From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Si-Wei Liu, "Michael S. Tsirkin", Eli Cohen, Jason Wang, Sasha Levin
Subject: [PATCH 5.10 010/599] vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
Date: Tue, 5 Apr 2022 09:25:04 +0200
Message-Id: <20220405070259.121425630@linuxfoundation.org>
In-Reply-To: <20220405070258.802373272@linuxfoundation.org>

From: Si-Wei Liu

[ Upstream commit 30c22f3816ffef8aa21a000e93c4ee1402a6ea65 ]

Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements:
"VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ".

There's an assumption in the mlx5_vdpa multiqueue code that MQ must come
together with CTRL_VQ. However, there's nowhere in the upper layer to
guarantee this assumption would hold. Were there an untrusted driver
sending down MQ without CTRL_VQ, it would compromise various spots for
e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end up
with immediate panic or security loophole as of today's code, the chance
for this to be taken advantage of due to future code change is not zero.

Harden the crispy assumption by failing the set_driver_features() call
when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is
renamed to verify_driver_features() to reflect the fact that it now does
more than just validate the minimum features. verify_driver_features()
is now used to accommodate various checks against the driver features
for set_driver_features().

Signed-off-by: Si-Wei Liu
Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.com
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Eli Cohen
Acked-by: Jason Wang
Signed-off-by: Sasha Levin
--- drivers/vdpa/mlx5/net/mlx5_vnet.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c index 65d6f8fd81e7..577ff786f11b 100644 --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1482,11 +1482,25 @@ static u64 mlx5_vdpa_get_features(struct vdpa_device *vdev) return ndev->mvdev.mlx_features; } -static int verify_min_features(struct mlx5_vdpa_dev *mvdev, u64 features) +static int verify_driver_features(struct mlx5_vdpa_dev *mvdev, u64 features) { + /* Minimum features to expect */ if (!(features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM))) return -EOPNOTSUPP; + /* Double check features combination sent down by the driver. + * Fail invalid features due to absence of the depended feature. + * + * Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit + * requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". + * By failing the invalid features sent down by untrusted drivers, + * we're assured the assumption made upon is_index_valid() and + * is_ctrl_vq_idx() will not be compromised. + */ + if ((features & (BIT_ULL(VIRTIO_NET_F_MQ) | BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) == + BIT_ULL(VIRTIO_NET_F_MQ)) + return -EINVAL; + return 0; } @@ -1544,7 +1558,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) print_features(mvdev, features, true); - err = verify_min_features(mvdev, features); + err = verify_driver_features(mvdev, features); if (err) return err; -- 2.34.1
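
Review bot: In the first hunk, the new (MQ && !CTRL_VQ) branch of verify_driver_features() returns -EINVAL without saying why, so whoever debugs a failed feature negotiation has only the errno to go on. print_features() in the second hunk's context does run before the check, but it reports the bits, not the reason for rejection. Consider logging a warning that names the missing VIRTIO_NET_F_CTRL_VQ bit just before the return. The mask-and-compare `(features & (MQ | CTRL_VQ)) == MQ` does match the stated condition. Two smaller points on the same hunk: the comment's "absence of the depended feature" would read more clearly as "MQ set without the CTRL_VQ feature it depends on", and the function is now named as a general driver-feature validator while the visible body enforces one dependency and never uses its mvdev argument, so a short comment noting that further dependency checks belong here would help the next person extending it.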