mon, 14 Mar 2022 05:12:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 70F7261315; Mon, 14 Mar 2022 12:12:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3190EC340E9; Mon, 14 Mar 2022 12:12:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647259936; bh=YGDCMuwrUahh+Ocfj5rpl5YvgAJSu76Qii8l0ri9tGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d//OdAmPBZxCsmJU3n5/oZBVmHI+r39mlt3qpnxFi2kDFETQpGJgO2Qmaq+up7I1N TkjW+zqkqM9FWWF8uV7X5AUcBY9GYwBO/7Cs/dpMHVHTl8V2YrQZNhIJXBMEZvm8gP pIgLy3wxxaHpT7IbC5ZIq8Ewwv7fI6aP03s4J5vE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Si-Wei Liu , "Michael S. Tsirkin" , Eli Cohen , Jason Wang , Sasha Levin Subject: [PATCH 5.16 013/121] vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command Date: Mon, 14 Mar 2022 12:53:16 +0100 Message-Id: <20220314112744.496974287@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220314112744.120491875@linuxfoundation.org> References: <20220314112744.120491875@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Si-Wei Liu [ Upstream commit ed0f849fc3a63ed2ddf5e72cdb1de3bdbbb0f8eb ] When control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command request from the driver, presently there is no validation against the number of queue pairs to configure, or even if multiqueue had been negotiated or not is unverified. This may lead to kernel panic due to uninitialized resource for the queues were there any bogus request sent down by untrusted driver. Tie up the loose ends there. Fixes: 52893733f2c5 ("vdpa/mlx5: Add multiqueue support") Signed-off-by: Si-Wei Liu Link: https://lore.kernel.org/r/1642206481-30721-4-git-send-email-si-wei.liu@oracle.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Eli Cohen Acked-by: Jason Wang Signed-off-by: Sasha Levin --- drivers/vdpa/mlx5/net/mlx5_vnet.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c index ef6da39ccb3f..7b4ab7cfc359 100644 --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c @@ -1571,11 +1571,27 @@ static virtio_net_ctrl_ack handle_ctrl_mq(struct mlx5_vdpa_dev *mvdev, u8 cmd) switch (cmd) { case VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET: + /* This mq feature check aligns with pre-existing userspace + * implementation. + * + * Without it, an untrusted driver could fake a multiqueue config + * request down to a non-mq device that may cause kernel to + * panic due to uninitialized resources for extra vqs. Even with + * a well behaving guest driver, it is not expected to allow + * changing the number of vqs on a non-mq device. + */ + if (!MLX5_FEATURE(mvdev, VIRTIO_NET_F_MQ)) + break; + read = vringh_iov_pull_iotlb(&cvq->vring, &cvq->riov, (void *)&mq, sizeof(mq)); if (read != sizeof(mq)) break; newqps = mlx5vdpa16_to_cpu(mvdev, mq.virtqueue_pairs); + if (newqps < VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MIN || + newqps > mlx5_vdpa_max_qps(mvdev->max_vqs)) + break; + if (ndev->cur_num_vqs == 2 * newqps) { status = VIRTIO_NET_OK; break; -- 2.34.1