vdpa/mlx5: should verify CTRL_VQ feature exists for MQ

stable inclusion from stable-v5.10.110 commit 6d98dc2369b1d93e24a7f12e2ebf0754a8255cdd bugzilla: https://gitee.com/openeuler/kernel/issues/I574AL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d98dc2369b1d93e24a7f12e2ebf0754a8255cdd -------------------------------- [ Upstream commit 30c22f38 ] Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". There's assumption in the mlx5_vdpa multiqueue code that MQ must come together with CTRL_VQ. However, there's nowhere in the upper layer to guarantee this assumption would hold. Were there an untrusted driver sending down MQ without CTRL_VQ, it would compromise various spots for e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end up with immediate panic or security loophole as of today's code, the chance for this to be taken advantage of due to future code change is not zero. Harden the crispy assumption by failing the set_driver_features() call when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is renamed to verify_driver_features() to reflect the fact that it now does more than just validate the minimum features. verify_driver_features() is now used to accommodate various checks against the driver features for set_driver_features(). Signed-off-by: N Si-Wei Liu <si-wei.liu@oracle.com> Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.comSigned-off-by: N Michael S. Tsirkin <mst@redhat.com> Reviewed-by: N Eli Cohen <elic@nvidia.com> Acked-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
stable inclusion from stable-v5.10.110 commit 6d98dc2369b1d93e24a7f12e2ebf0754a8255cdd bugzilla: https://gitee.com/openeuler/kernel/issues/I574AL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d98dc2369b1d93e24a7f12e2ebf0754a8255cdd -------------------------------- [ Upstream commit 30c22f38 ] Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". There's assumption in the mlx5_vdpa multiqueue code that MQ must come together with CTRL_VQ. However, there's nowhere in the upper layer to guarantee this assumption would hold. Were there an untrusted driver sending down MQ without CTRL_VQ, it would compromise various spots for e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end up with immediate panic or security loophole as of today's code, the chance for this to be taken advantage of due to future code change is not zero. Harden the crispy assumption by failing the set_driver_features() call when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is renamed to verify_driver_features() to reflect the fact that it now does more than just validate the minimum features. verify_driver_features() is now used to accommodate various checks against the driver features for set_driver_features(). Signed-off-by: N Si-Wei Liu <si-wei.liu@oracle.com> Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.comSigned-off-by: N Michael S. Tsirkin <mst@redhat.com> Reviewed-by: N Eli Cohen <elic@nvidia.com> Acked-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
44113af2 · Si-Wei Liu · Zheng Zengkai · ccad479f · 44113af2
隐藏空白更改
内联并排

Showing with 16 addition and 2 deletion

drivers/vdpa/mlx5/net/mlx5_vnet.c drivers/vdpa/mlx5/net/mlx5_vnet.c +16 -2

未找到文件。
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1482,11 +1482,25 @@ static u64 mlx5_vdpa_get_features(struct vdpa_device *vdev)
 	return ndev->mvdev.mlx_features;
 }

-static int verify_min_features(struct mlx5_vdpa_dev *mvdev, u64 features)
+static int verify_driver_features(struct mlx5_vdpa_dev *mvdev, u64 features)
 {
+	/* Minimum features to expect */
 	if (!(features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM)))
 		return -EOPNOTSUPP;

+	/* Double check features combination sent down by the driver.
+	 * Fail invalid features due to absence of the depended feature.
+	 *
+	 * Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit
+	 * requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ".
+	 * By failing the invalid features sent down by untrusted drivers,
+	 * we're assured the assumption made upon is_index_valid() and
+	 * is_ctrl_vq_idx() will not be compromised.
+	 */
+	if ((features & (BIT_ULL(VIRTIO_NET_F_MQ) | BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) ==
+            BIT_ULL(VIRTIO_NET_F_MQ))
+		return -EINVAL;
+
 	return 0;
 }

@@ -1544,7 +1558,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features)

 	print_features(mvdev, features, true);

-	err = verify_min_features(mvdev, features);
+	err = verify_driver_features(mvdev, features);
 	if (err)
 		return err;