From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Si-Wei Liu, "Michael S. Tsirkin", Eli Cohen, Jason Wang, Sasha Levin
Subject: [PATCH 5.15 013/913] vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
Date: Tue, 5 Apr 2022 09:17:55 +0200
Message-Id: <20220405070340.212037135@linuxfoundation.org>
In-Reply-To: <20220405070339.801210740@linuxfoundation.org>
References: <20220405070339.801210740@linuxfoundation.org>

From: Si-Wei Liu

[ Upstream commit 30c22f3816ffef8aa21a000e93c4ee1402a6ea65 ]

Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ".

There's assumption in the mlx5_vdpa multiqueue code that MQ must come together with CTRL_VQ. However, there's nowhere in the upper layer to guarantee this assumption would hold. Were there an untrusted driver sending down MQ without CTRL_VQ, it would compromise various spots for e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end up with immediate panic or security loophole as of today's code, the chance for this to be taken advantage of due to future code change is not zero.

Harden the crispy assumption by failing the set_driver_features() call when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is renamed to verify_driver_features() to reflect the fact that it now does more than just validate the minimum features. verify_driver_features() is now used to accommodate various checks against the driver features for set_driver_features().

Signed-off-by: Si-Wei Liu
Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.com
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Eli Cohen
Acked-by: Jason Wang
Signed-off-by: Sasha Levin
---
 drivers/vdpa/mlx5/net/mlx5_vnet.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c index 902aad29456f..f77a611f592f 100644 --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1873,11 +1873,25 @@ static u64 mlx5_vdpa_get_features(struct vdpa_device *vdev) return ndev->mvdev.mlx_features; } -static int verify_min_features(struct mlx5_vdpa_dev *mvdev, u64 features) +static int verify_driver_features(struct mlx5_vdpa_dev *mvdev, u64 features) { + /* Minimum features to expect */ if (!(features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM))) return -EOPNOTSUPP; + /* Double check features combination sent down by the driver. + * Fail invalid features due to absence of the depended feature. + * + * Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit + * requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". + * By failing the invalid features sent down by untrusted drivers, + * we're assured the assumption made upon is_index_valid() and + * is_ctrl_vq_idx() will not be compromised. + */ + if ((features & (BIT_ULL(VIRTIO_NET_F_MQ) | BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) == + BIT_ULL(VIRTIO_NET_F_MQ)) + return -EINVAL; + return 0; } @@ -1953,7 +1967,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) print_features(mvdev, features, true); - err = verify_min_features(mvdev, features); + err = verify_driver_features(mvdev, features); if (err) return err; -- 2.34.1
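
Review bot: in the first hunk, the new MQ-without-CTRL_VQ branch in verify_driver_features() fails with a bare `return -EINVAL;` and no log message, while the ACCESS_PLATFORM check just above it returns -EOPNOTSUPP. A driver that trips this sees only a failed feature negotiation with nothing saying which dependency was missing. Consider emitting a warning before the return that names VIRTIO_NET_F_MQ and VIRTIO_NET_F_CTRL_VQ, and adding a sentence to the comment on why the two checks use different errnos. The mask-and-compare form of the condition is correct for "MQ set, CTRL_VQ clear", but the comment describes the rule only in prose; a short "(MQ && !CTRL_VQ)" in the comment, as the commit message already has, would let a reader confirm the expression at a glance.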
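
Review bot: in the second hunk, the call site being changed is mlx5_vdpa_set_features(), whereas the commit message speaks of failing the set_driver_features() call; nothing in the visible lines is named set_driver_features(). For this 5.15 backport, a bracketed note in the changelog stating that the function carries a different name in this tree would save readers a search. Separately, print_features() still runs before verify_driver_features() here, so a feature set that is about to be rejected is printed first; if that ordering is intentional for debugging, a one-line comment saying so would help.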