2019-06-04 08:11:33 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2012-07-31 14:16:24 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2012 Red Hat, Inc. All rights reserved.
|
|
|
|
|
* Author: Alex Williamson <alex.williamson@redhat.com>
|
|
|
|
|
*
|
|
|
|
|
* Derived from original vfio:
|
|
|
|
|
* Copyright 2010 Cisco Systems, Inc. All rights reserved.
|
|
|
|
|
* Author: Tom Lyon, pugs@cisco.com
|
|
|
|
|
*/
|
|
|
|
|
|
2021-08-26 10:39:12 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
#include <linux/device.h>
|
|
|
|
|
#include <linux/eventfd.h>
|
2013-09-04 17:28:04 +00:00
|
|
|
#include <linux/file.h>
|
2012-07-31 14:16:24 +00:00
|
|
|
#include <linux/interrupt.h>
|
|
|
|
|
#include <linux/iommu.h>
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/mutex.h>
|
|
|
|
|
#include <linux/notifier.h>
|
|
|
|
|
#include <linux/pci.h>
|
|
|
|
|
#include <linux/pm_runtime.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/uaccess.h>
|
2015-04-07 17:14:41 +00:00
|
|
|
#include <linux/vgaarb.h>
|
2018-07-17 17:39:00 +00:00
|
|
|
#include <linux/nospec.h>
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
#include <linux/sched/mm.h>
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:12 +00:00
|
|
|
#include <linux/vfio_pci_core.h>
|
|
|
|
|
|
|
|
|
|
#define DRIVER_AUTHOR "Alex Williamson <alex.williamson@redhat.com>"
|
|
|
|
|
#define DRIVER_DESC "core driver for VFIO based PCI devices"
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
static bool nointxmask;
|
2015-04-07 17:14:40 +00:00
|
|
|
static bool disable_vga;
|
2015-04-07 17:14:46 +00:00
|
|
|
static bool disable_idle_d3;
|
|
|
|
|
|
2015-04-07 17:14:40 +00:00
|
|
|
static inline bool vfio_vga_disabled(void)
|
|
|
|
|
{
|
|
|
|
|
#ifdef CONFIG_VFIO_PCI_VGA
|
|
|
|
|
return disable_vga;
|
|
|
|
|
#else
|
|
|
|
|
return true;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-07 17:14:41 +00:00
|
|
|
/*
|
|
|
|
|
* Our VGA arbiter participation is limited since we don't know anything
|
|
|
|
|
* about the device itself. However, if the device is the only VGA device
|
|
|
|
|
* downstream of a bridge and VFIO VGA support is disabled, then we can
|
|
|
|
|
* safely return legacy VGA IO and memory as not decoded since the user
|
|
|
|
|
* has no way to get to it and routing can be disabled externally at the
|
|
|
|
|
* bridge.
|
|
|
|
|
*/
|
VFIO update for v5.15-rc1
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching
to support future vendor provided vfio-pci variants (Yishai Hadas,
Max Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first
open, last close, and device sets (Jason Gunthorpe, Max Gurtovoy,
Yishai Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
-----BEGIN PGP SIGNATURE-----
iQJPBAABCAA5FiEEQvbATlQL0amee4qQI5ubbjuwiyIFAmEvwWkbHGFsZXgud2ls
bGlhbXNvbkByZWRoYXQuY29tAAoJECObm247sIsi+1UP/3CRizghroINVYR+cJ99
Tjz7lB/wlzxmRfX+SL4NAVe1SSB2VeCgU4B0PF6kywELLS8OhCO3HXYXVsz244fW
Gk5UIns86+TFTrfCOMpwYBV0P86zuaa1ZnvCnkhMK1i2pTZ+oX8hUH1Yj5clHuU+
YgC7JfEuTIAX73q2bC/llLvNE9ke1QCoDX3+HAH87ttqutnRWcnnq56PTEqwe+EW
eMA+glB1UG6JAqXxoJET4155arNOny1/ZMprfBr3YXZTiXDF/lSzuMyUtbp526Sf
hsvlnqtE6TCdfKbog0Lxckl+8E9NCq8jzFBKiZhbccrQv3vVaoP6dOsPWcT35Kp1
IjzMLiHIbl4wXOL+Xap/biz3LCM5BMdT/OhW5LUC007zggK71ndRvb9F8ptW83Bv
0Uh9DNv7YIQ0su3JHZEsJ3qPFXQXceP199UiADOGSeV8U1Qig3YKsHUDMuALfFvN
t+NleeJ4qCWao+W4VCfyDfKurVnMj/cThXiDEWEeq5gMOO+6YKBIFWJVKFxUYDbf
MgGdg0nQTUECuXKXxLD4c1HAWH9xi207OnLvhW1Icywp20MsYqOWt0vhg+PRdMBT
DK6STxP18aQxCaOuQN9Vf81LjhXNTeg+xt3mMyViOZPcKfX6/wAC9qLt4MucJDdw
FBfOz2UL2F56dhAYT+1vHoUM
=nzK7
-----END PGP SIGNATURE-----
Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching to
support future vendor provided vfio-pci variants (Yishai Hadas, Max
Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first open,
last close, and device sets (Jason Gunthorpe, Max Gurtovoy, Yishai
Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
* tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio: (37 commits)
vfio/pci: Introduce vfio_pci_core.ko
vfio: Use kconfig if XX/endif blocks instead of repeating 'depends on'
vfio: Use select for eventfd
PCI / VFIO: Add 'override_only' support for VFIO PCI sub system
PCI: Add 'override_only' field to struct pci_device_id
vfio/pci: Move module parameters to vfio_pci.c
vfio/pci: Move igd initialization to vfio_pci.c
vfio/pci: Split the pci_driver code out of vfio_pci_core.c
vfio/pci: Include vfio header in vfio_pci_core.h
vfio/pci: Rename ops functions to fit core namings
vfio/pci: Rename vfio_pci_device to vfio_pci_core_device
vfio/pci: Rename vfio_pci_private.h to vfio_pci_core.h
vfio/pci: Rename vfio_pci.c to vfio_pci_core.c
vfio/ap_ops: Convert to use vfio_register_group_dev()
s390/vfio-ap: replace open coded locks for VFIO_GROUP_NOTIFY_SET_KVM notification
s390/vfio-ap: r/w lock for PQAP interception handler function pointer
vfio/type1: Fix vfio_find_dma_valid return
vfio-pci/zdev: Remove repeated verbose license text
vfio: platform: reset: Convert to SPDX identifier
vfio: Remove struct vfio_device_ops open/release
...
2021-09-02 20:41:33 +00:00
|
|
|
static unsigned int vfio_pci_set_decode(struct pci_dev *pdev, bool single_vga)
|
2015-04-07 17:14:41 +00:00
|
|
|
{
|
VFIO update for v5.15-rc1
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching
to support future vendor provided vfio-pci variants (Yishai Hadas,
Max Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first
open, last close, and device sets (Jason Gunthorpe, Max Gurtovoy,
Yishai Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
-----BEGIN PGP SIGNATURE-----
iQJPBAABCAA5FiEEQvbATlQL0amee4qQI5ubbjuwiyIFAmEvwWkbHGFsZXgud2ls
bGlhbXNvbkByZWRoYXQuY29tAAoJECObm247sIsi+1UP/3CRizghroINVYR+cJ99
Tjz7lB/wlzxmRfX+SL4NAVe1SSB2VeCgU4B0PF6kywELLS8OhCO3HXYXVsz244fW
Gk5UIns86+TFTrfCOMpwYBV0P86zuaa1ZnvCnkhMK1i2pTZ+oX8hUH1Yj5clHuU+
YgC7JfEuTIAX73q2bC/llLvNE9ke1QCoDX3+HAH87ttqutnRWcnnq56PTEqwe+EW
eMA+glB1UG6JAqXxoJET4155arNOny1/ZMprfBr3YXZTiXDF/lSzuMyUtbp526Sf
hsvlnqtE6TCdfKbog0Lxckl+8E9NCq8jzFBKiZhbccrQv3vVaoP6dOsPWcT35Kp1
IjzMLiHIbl4wXOL+Xap/biz3LCM5BMdT/OhW5LUC007zggK71ndRvb9F8ptW83Bv
0Uh9DNv7YIQ0su3JHZEsJ3qPFXQXceP199UiADOGSeV8U1Qig3YKsHUDMuALfFvN
t+NleeJ4qCWao+W4VCfyDfKurVnMj/cThXiDEWEeq5gMOO+6YKBIFWJVKFxUYDbf
MgGdg0nQTUECuXKXxLD4c1HAWH9xi207OnLvhW1Icywp20MsYqOWt0vhg+PRdMBT
DK6STxP18aQxCaOuQN9Vf81LjhXNTeg+xt3mMyViOZPcKfX6/wAC9qLt4MucJDdw
FBfOz2UL2F56dhAYT+1vHoUM
=nzK7
-----END PGP SIGNATURE-----
Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching to
support future vendor provided vfio-pci variants (Yishai Hadas, Max
Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first open,
last close, and device sets (Jason Gunthorpe, Max Gurtovoy, Yishai
Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
* tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio: (37 commits)
vfio/pci: Introduce vfio_pci_core.ko
vfio: Use kconfig if XX/endif blocks instead of repeating 'depends on'
vfio: Use select for eventfd
PCI / VFIO: Add 'override_only' support for VFIO PCI sub system
PCI: Add 'override_only' field to struct pci_device_id
vfio/pci: Move module parameters to vfio_pci.c
vfio/pci: Move igd initialization to vfio_pci.c
vfio/pci: Split the pci_driver code out of vfio_pci_core.c
vfio/pci: Include vfio header in vfio_pci_core.h
vfio/pci: Rename ops functions to fit core namings
vfio/pci: Rename vfio_pci_device to vfio_pci_core_device
vfio/pci: Rename vfio_pci_private.h to vfio_pci_core.h
vfio/pci: Rename vfio_pci.c to vfio_pci_core.c
vfio/ap_ops: Convert to use vfio_register_group_dev()
s390/vfio-ap: replace open coded locks for VFIO_GROUP_NOTIFY_SET_KVM notification
s390/vfio-ap: r/w lock for PQAP interception handler function pointer
vfio/type1: Fix vfio_find_dma_valid return
vfio-pci/zdev: Remove repeated verbose license text
vfio: platform: reset: Convert to SPDX identifier
vfio: Remove struct vfio_device_ops open/release
...
2021-09-02 20:41:33 +00:00
|
|
|
struct pci_dev *tmp = NULL;
|
2015-04-07 17:14:41 +00:00
|
|
|
unsigned char max_busnr;
|
|
|
|
|
unsigned int decodes;
|
|
|
|
|
|
|
|
|
|
if (single_vga || !vfio_vga_disabled() || pci_is_root_bus(pdev->bus))
|
|
|
|
|
return VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM |
|
|
|
|
|
VGA_RSRC_LEGACY_IO | VGA_RSRC_LEGACY_MEM;
|
|
|
|
|
|
|
|
|
|
max_busnr = pci_bus_max_busnr(pdev->bus);
|
|
|
|
|
decodes = VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM;
|
|
|
|
|
|
|
|
|
|
while ((tmp = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, tmp)) != NULL) {
|
|
|
|
|
if (tmp == pdev ||
|
|
|
|
|
pci_domain_nr(tmp->bus) != pci_domain_nr(pdev->bus) ||
|
|
|
|
|
pci_is_root_bus(tmp->bus))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (tmp->bus->number >= pdev->bus->number &&
|
|
|
|
|
tmp->bus->number <= max_busnr) {
|
|
|
|
|
pci_dev_put(tmp);
|
|
|
|
|
decodes |= VGA_RSRC_LEGACY_IO | VGA_RSRC_LEGACY_MEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return decodes;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static void vfio_pci_probe_mmaps(struct vfio_pci_core_device *vdev)
|
2016-06-30 07:21:24 +00:00
|
|
|
{
|
|
|
|
|
struct resource *res;
|
2019-09-27 23:43:08 +00:00
|
|
|
int i;
|
2016-06-30 07:21:24 +00:00
|
|
|
struct vfio_pci_dummy_resource *dummy_res;
|
|
|
|
|
|
2019-09-27 23:43:08 +00:00
|
|
|
for (i = 0; i < PCI_STD_NUM_BARS; i++) {
|
|
|
|
|
int bar = i + PCI_STD_RESOURCES;
|
|
|
|
|
|
|
|
|
|
res = &vdev->pdev->resource[bar];
|
2016-06-30 07:21:24 +00:00
|
|
|
|
|
|
|
|
if (!IS_ENABLED(CONFIG_VFIO_PCI_MMAP))
|
|
|
|
|
goto no_mmap;
|
|
|
|
|
|
|
|
|
|
if (!(res->flags & IORESOURCE_MEM))
|
|
|
|
|
goto no_mmap;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The PCI core shouldn't set up a resource with a
|
|
|
|
|
* type but zero size. But there may be bugs that
|
|
|
|
|
* cause us to do that.
|
|
|
|
|
*/
|
|
|
|
|
if (!resource_size(res))
|
|
|
|
|
goto no_mmap;
|
|
|
|
|
|
|
|
|
|
if (resource_size(res) >= PAGE_SIZE) {
|
|
|
|
|
vdev->bar_mmap_supported[bar] = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!(res->start & ~PAGE_MASK)) {
|
|
|
|
|
/*
|
|
|
|
|
* Add a dummy resource to reserve the remainder
|
|
|
|
|
* of the exclusive page in case that hot-add
|
|
|
|
|
* device's bar is assigned into it.
|
|
|
|
|
*/
|
|
|
|
|
dummy_res = kzalloc(sizeof(*dummy_res), GFP_KERNEL);
|
|
|
|
|
if (dummy_res == NULL)
|
|
|
|
|
goto no_mmap;
|
|
|
|
|
|
|
|
|
|
dummy_res->resource.name = "vfio sub-page reserved";
|
|
|
|
|
dummy_res->resource.start = res->end + 1;
|
|
|
|
|
dummy_res->resource.end = res->start + PAGE_SIZE - 1;
|
|
|
|
|
dummy_res->resource.flags = res->flags;
|
|
|
|
|
if (request_resource(res->parent,
|
|
|
|
|
&dummy_res->resource)) {
|
|
|
|
|
kfree(dummy_res);
|
|
|
|
|
goto no_mmap;
|
|
|
|
|
}
|
|
|
|
|
dummy_res->index = bar;
|
|
|
|
|
list_add(&dummy_res->res_next,
|
|
|
|
|
&vdev->dummy_resources_list);
|
|
|
|
|
vdev->bar_mmap_supported[bar] = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Here we don't handle the case when the BAR is not page
|
|
|
|
|
* aligned because we can't expect the BAR will be
|
|
|
|
|
* assigned into the same location in a page in guest
|
|
|
|
|
* when we passthrough the BAR. And it's hard to access
|
|
|
|
|
* this BAR in userspace because we have no way to get
|
|
|
|
|
* the BAR's location in a page.
|
|
|
|
|
*/
|
|
|
|
|
no_mmap:
|
|
|
|
|
vdev->bar_mmap_supported[bar] = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:06 +00:00
|
|
|
struct vfio_pci_group_info;
|
2021-08-06 01:19:05 +00:00
|
|
|
static bool vfio_pci_dev_set_try_reset(struct vfio_device_set *dev_set);
|
2021-08-06 01:19:06 +00:00
|
|
|
static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
|
|
|
|
|
struct vfio_pci_group_info *groups);
|
2014-08-07 17:12:07 +00:00
|
|
|
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
/*
|
|
|
|
|
* INTx masking requires the ability to disable INTx signaling via PCI_COMMAND
|
|
|
|
|
* _and_ the ability detect when the device is asserting INTx via PCI_STATUS.
|
|
|
|
|
* If a device implements the former but not the latter we would typically
|
|
|
|
|
* expect broken_intx_masking be set and require an exclusive interrupt.
|
|
|
|
|
* However since we do have control of the device's ability to assert INTx,
|
|
|
|
|
* we can instead pretend that the device does not implement INTx, virtualizing
|
|
|
|
|
* the pin register to report zero and maintaining DisINTx set on the host.
|
|
|
|
|
*/
|
|
|
|
|
static bool vfio_pci_nointx(struct pci_dev *pdev)
|
|
|
|
|
{
|
|
|
|
|
switch (pdev->vendor) {
|
|
|
|
|
case PCI_VENDOR_ID_INTEL:
|
|
|
|
|
switch (pdev->device) {
|
2017-06-13 15:22:57 +00:00
|
|
|
/* All i40e (XL710/X710/XXV710) 10/20/25/40GbE NICs */
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
case 0x1572:
|
|
|
|
|
case 0x1574:
|
|
|
|
|
case 0x1580 ... 0x1581:
|
2017-06-13 15:22:57 +00:00
|
|
|
case 0x1583 ... 0x158b:
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
case 0x37d0 ... 0x37d2:
|
2020-07-27 19:43:37 +00:00
|
|
|
/* X550 */
|
|
|
|
|
case 0x1563:
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
return true;
|
|
|
|
|
default:
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static void vfio_pci_probe_power_state(struct vfio_pci_core_device *vdev)
|
2019-02-09 20:43:30 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
u16 pmcsr;
|
|
|
|
|
|
|
|
|
|
if (!pdev->pm_cap)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
pci_read_config_word(pdev, pdev->pm_cap + PCI_PM_CTRL, &pmcsr);
|
|
|
|
|
|
|
|
|
|
vdev->needs_pm_restore = !(pmcsr & PCI_PM_CTRL_NO_SOFT_RESET);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* pci_set_power_state() wrapper handling devices which perform a soft reset on
|
|
|
|
|
* D3->D0 transition. Save state prior to D0/1/2->D3, stash it on the vdev,
|
|
|
|
|
* restore when returned to D0. Saved separately from pci_saved_state for use
|
|
|
|
|
* by PM capability emulation and separately from pci_dev internal saved state
|
|
|
|
|
* to avoid it being overwritten and consumed around other resets.
|
|
|
|
|
*/
|
2021-08-26 10:39:02 +00:00
|
|
|
int vfio_pci_set_power_state(struct vfio_pci_core_device *vdev, pci_power_t state)
|
2019-02-09 20:43:30 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
bool needs_restore = false, needs_save = false;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (vdev->needs_pm_restore) {
|
|
|
|
|
if (pdev->current_state < PCI_D3hot && state >= PCI_D3hot) {
|
|
|
|
|
pci_save_state(pdev);
|
|
|
|
|
needs_save = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pdev->current_state >= PCI_D3hot && state <= PCI_D0)
|
|
|
|
|
needs_restore = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = pci_set_power_state(pdev, state);
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
/* D3 might be unsupported via quirk, skip unless in D3 */
|
|
|
|
|
if (needs_save && pdev->current_state >= PCI_D3hot) {
|
|
|
|
|
vdev->pm_save = pci_store_saved_state(pdev);
|
|
|
|
|
} else if (needs_restore) {
|
|
|
|
|
pci_load_and_free_saved_state(pdev, &vdev->pm_save);
|
|
|
|
|
pci_restore_state(pdev);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:06 +00:00
|
|
|
int vfio_pci_core_enable(struct vfio_pci_core_device *vdev)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
int ret;
|
|
|
|
|
u16 cmd;
|
|
|
|
|
u8 msix_pos;
|
|
|
|
|
|
2019-02-09 20:43:30 +00:00
|
|
|
vfio_pci_set_power_state(vdev, PCI_D0);
|
2015-04-07 17:14:46 +00:00
|
|
|
|
2014-08-07 17:12:02 +00:00
|
|
|
/* Don't allow our initial saved state to include busmaster */
|
|
|
|
|
pci_clear_master(pdev);
|
|
|
|
|
|
2012-12-07 20:43:51 +00:00
|
|
|
ret = pci_enable_device(pdev);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2017-07-26 20:33:15 +00:00
|
|
|
/* If reset fails because of the device lock, fail this path entirely */
|
|
|
|
|
ret = pci_try_reset_function(pdev);
|
|
|
|
|
if (ret == -EAGAIN) {
|
|
|
|
|
pci_disable_device(pdev);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vdev->reset_works = !ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
pci_save_state(pdev);
|
|
|
|
|
vdev->pci_saved_state = pci_store_saved_state(pdev);
|
|
|
|
|
if (!vdev->pci_saved_state)
|
2019-03-30 14:41:35 +00:00
|
|
|
pci_dbg(pdev, "%s: Couldn't store saved state\n", __func__);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
if (likely(!nointxmask)) {
|
|
|
|
|
if (vfio_pci_nointx(pdev)) {
|
2019-03-30 14:41:35 +00:00
|
|
|
pci_info(pdev, "Masking broken INTx support\n");
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
vdev->nointx = true;
|
|
|
|
|
pci_intx(pdev, 0);
|
|
|
|
|
} else
|
|
|
|
|
vdev->pci_2_3 = pci_intx_mask_supported(pdev);
|
2012-12-07 20:43:51 +00:00
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
pci_read_config_word(pdev, PCI_COMMAND, &cmd);
|
|
|
|
|
if (vdev->pci_2_3 && (cmd & PCI_COMMAND_INTX_DISABLE)) {
|
|
|
|
|
cmd &= ~PCI_COMMAND_INTX_DISABLE;
|
|
|
|
|
pci_write_config_word(pdev, PCI_COMMAND, cmd);
|
|
|
|
|
}
|
|
|
|
|
|
vfio/pci: Hide broken INTx support from user
INTx masking has two components, the first is that we need the ability
to prevent the device from continuing to assert INTx. This is
provided via the DisINTx bit in the command register and is the only
thing we can really probe for when testing if INTx masking is
supported. The second component is that the device needs to indicate
if INTx is asserted via the interrupt status bit in the device status
register. With these two features we can generically determine if one
of the devices we own is asserting INTx, signal the user, and mask the
interrupt while the user services the device.
Generally if one or both of these components is broken we resort to
APIC level interrupt masking, which requires an exclusive interrupt
since we have no way to determine the source of the interrupt in a
shared configuration. This often makes it difficult or impossible to
configure the system for userspace use of the device, for an interrupt
mode that the user may not need.
One possible configuration of broken INTx masking is that the DisINTx
support is fully functional, but the interrupt status bit never
signals interrupt assertion. In this case we do have the ability to
prevent the device from asserting INTx, but lack the ability to
identify the interrupt source. For this case we can simply pretend
that the device lacks INTx support entirely, keeping DisINTx set on
the physical device, virtualizing this bit for the user, and
virtualizing the interrupt pin register to indicate no INTx support.
We already support virtualization of the DisINTx bit and already
virtualize the interrupt pin for platforms without INTx support. By
tying these components together, setting DisINTx on open and reset,
and identifying devices broken in this particular way, we can provide
support for them w/o the handicap of APIC level INTx masking.
Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
broken in this specific way. We leave the vfio-pci.nointxmask option
as a mechanism to bypass this support, enabling INTx on the device
with all the requirements of APIC level masking.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: John Ronciak <john.ronciak@intel.com>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2016-03-24 19:05:18 +00:00
|
|
|
ret = vfio_config_init(vdev);
|
|
|
|
|
if (ret) {
|
|
|
|
|
kfree(vdev->pci_saved_state);
|
|
|
|
|
vdev->pci_saved_state = NULL;
|
|
|
|
|
pci_disable_device(pdev);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-18 21:12:58 +00:00
|
|
|
msix_pos = pdev->msix_cap;
|
2012-07-31 14:16:24 +00:00
|
|
|
if (msix_pos) {
|
|
|
|
|
u16 flags;
|
|
|
|
|
u32 table;
|
|
|
|
|
|
|
|
|
|
pci_read_config_word(pdev, msix_pos + PCI_MSIX_FLAGS, &flags);
|
|
|
|
|
pci_read_config_dword(pdev, msix_pos + PCI_MSIX_TABLE, &table);
|
|
|
|
|
|
2013-04-18 18:42:58 +00:00
|
|
|
vdev->msix_bar = table & PCI_MSIX_TABLE_BIR;
|
|
|
|
|
vdev->msix_offset = table & PCI_MSIX_TABLE_OFFSET;
|
2012-07-31 14:16:24 +00:00
|
|
|
vdev->msix_size = ((flags & PCI_MSIX_FLAGS_QSIZE) + 1) * 16;
|
|
|
|
|
} else
|
|
|
|
|
vdev->msix_bar = 0xFF;
|
|
|
|
|
|
2015-04-07 17:14:41 +00:00
|
|
|
if (!vfio_vga_disabled() && vfio_pci_is_vga(pdev))
|
2013-02-18 17:11:13 +00:00
|
|
|
vdev->has_vga = true;
|
|
|
|
|
|
2016-06-30 07:21:24 +00:00
|
|
|
|
2012-12-07 20:43:51 +00:00
|
|
|
return 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_enable);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:06 +00:00
|
|
|
void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2012-12-07 20:43:50 +00:00
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
2016-06-30 07:21:24 +00:00
|
|
|
struct vfio_pci_dummy_resource *dummy_res, *tmp;
|
2018-03-21 18:46:21 +00:00
|
|
|
struct vfio_pci_ioeventfd *ioeventfd, *ioeventfd_tmp;
|
2016-02-22 23:02:39 +00:00
|
|
|
int i, bar;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
/* For needs_reset */
|
|
|
|
|
lockdep_assert_held(&vdev->vdev.dev_set->lock);
|
|
|
|
|
|
2014-08-07 17:12:02 +00:00
|
|
|
/* Stop the device from further DMA */
|
|
|
|
|
pci_clear_master(pdev);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
vfio_pci_set_irqs_ioctl(vdev, VFIO_IRQ_SET_DATA_NONE |
|
|
|
|
|
VFIO_IRQ_SET_ACTION_TRIGGER,
|
|
|
|
|
vdev->irq_type, 0, 0, NULL);
|
|
|
|
|
|
2018-03-21 18:46:21 +00:00
|
|
|
/* Device closed, don't need mutex here */
|
|
|
|
|
list_for_each_entry_safe(ioeventfd, ioeventfd_tmp,
|
|
|
|
|
&vdev->ioeventfds_list, next) {
|
|
|
|
|
vfio_virqfd_disable(&ioeventfd->virqfd);
|
|
|
|
|
list_del(&ioeventfd->next);
|
|
|
|
|
kfree(ioeventfd);
|
|
|
|
|
}
|
|
|
|
|
vdev->ioeventfds_nr = 0;
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
vdev->virq_disabled = false;
|
|
|
|
|
|
2016-02-22 23:02:39 +00:00
|
|
|
for (i = 0; i < vdev->num_regions; i++)
|
|
|
|
|
vdev->region[i].ops->release(vdev, &vdev->region[i]);
|
|
|
|
|
|
|
|
|
|
vdev->num_regions = 0;
|
|
|
|
|
kfree(vdev->region);
|
|
|
|
|
vdev->region = NULL; /* don't krealloc a freed pointer */
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
vfio_config_free(vdev);
|
|
|
|
|
|
2019-09-27 23:43:08 +00:00
|
|
|
for (i = 0; i < PCI_STD_NUM_BARS; i++) {
|
|
|
|
|
bar = i + PCI_STD_RESOURCES;
|
2012-07-31 14:16:24 +00:00
|
|
|
if (!vdev->barmap[bar])
|
|
|
|
|
continue;
|
2012-12-07 20:43:50 +00:00
|
|
|
pci_iounmap(pdev, vdev->barmap[bar]);
|
|
|
|
|
pci_release_selected_regions(pdev, 1 << bar);
|
2012-07-31 14:16:24 +00:00
|
|
|
vdev->barmap[bar] = NULL;
|
|
|
|
|
}
|
2012-12-07 20:43:50 +00:00
|
|
|
|
2016-06-30 07:21:24 +00:00
|
|
|
list_for_each_entry_safe(dummy_res, tmp,
|
|
|
|
|
&vdev->dummy_resources_list, res_next) {
|
|
|
|
|
list_del(&dummy_res->res_next);
|
|
|
|
|
release_resource(&dummy_res->resource);
|
|
|
|
|
kfree(dummy_res);
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-07 17:12:07 +00:00
|
|
|
vdev->needs_reset = true;
|
|
|
|
|
|
2012-12-07 20:43:50 +00:00
|
|
|
/*
|
|
|
|
|
* If we have saved state, restore it. If we can reset the device,
|
|
|
|
|
* even better. Resetting with current state seems better than
|
|
|
|
|
* nothing, but saving and restoring current state without reset
|
|
|
|
|
* is just busy work.
|
|
|
|
|
*/
|
|
|
|
|
if (pci_load_and_free_saved_state(pdev, &vdev->pci_saved_state)) {
|
2019-03-30 14:41:35 +00:00
|
|
|
pci_info(pdev, "%s: Couldn't reload saved state\n", __func__);
|
2012-12-07 20:43:50 +00:00
|
|
|
|
|
|
|
|
if (!vdev->reset_works)
|
2014-08-07 17:12:02 +00:00
|
|
|
goto out;
|
2012-12-07 20:43:50 +00:00
|
|
|
|
|
|
|
|
pci_save_state(pdev);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Disable INTx and MSI, presumably to avoid spurious interrupts
|
|
|
|
|
* during reset. Stolen from pci_reset_function()
|
|
|
|
|
*/
|
|
|
|
|
pci_write_config_word(pdev, PCI_COMMAND, PCI_COMMAND_INTX_DISABLE);
|
|
|
|
|
|
2013-06-10 22:40:57 +00:00
|
|
|
/*
|
2019-08-22 03:35:19 +00:00
|
|
|
* Try to get the locks ourselves to prevent a deadlock. The
|
|
|
|
|
* success of this is dependent on being able to lock the device,
|
|
|
|
|
* which is not always possible.
|
|
|
|
|
* We can not use the "try" reset interface here, which will
|
|
|
|
|
* overwrite the previously restored configuration information.
|
2013-06-10 22:40:57 +00:00
|
|
|
*/
|
2021-06-23 02:28:24 +00:00
|
|
|
if (vdev->reset_works && pci_dev_trylock(pdev)) {
|
|
|
|
|
if (!__pci_reset_function_locked(pdev))
|
|
|
|
|
vdev->needs_reset = false;
|
|
|
|
|
pci_dev_unlock(pdev);
|
2019-08-22 03:35:19 +00:00
|
|
|
}
|
2012-12-07 20:43:50 +00:00
|
|
|
|
|
|
|
|
pci_restore_state(pdev);
|
2014-08-07 17:12:02 +00:00
|
|
|
out:
|
|
|
|
|
pci_disable_device(pdev);
|
2014-08-07 17:12:07 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
if (!vfio_pci_dev_set_try_reset(vdev->vdev.dev_set) && !disable_idle_d3)
|
2019-02-09 20:43:30 +00:00
|
|
|
vfio_pci_set_power_state(vdev, PCI_D3hot);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_disable);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static struct vfio_pci_core_device *get_pf_vdev(struct vfio_pci_core_device *vdev)
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *physfn = pci_physfn(vdev->pdev);
|
2021-03-30 15:53:08 +00:00
|
|
|
struct vfio_device *pf_dev;
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
|
|
|
|
|
if (!vdev->pdev->is_virtfn)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2021-03-30 15:53:08 +00:00
|
|
|
pf_dev = vfio_device_get_from_dev(&physfn->dev);
|
|
|
|
|
if (!pf_dev)
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
return NULL;
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
if (pci_dev_driver(physfn) != pci_dev_driver(vdev->pdev)) {
|
2021-03-30 15:53:08 +00:00
|
|
|
vfio_device_put(pf_dev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
return container_of(pf_dev, struct vfio_pci_core_device, vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static void vfio_pci_vf_token_user_add(struct vfio_pci_core_device *vdev, int val)
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *pf_vdev = get_pf_vdev(vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
|
|
|
|
|
if (!pf_vdev)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&pf_vdev->vf_token->lock);
|
|
|
|
|
pf_vdev->vf_token->users += val;
|
|
|
|
|
WARN_ON(pf_vdev->vf_token->users < 0);
|
|
|
|
|
mutex_unlock(&pf_vdev->vf_token->lock);
|
|
|
|
|
|
2021-03-30 15:53:08 +00:00
|
|
|
vfio_device_put(&pf_vdev->vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
void vfio_pci_core_close_device(struct vfio_device *core_vdev)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-06 01:19:04 +00:00
|
|
|
vfio_pci_vf_token_user_add(vdev, -1);
|
|
|
|
|
vfio_spapr_pci_eeh_release(vdev->pdev);
|
2021-08-26 10:39:06 +00:00
|
|
|
vfio_pci_core_disable(vdev);
|
2020-07-27 19:43:38 +00:00
|
|
|
|
2021-08-06 01:19:04 +00:00
|
|
|
mutex_lock(&vdev->igate);
|
|
|
|
|
if (vdev->err_trigger) {
|
|
|
|
|
eventfd_ctx_put(vdev->err_trigger);
|
|
|
|
|
vdev->err_trigger = NULL;
|
2014-06-10 01:41:57 +00:00
|
|
|
}
|
2021-08-06 01:19:04 +00:00
|
|
|
if (vdev->req_trigger) {
|
|
|
|
|
eventfd_ctx_put(vdev->req_trigger);
|
|
|
|
|
vdev->req_trigger = NULL;
|
|
|
|
|
}
|
|
|
|
|
mutex_unlock(&vdev->igate);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_close_device);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:06 +00:00
|
|
|
void vfio_pci_core_finish_enable(struct vfio_pci_core_device *vdev)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:06 +00:00
|
|
|
vfio_pci_probe_mmaps(vdev);
|
2021-08-06 01:19:04 +00:00
|
|
|
vfio_spapr_pci_eeh_open(vdev->pdev);
|
|
|
|
|
vfio_pci_vf_token_user_add(vdev, 1);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_finish_enable);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static int vfio_pci_get_irq_count(struct vfio_pci_core_device *vdev, int irq_type)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
|
|
|
|
if (irq_type == VFIO_PCI_INTX_IRQ_INDEX) {
|
|
|
|
|
u8 pin;
|
2018-09-25 19:01:27 +00:00
|
|
|
|
|
|
|
|
if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) ||
|
|
|
|
|
vdev->nointx || vdev->pdev->is_virtfn)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
pci_read_config_byte(vdev->pdev, PCI_INTERRUPT_PIN, &pin);
|
|
|
|
|
|
2018-09-25 19:01:27 +00:00
|
|
|
return pin ? 1 : 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
} else if (irq_type == VFIO_PCI_MSI_IRQ_INDEX) {
|
|
|
|
|
u8 pos;
|
|
|
|
|
u16 flags;
|
|
|
|
|
|
2013-04-18 21:12:58 +00:00
|
|
|
pos = vdev->pdev->msi_cap;
|
2012-07-31 14:16:24 +00:00
|
|
|
if (pos) {
|
|
|
|
|
pci_read_config_word(vdev->pdev,
|
|
|
|
|
pos + PCI_MSI_FLAGS, &flags);
|
2014-05-30 17:35:54 +00:00
|
|
|
return 1 << ((flags & PCI_MSI_FLAGS_QMASK) >> 1);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
|
|
|
|
} else if (irq_type == VFIO_PCI_MSIX_IRQ_INDEX) {
|
|
|
|
|
u8 pos;
|
|
|
|
|
u16 flags;
|
|
|
|
|
|
2013-04-18 21:12:58 +00:00
|
|
|
pos = vdev->pdev->msix_cap;
|
2012-07-31 14:16:24 +00:00
|
|
|
if (pos) {
|
|
|
|
|
pci_read_config_word(vdev->pdev,
|
|
|
|
|
pos + PCI_MSIX_FLAGS, &flags);
|
|
|
|
|
|
|
|
|
|
return (flags & PCI_MSIX_FLAGS_QSIZE) + 1;
|
|
|
|
|
}
|
2015-02-06 22:05:08 +00:00
|
|
|
} else if (irq_type == VFIO_PCI_ERR_IRQ_INDEX) {
|
2013-03-11 15:31:22 +00:00
|
|
|
if (pci_is_pcie(vdev->pdev))
|
|
|
|
|
return 1;
|
2015-02-06 22:05:08 +00:00
|
|
|
} else if (irq_type == VFIO_PCI_REQ_IRQ_INDEX) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-04 17:28:04 +00:00
|
|
|
static int vfio_pci_count_devs(struct pci_dev *pdev, void *data)
|
|
|
|
|
{
|
|
|
|
|
(*(int *)data)++;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct vfio_pci_fill_info {
|
|
|
|
|
int max;
|
|
|
|
|
int cur;
|
|
|
|
|
struct vfio_pci_dependent_device *devices;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int vfio_pci_fill_devs(struct pci_dev *pdev, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct vfio_pci_fill_info *fill = data;
|
|
|
|
|
struct iommu_group *iommu_group;
|
|
|
|
|
|
|
|
|
|
if (fill->cur == fill->max)
|
|
|
|
|
return -EAGAIN; /* Something changed, try again */
|
|
|
|
|
|
|
|
|
|
iommu_group = iommu_group_get(&pdev->dev);
|
|
|
|
|
if (!iommu_group)
|
|
|
|
|
return -EPERM; /* Cannot reset non-isolated devices */
|
|
|
|
|
|
|
|
|
|
fill->devices[fill->cur].group_id = iommu_group_id(iommu_group);
|
|
|
|
|
fill->devices[fill->cur].segment = pci_domain_nr(pdev->bus);
|
|
|
|
|
fill->devices[fill->cur].bus = pdev->bus->number;
|
|
|
|
|
fill->devices[fill->cur].devfn = pdev->devfn;
|
|
|
|
|
fill->cur++;
|
|
|
|
|
iommu_group_put(iommu_group);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct vfio_pci_group_info {
|
|
|
|
|
int count;
|
2021-08-06 01:19:06 +00:00
|
|
|
struct vfio_group **groups;
|
2013-09-04 17:28:04 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static bool vfio_pci_dev_below_slot(struct pci_dev *pdev, struct pci_slot *slot)
|
|
|
|
|
{
|
|
|
|
|
for (; pdev; pdev = pdev->bus->self)
|
|
|
|
|
if (pdev->bus == slot->bus)
|
|
|
|
|
return (pdev->slot == slot);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct vfio_pci_walk_info {
|
2021-09-02 21:26:31 +00:00
|
|
|
int (*fn)(struct pci_dev *pdev, void *data);
|
2013-09-04 17:28:04 +00:00
|
|
|
void *data;
|
|
|
|
|
struct pci_dev *pdev;
|
|
|
|
|
bool slot;
|
|
|
|
|
int ret;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int vfio_pci_walk_wrapper(struct pci_dev *pdev, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct vfio_pci_walk_info *walk = data;
|
|
|
|
|
|
|
|
|
|
if (!walk->slot || vfio_pci_dev_below_slot(pdev, walk->pdev->slot))
|
|
|
|
|
walk->ret = walk->fn(pdev, walk->data);
|
|
|
|
|
|
|
|
|
|
return walk->ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int vfio_pci_for_each_slot_or_bus(struct pci_dev *pdev,
|
|
|
|
|
int (*fn)(struct pci_dev *,
|
|
|
|
|
void *data), void *data,
|
|
|
|
|
bool slot)
|
|
|
|
|
{
|
|
|
|
|
struct vfio_pci_walk_info walk = {
|
|
|
|
|
.fn = fn, .data = data, .pdev = pdev, .slot = slot, .ret = 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
pci_walk_bus(pdev->bus, vfio_pci_walk_wrapper, &walk);
|
|
|
|
|
|
|
|
|
|
return walk.ret;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static int msix_mmappable_cap(struct vfio_pci_core_device *vdev,
|
2017-12-13 02:31:31 +00:00
|
|
|
struct vfio_info_cap *caps)
|
2016-02-22 23:02:36 +00:00
|
|
|
{
|
2017-12-13 02:31:31 +00:00
|
|
|
struct vfio_info_cap_header header = {
|
|
|
|
|
.id = VFIO_REGION_INFO_CAP_MSIX_MAPPABLE,
|
|
|
|
|
.version = 1
|
|
|
|
|
};
|
2016-02-22 23:02:39 +00:00
|
|
|
|
2017-12-13 02:31:31 +00:00
|
|
|
return vfio_info_add_capability(caps, &header, sizeof(header));
|
2016-02-22 23:02:39 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
int vfio_pci_register_dev_region(struct vfio_pci_core_device *vdev,
|
2016-02-22 23:02:39 +00:00
|
|
|
unsigned int type, unsigned int subtype,
|
|
|
|
|
const struct vfio_pci_regops *ops,
|
|
|
|
|
size_t size, u32 flags, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct vfio_pci_region *region;
|
|
|
|
|
|
|
|
|
|
region = krealloc(vdev->region,
|
|
|
|
|
(vdev->num_regions + 1) * sizeof(*region),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (!region)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
vdev->region = region;
|
|
|
|
|
vdev->region[vdev->num_regions].type = type;
|
|
|
|
|
vdev->region[vdev->num_regions].subtype = subtype;
|
|
|
|
|
vdev->region[vdev->num_regions].ops = ops;
|
|
|
|
|
vdev->region[vdev->num_regions].size = size;
|
|
|
|
|
vdev->region[vdev->num_regions].flags = flags;
|
|
|
|
|
vdev->region[vdev->num_regions].data = data;
|
|
|
|
|
|
|
|
|
|
vdev->num_regions++;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_register_dev_region);
|
2016-02-22 23:02:39 +00:00
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
long vfio_pci_core_ioctl(struct vfio_device *core_vdev, unsigned int cmd,
|
|
|
|
|
unsigned long arg)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2012-07-31 14:16:24 +00:00
|
|
|
unsigned long minsz;
|
|
|
|
|
|
|
|
|
|
if (cmd == VFIO_DEVICE_GET_INFO) {
|
|
|
|
|
struct vfio_device_info info;
|
2020-10-07 18:56:23 +00:00
|
|
|
struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
|
|
|
|
|
unsigned long capsz;
|
2021-02-18 10:44:35 +00:00
|
|
|
int ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_device_info, num_irqs);
|
|
|
|
|
|
2020-10-07 18:56:23 +00:00
|
|
|
/* For backward compatibility, cannot require this */
|
|
|
|
|
capsz = offsetofend(struct vfio_iommu_type1_info, cap_offset);
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
if (copy_from_user(&info, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (info.argsz < minsz)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2020-10-07 18:56:23 +00:00
|
|
|
if (info.argsz >= capsz) {
|
|
|
|
|
minsz = capsz;
|
|
|
|
|
info.cap_offset = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
info.flags = VFIO_DEVICE_FLAGS_PCI;
|
|
|
|
|
|
|
|
|
|
if (vdev->reset_works)
|
|
|
|
|
info.flags |= VFIO_DEVICE_FLAGS_RESET;
|
|
|
|
|
|
2016-02-22 23:02:39 +00:00
|
|
|
info.num_regions = VFIO_PCI_NUM_REGIONS + vdev->num_regions;
|
2012-07-31 14:16:24 +00:00
|
|
|
info.num_irqs = VFIO_PCI_NUM_IRQS;
|
|
|
|
|
|
2021-02-18 10:44:35 +00:00
|
|
|
ret = vfio_pci_info_zdev_add_caps(vdev, &caps);
|
|
|
|
|
if (ret && ret != -ENODEV) {
|
|
|
|
|
pci_warn(vdev->pdev, "Failed to setup zPCI info capabilities\n");
|
|
|
|
|
return ret;
|
2020-10-07 18:56:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (caps.size) {
|
|
|
|
|
info.flags |= VFIO_DEVICE_FLAGS_CAPS;
|
|
|
|
|
if (info.argsz < sizeof(info) + caps.size) {
|
|
|
|
|
info.argsz = sizeof(info) + caps.size;
|
|
|
|
|
} else {
|
|
|
|
|
vfio_info_cap_shift(&caps, sizeof(info));
|
|
|
|
|
if (copy_to_user((void __user *)arg +
|
|
|
|
|
sizeof(info), caps.buf,
|
|
|
|
|
caps.size)) {
|
|
|
|
|
kfree(caps.buf);
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
info.cap_offset = sizeof(info);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kfree(caps.buf);
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-28 14:31:39 +00:00
|
|
|
return copy_to_user((void __user *)arg, &info, minsz) ?
|
|
|
|
|
-EFAULT : 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
} else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
struct vfio_region_info info;
|
2016-02-22 23:02:36 +00:00
|
|
|
struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
|
2016-02-22 23:02:39 +00:00
|
|
|
int i, ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_region_info, offset);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&info, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (info.argsz < minsz)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
switch (info.index) {
|
|
|
|
|
case VFIO_PCI_CONFIG_REGION_INDEX:
|
|
|
|
|
info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
|
|
|
|
|
info.size = pdev->cfg_size;
|
|
|
|
|
info.flags = VFIO_REGION_INFO_FLAG_READ |
|
|
|
|
|
VFIO_REGION_INFO_FLAG_WRITE;
|
|
|
|
|
break;
|
|
|
|
|
case VFIO_PCI_BAR0_REGION_INDEX ... VFIO_PCI_BAR5_REGION_INDEX:
|
|
|
|
|
info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
|
|
|
|
|
info.size = pci_resource_len(pdev, info.index);
|
|
|
|
|
if (!info.size) {
|
|
|
|
|
info.flags = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
info.flags = VFIO_REGION_INFO_FLAG_READ |
|
|
|
|
|
VFIO_REGION_INFO_FLAG_WRITE;
|
2016-06-30 07:21:24 +00:00
|
|
|
if (vdev->bar_mmap_supported[info.index]) {
|
2012-07-31 14:16:24 +00:00
|
|
|
info.flags |= VFIO_REGION_INFO_FLAG_MMAP;
|
2016-02-22 23:02:36 +00:00
|
|
|
if (info.index == vdev->msix_bar) {
|
2017-12-13 02:31:31 +00:00
|
|
|
ret = msix_mmappable_cap(vdev, &caps);
|
2016-02-22 23:02:36 +00:00
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
break;
|
|
|
|
|
case VFIO_PCI_ROM_REGION_INDEX:
|
|
|
|
|
{
|
|
|
|
|
void __iomem *io;
|
|
|
|
|
size_t size;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
u16 cmd;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
|
|
|
|
|
info.flags = 0;
|
|
|
|
|
|
|
|
|
|
/* Report the BAR size, not the ROM size */
|
|
|
|
|
info.size = pci_resource_len(pdev, info.index);
|
2016-02-22 23:02:46 +00:00
|
|
|
if (!info.size) {
|
|
|
|
|
/* Shadow ROMs appear as PCI option ROMs */
|
|
|
|
|
if (pdev->resource[PCI_ROM_RESOURCE].flags &
|
|
|
|
|
IORESOURCE_ROM_SHADOW)
|
|
|
|
|
info.size = 0x20000;
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2019-02-15 16:16:06 +00:00
|
|
|
/*
|
|
|
|
|
* Is it really there? Enable memory decode for
|
|
|
|
|
* implicit access in pci_map_rom().
|
|
|
|
|
*/
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
cmd = vfio_pci_memory_lock_and_enable(vdev);
|
2012-07-31 14:16:24 +00:00
|
|
|
io = pci_map_rom(pdev, &size);
|
2019-02-15 16:16:06 +00:00
|
|
|
if (io) {
|
|
|
|
|
info.flags = VFIO_REGION_INFO_FLAG_READ;
|
|
|
|
|
pci_unmap_rom(pdev, io);
|
|
|
|
|
} else {
|
2012-07-31 14:16:24 +00:00
|
|
|
info.size = 0;
|
|
|
|
|
}
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
vfio_pci_memory_unlock_and_restore(vdev, cmd);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
2013-02-18 17:11:13 +00:00
|
|
|
case VFIO_PCI_VGA_REGION_INDEX:
|
|
|
|
|
if (!vdev->has_vga)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
|
|
|
|
|
info.size = 0xc0000;
|
|
|
|
|
info.flags = VFIO_REGION_INFO_FLAG_READ |
|
|
|
|
|
VFIO_REGION_INFO_FLAG_WRITE;
|
|
|
|
|
|
|
|
|
|
break;
|
2012-07-31 14:16:24 +00:00
|
|
|
default:
|
2016-11-16 20:46:26 +00:00
|
|
|
{
|
2017-12-12 19:59:39 +00:00
|
|
|
struct vfio_region_info_cap_type cap_type = {
|
|
|
|
|
.header.id = VFIO_REGION_INFO_CAP_TYPE,
|
|
|
|
|
.header.version = 1 };
|
2016-11-16 20:46:26 +00:00
|
|
|
|
2016-02-22 23:02:39 +00:00
|
|
|
if (info.index >=
|
|
|
|
|
VFIO_PCI_NUM_REGIONS + vdev->num_regions)
|
|
|
|
|
return -EINVAL;
|
2018-07-17 17:39:00 +00:00
|
|
|
info.index = array_index_nospec(info.index,
|
|
|
|
|
VFIO_PCI_NUM_REGIONS +
|
|
|
|
|
vdev->num_regions);
|
2016-02-22 23:02:39 +00:00
|
|
|
|
|
|
|
|
i = info.index - VFIO_PCI_NUM_REGIONS;
|
|
|
|
|
|
|
|
|
|
info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
|
|
|
|
|
info.size = vdev->region[i].size;
|
|
|
|
|
info.flags = vdev->region[i].flags;
|
|
|
|
|
|
2016-11-16 20:46:26 +00:00
|
|
|
cap_type.type = vdev->region[i].type;
|
|
|
|
|
cap_type.subtype = vdev->region[i].subtype;
|
|
|
|
|
|
2017-12-12 19:59:39 +00:00
|
|
|
ret = vfio_info_add_capability(&caps, &cap_type.header,
|
|
|
|
|
sizeof(cap_type));
|
2016-02-22 23:02:39 +00:00
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2016-11-16 20:46:26 +00:00
|
|
|
|
2018-12-19 08:52:31 +00:00
|
|
|
if (vdev->region[i].ops->add_capability) {
|
|
|
|
|
ret = vdev->region[i].ops->add_capability(vdev,
|
|
|
|
|
&vdev->region[i], &caps);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2016-11-16 20:46:26 +00:00
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
|
|
|
|
|
2016-02-22 23:02:36 +00:00
|
|
|
if (caps.size) {
|
|
|
|
|
info.flags |= VFIO_REGION_INFO_FLAG_CAPS;
|
|
|
|
|
if (info.argsz < sizeof(info) + caps.size) {
|
|
|
|
|
info.argsz = sizeof(info) + caps.size;
|
|
|
|
|
info.cap_offset = 0;
|
|
|
|
|
} else {
|
|
|
|
|
vfio_info_cap_shift(&caps, sizeof(info));
|
2016-02-25 07:52:12 +00:00
|
|
|
if (copy_to_user((void __user *)arg +
|
|
|
|
|
sizeof(info), caps.buf,
|
|
|
|
|
caps.size)) {
|
2016-02-22 23:02:36 +00:00
|
|
|
kfree(caps.buf);
|
2016-02-25 07:52:12 +00:00
|
|
|
return -EFAULT;
|
2016-02-22 23:02:36 +00:00
|
|
|
}
|
|
|
|
|
info.cap_offset = sizeof(info);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kfree(caps.buf);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
|
|
|
|
|
2016-02-28 14:31:39 +00:00
|
|
|
return copy_to_user((void __user *)arg, &info, minsz) ?
|
|
|
|
|
-EFAULT : 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
} else if (cmd == VFIO_DEVICE_GET_IRQ_INFO) {
|
|
|
|
|
struct vfio_irq_info info;
|
|
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_irq_info, count);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&info, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (info.argsz < minsz || info.index >= VFIO_PCI_NUM_IRQS)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2013-03-11 15:31:22 +00:00
|
|
|
switch (info.index) {
|
|
|
|
|
case VFIO_PCI_INTX_IRQ_INDEX ... VFIO_PCI_MSIX_IRQ_INDEX:
|
2015-02-06 22:05:08 +00:00
|
|
|
case VFIO_PCI_REQ_IRQ_INDEX:
|
2013-03-11 15:31:22 +00:00
|
|
|
break;
|
|
|
|
|
case VFIO_PCI_ERR_IRQ_INDEX:
|
|
|
|
|
if (pci_is_pcie(vdev->pdev))
|
|
|
|
|
break;
|
2020-08-23 22:36:59 +00:00
|
|
|
fallthrough;
|
2013-03-11 15:31:22 +00:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
info.flags = VFIO_IRQ_INFO_EVENTFD;
|
|
|
|
|
|
|
|
|
|
info.count = vfio_pci_get_irq_count(vdev, info.index);
|
|
|
|
|
|
|
|
|
|
if (info.index == VFIO_PCI_INTX_IRQ_INDEX)
|
|
|
|
|
info.flags |= (VFIO_IRQ_INFO_MASKABLE |
|
|
|
|
|
VFIO_IRQ_INFO_AUTOMASKED);
|
|
|
|
|
else
|
|
|
|
|
info.flags |= VFIO_IRQ_INFO_NORESIZE;
|
|
|
|
|
|
2016-02-28 14:31:39 +00:00
|
|
|
return copy_to_user((void __user *)arg, &info, minsz) ?
|
|
|
|
|
-EFAULT : 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
|
|
|
|
|
struct vfio_irq_set hdr;
|
|
|
|
|
u8 *data = NULL;
|
2016-10-12 16:51:24 +00:00
|
|
|
int max, ret = 0;
|
2016-11-16 20:46:28 +00:00
|
|
|
size_t data_size = 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_irq_set, count);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&hdr, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2016-10-12 16:51:24 +00:00
|
|
|
max = vfio_pci_get_irq_count(vdev, hdr.index);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2016-11-16 20:46:28 +00:00
|
|
|
ret = vfio_set_irqs_validate_and_prepare(&hdr, max,
|
|
|
|
|
VFIO_PCI_NUM_IRQS, &data_size);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2016-11-16 20:46:28 +00:00
|
|
|
if (data_size) {
|
2012-12-07 20:43:49 +00:00
|
|
|
data = memdup_user((void __user *)(arg + minsz),
|
2016-11-16 20:46:28 +00:00
|
|
|
data_size);
|
2012-12-07 20:43:49 +00:00
|
|
|
if (IS_ERR(data))
|
|
|
|
|
return PTR_ERR(data);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mutex_lock(&vdev->igate);
|
|
|
|
|
|
|
|
|
|
ret = vfio_pci_set_irqs_ioctl(vdev, hdr.flags, hdr.index,
|
|
|
|
|
hdr.start, hdr.count, data);
|
|
|
|
|
|
|
|
|
|
mutex_unlock(&vdev->igate);
|
|
|
|
|
kfree(data);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
2013-09-04 17:28:04 +00:00
|
|
|
} else if (cmd == VFIO_DEVICE_RESET) {
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!vdev->reset_works)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
vfio_pci_zap_and_down_write_memory_lock(vdev);
|
|
|
|
|
ret = pci_try_reset_function(vdev->pdev);
|
|
|
|
|
up_write(&vdev->memory_lock);
|
|
|
|
|
|
|
|
|
|
return ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2013-09-04 17:28:04 +00:00
|
|
|
} else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) {
|
|
|
|
|
struct vfio_pci_hot_reset_info hdr;
|
|
|
|
|
struct vfio_pci_fill_info fill = { 0 };
|
|
|
|
|
struct vfio_pci_dependent_device *devices = NULL;
|
|
|
|
|
bool slot = false;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_pci_hot_reset_info, count);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&hdr, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (hdr.argsz < minsz)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
hdr.flags = 0;
|
|
|
|
|
|
|
|
|
|
/* Can we do a slot or bus reset or neither? */
|
|
|
|
|
if (!pci_probe_reset_slot(vdev->pdev->slot))
|
|
|
|
|
slot = true;
|
|
|
|
|
else if (pci_probe_reset_bus(vdev->pdev->bus))
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
|
|
|
|
/* How many devices are affected? */
|
|
|
|
|
ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
|
|
|
|
|
vfio_pci_count_devs,
|
|
|
|
|
&fill.max, slot);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
WARN_ON(!fill.max); /* Should always be at least one */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If there's enough space, fill it now, otherwise return
|
|
|
|
|
* -ENOSPC and the number of devices affected.
|
|
|
|
|
*/
|
|
|
|
|
if (hdr.argsz < sizeof(hdr) + (fill.max * sizeof(*devices))) {
|
|
|
|
|
ret = -ENOSPC;
|
|
|
|
|
hdr.count = fill.max;
|
|
|
|
|
goto reset_info_exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
devices = kcalloc(fill.max, sizeof(*devices), GFP_KERNEL);
|
|
|
|
|
if (!devices)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
fill.devices = devices;
|
|
|
|
|
|
|
|
|
|
ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
|
|
|
|
|
vfio_pci_fill_devs,
|
|
|
|
|
&fill, slot);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If a device was removed between counting and filling,
|
|
|
|
|
* we may come up short of fill.max. If a device was
|
|
|
|
|
* added, we'll have a return of -EAGAIN above.
|
|
|
|
|
*/
|
|
|
|
|
if (!ret)
|
|
|
|
|
hdr.count = fill.cur;
|
|
|
|
|
|
|
|
|
|
reset_info_exit:
|
|
|
|
|
if (copy_to_user((void __user *)arg, &hdr, minsz))
|
|
|
|
|
ret = -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
if (copy_to_user((void __user *)(arg + minsz), devices,
|
|
|
|
|
hdr.count * sizeof(*devices)))
|
|
|
|
|
ret = -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kfree(devices);
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
} else if (cmd == VFIO_DEVICE_PCI_HOT_RESET) {
|
|
|
|
|
struct vfio_pci_hot_reset hdr;
|
|
|
|
|
int32_t *group_fds;
|
2021-08-06 01:19:06 +00:00
|
|
|
struct vfio_group **groups;
|
2013-09-04 17:28:04 +00:00
|
|
|
struct vfio_pci_group_info info;
|
|
|
|
|
bool slot = false;
|
2021-08-06 01:19:06 +00:00
|
|
|
int group_idx, count = 0, ret = 0;
|
2013-09-04 17:28:04 +00:00
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_pci_hot_reset, count);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&hdr, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (hdr.argsz < minsz || hdr.flags)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/* Can we do a slot or bus reset or neither? */
|
|
|
|
|
if (!pci_probe_reset_slot(vdev->pdev->slot))
|
|
|
|
|
slot = true;
|
|
|
|
|
else if (pci_probe_reset_bus(vdev->pdev->bus))
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We can't let userspace give us an arbitrarily large
|
|
|
|
|
* buffer to copy, so verify how many we think there
|
|
|
|
|
* could be. Note groups can have multiple devices so
|
|
|
|
|
* one group per device is the max.
|
|
|
|
|
*/
|
|
|
|
|
ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
|
|
|
|
|
vfio_pci_count_devs,
|
|
|
|
|
&count, slot);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
/* Somewhere between 1 and count is OK */
|
|
|
|
|
if (!hdr.count || hdr.count > count)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
group_fds = kcalloc(hdr.count, sizeof(*group_fds), GFP_KERNEL);
|
|
|
|
|
groups = kcalloc(hdr.count, sizeof(*groups), GFP_KERNEL);
|
|
|
|
|
if (!group_fds || !groups) {
|
|
|
|
|
kfree(group_fds);
|
|
|
|
|
kfree(groups);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(group_fds, (void __user *)(arg + minsz),
|
|
|
|
|
hdr.count * sizeof(*group_fds))) {
|
|
|
|
|
kfree(group_fds);
|
|
|
|
|
kfree(groups);
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* For each group_fd, get the group through the vfio external
|
|
|
|
|
* user interface and store the group and iommu ID. This
|
|
|
|
|
* ensures the group is held across the reset.
|
|
|
|
|
*/
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
for (group_idx = 0; group_idx < hdr.count; group_idx++) {
|
2013-09-04 17:28:04 +00:00
|
|
|
struct vfio_group *group;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
struct fd f = fdget(group_fds[group_idx]);
|
2013-09-04 17:28:04 +00:00
|
|
|
if (!f.file) {
|
|
|
|
|
ret = -EBADF;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
group = vfio_group_get_external_user(f.file);
|
|
|
|
|
fdput(f);
|
|
|
|
|
if (IS_ERR(group)) {
|
|
|
|
|
ret = PTR_ERR(group);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:06 +00:00
|
|
|
groups[group_idx] = group;
|
2013-09-04 17:28:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kfree(group_fds);
|
|
|
|
|
|
|
|
|
|
/* release reference to groups on error */
|
|
|
|
|
if (ret)
|
|
|
|
|
goto hot_reset_release;
|
|
|
|
|
|
|
|
|
|
info.count = hdr.count;
|
|
|
|
|
info.groups = groups;
|
|
|
|
|
|
2021-08-06 01:19:06 +00:00
|
|
|
ret = vfio_pci_dev_set_hot_reset(vdev->vdev.dev_set, &info);
|
2013-09-04 17:28:04 +00:00
|
|
|
|
|
|
|
|
hot_reset_release:
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
for (group_idx--; group_idx >= 0; group_idx--)
|
2021-08-06 01:19:06 +00:00
|
|
|
vfio_group_put_external_user(groups[group_idx]);
|
2013-09-04 17:28:04 +00:00
|
|
|
|
|
|
|
|
kfree(groups);
|
|
|
|
|
return ret;
|
2018-03-21 18:46:21 +00:00
|
|
|
} else if (cmd == VFIO_DEVICE_IOEVENTFD) {
|
|
|
|
|
struct vfio_device_ioeventfd ioeventfd;
|
|
|
|
|
int count;
|
|
|
|
|
|
|
|
|
|
minsz = offsetofend(struct vfio_device_ioeventfd, fd);
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&ioeventfd, (void __user *)arg, minsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
if (ioeventfd.argsz < minsz)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
if (ioeventfd.flags & ~VFIO_DEVICE_IOEVENTFD_SIZE_MASK)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
count = ioeventfd.flags & VFIO_DEVICE_IOEVENTFD_SIZE_MASK;
|
|
|
|
|
|
|
|
|
|
if (hweight8(count) != 1 || ioeventfd.fd < -1)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
return vfio_pci_ioeventfd(vdev, ioeventfd.offset,
|
|
|
|
|
ioeventfd.data, count, ioeventfd.fd);
|
2022-02-24 14:20:17 +00:00
|
|
|
}
|
|
|
|
|
return -ENOTTY;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl);
|
2020-03-24 15:28:27 +00:00
|
|
|
|
2022-02-24 14:20:17 +00:00
|
|
|
static int vfio_pci_core_feature_token(struct vfio_device *device, u32 flags,
|
|
|
|
|
void __user *arg, size_t argsz)
|
|
|
|
|
{
|
|
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(device, struct vfio_pci_core_device, vdev);
|
|
|
|
|
uuid_t uuid;
|
|
|
|
|
int ret;
|
2020-03-24 15:28:27 +00:00
|
|
|
|
2022-02-24 14:20:17 +00:00
|
|
|
if (!vdev->vf_token)
|
|
|
|
|
return -ENOTTY;
|
|
|
|
|
/*
|
|
|
|
|
* We do not support GET of the VF Token UUID as this could
|
|
|
|
|
* expose the token of the previous device user.
|
|
|
|
|
*/
|
|
|
|
|
ret = vfio_check_feature(flags, argsz, VFIO_DEVICE_FEATURE_SET,
|
|
|
|
|
sizeof(uuid));
|
|
|
|
|
if (ret != 1)
|
|
|
|
|
return ret;
|
2020-03-24 15:28:27 +00:00
|
|
|
|
2022-02-24 14:20:17 +00:00
|
|
|
if (copy_from_user(&uuid, arg, sizeof(uuid)))
|
|
|
|
|
return -EFAULT;
|
2020-03-24 15:28:27 +00:00
|
|
|
|
2022-02-24 14:20:17 +00:00
|
|
|
mutex_lock(&vdev->vf_token->lock);
|
|
|
|
|
uuid_copy(&vdev->vf_token->uuid, &uuid);
|
|
|
|
|
mutex_unlock(&vdev->vf_token->lock);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2020-03-24 15:28:27 +00:00
|
|
|
|
2022-02-24 14:20:17 +00:00
|
|
|
int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
|
|
|
|
|
void __user *arg, size_t argsz)
|
|
|
|
|
{
|
|
|
|
|
switch (flags & VFIO_DEVICE_FEATURE_MASK) {
|
|
|
|
|
case VFIO_DEVICE_FEATURE_PCI_VF_TOKEN:
|
|
|
|
|
return vfio_pci_core_feature_token(device, flags, arg, argsz);
|
|
|
|
|
default:
|
|
|
|
|
return -ENOTTY;
|
2013-09-04 17:28:04 +00:00
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2022-02-24 14:20:17 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl_feature);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static ssize_t vfio_pci_rw(struct vfio_pci_core_device *vdev, char __user *buf,
|
2013-02-14 21:02:12 +00:00
|
|
|
size_t count, loff_t *ppos, bool iswrite)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
|
|
|
|
unsigned int index = VFIO_PCI_OFFSET_TO_INDEX(*ppos);
|
|
|
|
|
|
2016-02-22 23:02:39 +00:00
|
|
|
if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions)
|
2012-07-31 14:16:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2013-02-14 21:02:12 +00:00
|
|
|
switch (index) {
|
|
|
|
|
case VFIO_PCI_CONFIG_REGION_INDEX:
|
2013-02-14 21:02:12 +00:00
|
|
|
return vfio_pci_config_rw(vdev, buf, count, ppos, iswrite);
|
|
|
|
|
|
2013-02-14 21:02:12 +00:00
|
|
|
case VFIO_PCI_ROM_REGION_INDEX:
|
|
|
|
|
if (iswrite)
|
|
|
|
|
return -EINVAL;
|
2013-02-14 21:02:12 +00:00
|
|
|
return vfio_pci_bar_rw(vdev, buf, count, ppos, false);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2013-02-14 21:02:12 +00:00
|
|
|
case VFIO_PCI_BAR0_REGION_INDEX ... VFIO_PCI_BAR5_REGION_INDEX:
|
2013-02-14 21:02:12 +00:00
|
|
|
return vfio_pci_bar_rw(vdev, buf, count, ppos, iswrite);
|
2013-02-18 17:11:13 +00:00
|
|
|
|
|
|
|
|
case VFIO_PCI_VGA_REGION_INDEX:
|
|
|
|
|
return vfio_pci_vga_rw(vdev, buf, count, ppos, iswrite);
|
2016-02-22 23:02:39 +00:00
|
|
|
default:
|
|
|
|
|
index -= VFIO_PCI_NUM_REGIONS;
|
|
|
|
|
return vdev->region[index].ops->rw(vdev, buf,
|
|
|
|
|
count, ppos, iswrite);
|
2013-02-14 21:02:12 +00:00
|
|
|
}
|
|
|
|
|
|
2012-07-31 14:16:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
ssize_t vfio_pci_core_read(struct vfio_device *core_vdev, char __user *buf,
|
|
|
|
|
size_t count, loff_t *ppos)
|
2013-02-14 21:02:12 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2021-03-30 15:53:08 +00:00
|
|
|
|
2013-02-14 21:02:12 +00:00
|
|
|
if (!count)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2021-03-30 15:53:08 +00:00
|
|
|
return vfio_pci_rw(vdev, buf, count, ppos, false);
|
2013-02-14 21:02:12 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_read);
|
2013-02-14 21:02:12 +00:00
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
ssize_t vfio_pci_core_write(struct vfio_device *core_vdev, const char __user *buf,
|
|
|
|
|
size_t count, loff_t *ppos)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2021-03-30 15:53:08 +00:00
|
|
|
|
2013-02-14 21:02:12 +00:00
|
|
|
if (!count)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2021-03-30 15:53:08 +00:00
|
|
|
return vfio_pci_rw(vdev, (char __user *)buf, count, ppos, true);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_write);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */
|
2021-08-26 10:39:02 +00:00
|
|
|
static int vfio_pci_zap_and_vma_lock(struct vfio_pci_core_device *vdev, bool try)
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
{
|
|
|
|
|
struct vfio_pci_mmap_vma *mmap_vma, *tmp;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Lock ordering:
|
2020-06-09 04:33:54 +00:00
|
|
|
* vma_lock is nested under mmap_lock for vm_ops callback paths.
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
* The memory_lock semaphore is used by both code paths calling
|
|
|
|
|
* into this function to zap vmas and the vm_ops.fault callback
|
|
|
|
|
* to protect the memory enable state of the device.
|
|
|
|
|
*
|
2020-06-09 04:33:54 +00:00
|
|
|
* When zapping vmas we need to maintain the mmap_lock => vma_lock
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
* ordering, which requires using vma_lock to walk vma_list to
|
2020-06-09 04:33:54 +00:00
|
|
|
* acquire an mm, then dropping vma_lock to get the mmap_lock and
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
* reacquiring vma_lock. This logic is derived from similar
|
|
|
|
|
* requirements in uverbs_user_mmap_disassociate().
|
|
|
|
|
*
|
2020-06-09 04:33:54 +00:00
|
|
|
* mmap_lock must always be the top-level lock when it is taken.
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
* Therefore we can only hold the memory_lock write lock when
|
2020-06-09 04:33:54 +00:00
|
|
|
* vma_list is empty, as we'd need to take mmap_lock to clear
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
* entries. vma_list can only be guaranteed empty when holding
|
|
|
|
|
* vma_lock, thus memory_lock is nested under vma_lock.
|
|
|
|
|
*
|
|
|
|
|
* This enables the vm_ops.fault callback to acquire vma_lock,
|
|
|
|
|
* followed by memory_lock read lock, while already holding
|
2020-06-09 04:33:54 +00:00
|
|
|
* mmap_lock without risk of deadlock.
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
*/
|
|
|
|
|
while (1) {
|
|
|
|
|
struct mm_struct *mm = NULL;
|
|
|
|
|
|
|
|
|
|
if (try) {
|
|
|
|
|
if (!mutex_trylock(&vdev->vma_lock))
|
|
|
|
|
return 0;
|
|
|
|
|
} else {
|
|
|
|
|
mutex_lock(&vdev->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
while (!list_empty(&vdev->vma_list)) {
|
|
|
|
|
mmap_vma = list_first_entry(&vdev->vma_list,
|
|
|
|
|
struct vfio_pci_mmap_vma,
|
|
|
|
|
vma_next);
|
|
|
|
|
mm = mmap_vma->vma->vm_mm;
|
|
|
|
|
if (mmget_not_zero(mm))
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
list_del(&mmap_vma->vma_next);
|
|
|
|
|
kfree(mmap_vma);
|
|
|
|
|
mm = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (!mm)
|
|
|
|
|
return 1;
|
|
|
|
|
mutex_unlock(&vdev->vma_lock);
|
|
|
|
|
|
|
|
|
|
if (try) {
|
2020-06-09 04:33:29 +00:00
|
|
|
if (!mmap_read_trylock(mm)) {
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
mmput(mm);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2020-06-09 04:33:29 +00:00
|
|
|
mmap_read_lock(mm);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
}
|
2020-10-16 03:13:00 +00:00
|
|
|
if (try) {
|
|
|
|
|
if (!mutex_trylock(&vdev->vma_lock)) {
|
|
|
|
|
mmap_read_unlock(mm);
|
|
|
|
|
mmput(mm);
|
|
|
|
|
return 0;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
}
|
2020-10-16 03:13:00 +00:00
|
|
|
} else {
|
|
|
|
|
mutex_lock(&vdev->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
list_for_each_entry_safe(mmap_vma, tmp,
|
|
|
|
|
&vdev->vma_list, vma_next) {
|
|
|
|
|
struct vm_area_struct *vma = mmap_vma->vma;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2020-10-16 03:13:00 +00:00
|
|
|
if (vma->vm_mm != mm)
|
|
|
|
|
continue;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2020-10-16 03:13:00 +00:00
|
|
|
list_del(&mmap_vma->vma_next);
|
|
|
|
|
kfree(mmap_vma);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2020-10-16 03:13:00 +00:00
|
|
|
zap_vma_ptes(vma, vma->vm_start,
|
|
|
|
|
vma->vm_end - vma->vm_start);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
}
|
2020-10-16 03:13:00 +00:00
|
|
|
mutex_unlock(&vdev->vma_lock);
|
2020-06-09 04:33:29 +00:00
|
|
|
mmap_read_unlock(mm);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
mmput(mm);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_core_device *vdev)
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
{
|
|
|
|
|
vfio_pci_zap_and_vma_lock(vdev, false);
|
|
|
|
|
down_write(&vdev->memory_lock);
|
|
|
|
|
mutex_unlock(&vdev->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_core_device *vdev)
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
{
|
|
|
|
|
u16 cmd;
|
|
|
|
|
|
|
|
|
|
down_write(&vdev->memory_lock);
|
|
|
|
|
pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd);
|
|
|
|
|
if (!(cmd & PCI_COMMAND_MEMORY))
|
|
|
|
|
pci_write_config_word(vdev->pdev, PCI_COMMAND,
|
|
|
|
|
cmd | PCI_COMMAND_MEMORY);
|
|
|
|
|
|
|
|
|
|
return cmd;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
void vfio_pci_memory_unlock_and_restore(struct vfio_pci_core_device *vdev, u16 cmd)
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
{
|
|
|
|
|
pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd);
|
|
|
|
|
up_write(&vdev->memory_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Caller holds vma_lock */
|
2021-08-26 10:39:02 +00:00
|
|
|
static int __vfio_pci_add_vma(struct vfio_pci_core_device *vdev,
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
struct vm_area_struct *vma)
|
2020-04-28 19:12:20 +00:00
|
|
|
{
|
|
|
|
|
struct vfio_pci_mmap_vma *mmap_vma;
|
|
|
|
|
|
|
|
|
|
mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL);
|
|
|
|
|
if (!mmap_vma)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
mmap_vma->vma = vma;
|
|
|
|
|
list_add(&mmap_vma->vma_next, &vdev->vma_list);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Zap mmaps on open so that we can fault them in on access and therefore
|
|
|
|
|
* our vma_list only tracks mappings accessed since last zap.
|
|
|
|
|
*/
|
|
|
|
|
static void vfio_pci_mmap_open(struct vm_area_struct *vma)
|
|
|
|
|
{
|
|
|
|
|
zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void vfio_pci_mmap_close(struct vm_area_struct *vma)
|
|
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev = vma->vm_private_data;
|
2020-04-28 19:12:20 +00:00
|
|
|
struct vfio_pci_mmap_vma *mmap_vma;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&vdev->vma_lock);
|
|
|
|
|
list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
|
|
|
|
|
if (mmap_vma->vma == vma) {
|
|
|
|
|
list_del(&mmap_vma->vma_next);
|
|
|
|
|
kfree(mmap_vma);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
mutex_unlock(&vdev->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
|
|
|
|
|
{
|
|
|
|
|
struct vm_area_struct *vma = vmf->vma;
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev = vma->vm_private_data;
|
2021-06-28 20:08:12 +00:00
|
|
|
struct vfio_pci_mmap_vma *mmap_vma;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
vm_fault_t ret = VM_FAULT_NOPAGE;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&vdev->vma_lock);
|
|
|
|
|
down_read(&vdev->memory_lock);
|
|
|
|
|
|
|
|
|
|
if (!__vfio_pci_memory_enabled(vdev)) {
|
|
|
|
|
ret = VM_FAULT_SIGBUS;
|
|
|
|
|
goto up_out;
|
|
|
|
|
}
|
2020-04-28 19:12:20 +00:00
|
|
|
|
2021-06-28 20:08:12 +00:00
|
|
|
/*
|
|
|
|
|
* We populate the whole vma on fault, so we need to test whether
|
|
|
|
|
* the vma has already been mapped, such as for concurrent faults
|
|
|
|
|
* to the same vma. io_remap_pfn_range() will trigger a BUG_ON if
|
|
|
|
|
* we ask it to fill the same range again.
|
|
|
|
|
*/
|
|
|
|
|
list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
|
|
|
|
|
if (mmap_vma->vma == vma)
|
|
|
|
|
goto up_out;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
}
|
|
|
|
|
|
2020-11-05 16:34:58 +00:00
|
|
|
if (io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
|
2021-06-28 20:08:12 +00:00
|
|
|
vma->vm_end - vma->vm_start,
|
|
|
|
|
vma->vm_page_prot)) {
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
ret = VM_FAULT_SIGBUS;
|
2021-06-28 20:08:12 +00:00
|
|
|
zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
goto up_out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (__vfio_pci_add_vma(vdev, vma)) {
|
|
|
|
|
ret = VM_FAULT_OOM;
|
|
|
|
|
zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
}
|
2020-04-28 19:12:20 +00:00
|
|
|
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
up_out:
|
|
|
|
|
up_read(&vdev->memory_lock);
|
2021-06-28 20:08:12 +00:00
|
|
|
mutex_unlock(&vdev->vma_lock);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
return ret;
|
2020-04-28 19:12:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct vm_operations_struct vfio_pci_mmap_ops = {
|
|
|
|
|
.open = vfio_pci_mmap_open,
|
|
|
|
|
.close = vfio_pci_mmap_close,
|
|
|
|
|
.fault = vfio_pci_mmap_fault,
|
|
|
|
|
};
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2012-07-31 14:16:24 +00:00
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
unsigned int index;
|
2012-10-10 15:10:31 +00:00
|
|
|
u64 phys_len, req_len, pgoff, req_start;
|
2012-07-31 14:16:24 +00:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
index = vma->vm_pgoff >> (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT);
|
|
|
|
|
|
2021-04-12 21:41:24 +00:00
|
|
|
if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions)
|
|
|
|
|
return -EINVAL;
|
2012-07-31 14:16:24 +00:00
|
|
|
if (vma->vm_end < vma->vm_start)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
if ((vma->vm_flags & VM_SHARED) == 0)
|
|
|
|
|
return -EINVAL;
|
2018-12-19 08:52:30 +00:00
|
|
|
if (index >= VFIO_PCI_NUM_REGIONS) {
|
|
|
|
|
int regnum = index - VFIO_PCI_NUM_REGIONS;
|
|
|
|
|
struct vfio_pci_region *region = vdev->region + regnum;
|
|
|
|
|
|
2021-04-12 21:41:24 +00:00
|
|
|
if (region->ops && region->ops->mmap &&
|
2018-12-19 08:52:30 +00:00
|
|
|
(region->flags & VFIO_REGION_INFO_FLAG_MMAP))
|
|
|
|
|
return region->ops->mmap(vdev, region, vma);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
if (index >= VFIO_PCI_ROM_REGION_INDEX)
|
|
|
|
|
return -EINVAL;
|
2016-06-30 07:21:24 +00:00
|
|
|
if (!vdev->bar_mmap_supported[index])
|
2012-07-31 14:16:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2016-06-30 07:21:24 +00:00
|
|
|
phys_len = PAGE_ALIGN(pci_resource_len(pdev, index));
|
2012-07-31 14:16:24 +00:00
|
|
|
req_len = vma->vm_end - vma->vm_start;
|
|
|
|
|
pgoff = vma->vm_pgoff &
|
|
|
|
|
((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1);
|
|
|
|
|
req_start = pgoff << PAGE_SHIFT;
|
|
|
|
|
|
2016-06-30 07:21:24 +00:00
|
|
|
if (req_start + req_len > phys_len)
|
2012-07-31 14:16:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Even though we don't make use of the barmap for the mmap,
|
|
|
|
|
* we need to request the region and the barmap tracks that.
|
|
|
|
|
*/
|
|
|
|
|
if (!vdev->barmap[index]) {
|
|
|
|
|
ret = pci_request_selected_regions(pdev,
|
|
|
|
|
1 << index, "vfio-pci");
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
vdev->barmap[index] = pci_iomap(pdev, index, 0);
|
2017-01-03 11:56:46 +00:00
|
|
|
if (!vdev->barmap[index]) {
|
|
|
|
|
pci_release_selected_regions(pdev, 1 << index);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vma->vm_private_data = vdev;
|
|
|
|
|
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
|
2012-10-10 15:10:31 +00:00
|
|
|
vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2020-04-28 19:12:20 +00:00
|
|
|
/*
|
|
|
|
|
* See remap_pfn_range(), called from vfio_pci_fault() but we can't
|
|
|
|
|
* change vm_flags within the fault handler. Set them now.
|
|
|
|
|
*/
|
|
|
|
|
vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
|
|
|
|
|
vma->vm_ops = &vfio_pci_mmap_ops;
|
|
|
|
|
|
|
|
|
|
return 0;
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_mmap);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count)
|
2015-02-06 22:05:08 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
2019-03-30 14:41:35 +00:00
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
2015-02-06 22:05:08 +00:00
|
|
|
|
|
|
|
|
mutex_lock(&vdev->igate);
|
|
|
|
|
|
|
|
|
|
if (vdev->req_trigger) {
|
2015-04-28 16:23:30 +00:00
|
|
|
if (!(count % 10))
|
2019-03-30 14:41:35 +00:00
|
|
|
pci_notice_ratelimited(pdev,
|
2015-04-28 16:23:30 +00:00
|
|
|
"Relaying device request to user (#%u)\n",
|
|
|
|
|
count);
|
2015-02-06 22:05:08 +00:00
|
|
|
eventfd_signal(vdev->req_trigger, 1);
|
2015-04-28 16:23:30 +00:00
|
|
|
} else if (count == 0) {
|
2019-03-30 14:41:35 +00:00
|
|
|
pci_warn(pdev,
|
2015-04-28 16:23:30 +00:00
|
|
|
"No device request channel registered, blocked until released by user\n");
|
2015-02-06 22:05:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mutex_unlock(&vdev->igate);
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_request);
|
2015-02-06 22:05:08 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev,
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
bool vf_token, uuid_t *uuid)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* There's always some degree of trust or collaboration between SR-IOV
|
|
|
|
|
* PF and VFs, even if just that the PF hosts the SR-IOV capability and
|
|
|
|
|
* can disrupt VFs with a reset, but often the PF has more explicit
|
|
|
|
|
* access to deny service to the VF or access data passed through the
|
|
|
|
|
* VF. We therefore require an opt-in via a shared VF token (UUID) to
|
|
|
|
|
* represent this trust. This both prevents that a VF driver might
|
|
|
|
|
* assume the PF driver is a trusted, in-kernel driver, and also that
|
|
|
|
|
* a PF driver might be replaced with a rogue driver, unknown to in-use
|
|
|
|
|
* VF drivers.
|
|
|
|
|
*
|
|
|
|
|
* Therefore when presented with a VF, if the PF is a vfio device and
|
|
|
|
|
* it is bound to the vfio-pci driver, the user needs to provide a VF
|
|
|
|
|
* token to access the device, in the form of appending a vf_token to
|
|
|
|
|
* the device name, for example:
|
|
|
|
|
*
|
|
|
|
|
* "0000:04:10.0 vf_token=bd8d9d2b-5a5f-4f5a-a211-f591514ba1f3"
|
|
|
|
|
*
|
|
|
|
|
* When presented with a PF which has VFs in use, the user must also
|
|
|
|
|
* provide the current VF token to prove collaboration with existing
|
|
|
|
|
* VF users. If VFs are not in use, the VF token provided for the PF
|
|
|
|
|
* device will act to set the VF token.
|
|
|
|
|
*
|
|
|
|
|
* If the VF token is provided but unused, an error is generated.
|
|
|
|
|
*/
|
|
|
|
|
if (!vdev->pdev->is_virtfn && !vdev->vf_token && !vf_token)
|
|
|
|
|
return 0; /* No VF token provided or required */
|
|
|
|
|
|
|
|
|
|
if (vdev->pdev->is_virtfn) {
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *pf_vdev = get_pf_vdev(vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
bool match;
|
|
|
|
|
|
|
|
|
|
if (!pf_vdev) {
|
|
|
|
|
if (!vf_token)
|
|
|
|
|
return 0; /* PF is not vfio-pci, no VF token */
|
|
|
|
|
|
|
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"VF token incorrectly provided, PF not bound to vfio-pci\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!vf_token) {
|
2021-03-30 15:53:08 +00:00
|
|
|
vfio_device_put(&pf_vdev->vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"VF token required to access device\n");
|
|
|
|
|
return -EACCES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mutex_lock(&pf_vdev->vf_token->lock);
|
|
|
|
|
match = uuid_equal(uuid, &pf_vdev->vf_token->uuid);
|
|
|
|
|
mutex_unlock(&pf_vdev->vf_token->lock);
|
|
|
|
|
|
2021-03-30 15:53:08 +00:00
|
|
|
vfio_device_put(&pf_vdev->vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
|
|
|
|
|
if (!match) {
|
|
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"Incorrect VF token provided for device\n");
|
|
|
|
|
return -EACCES;
|
|
|
|
|
}
|
|
|
|
|
} else if (vdev->vf_token) {
|
|
|
|
|
mutex_lock(&vdev->vf_token->lock);
|
|
|
|
|
if (vdev->vf_token->users) {
|
|
|
|
|
if (!vf_token) {
|
|
|
|
|
mutex_unlock(&vdev->vf_token->lock);
|
|
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"VF token required to access device\n");
|
|
|
|
|
return -EACCES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!uuid_equal(uuid, &vdev->vf_token->uuid)) {
|
|
|
|
|
mutex_unlock(&vdev->vf_token->lock);
|
|
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"Incorrect VF token provided for device\n");
|
|
|
|
|
return -EACCES;
|
|
|
|
|
}
|
|
|
|
|
} else if (vf_token) {
|
|
|
|
|
uuid_copy(&vdev->vf_token->uuid, uuid);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mutex_unlock(&vdev->vf_token->lock);
|
|
|
|
|
} else if (vf_token) {
|
|
|
|
|
pci_info_ratelimited(vdev->pdev,
|
|
|
|
|
"VF token incorrectly provided, not a PF or VF\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define VF_TOKEN_ARG "vf_token="
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf)
|
2020-03-24 15:28:26 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev =
|
|
|
|
|
container_of(core_vdev, struct vfio_pci_core_device, vdev);
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
bool vf_token = false;
|
|
|
|
|
uuid_t uuid;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (strncmp(pci_name(vdev->pdev), buf, strlen(pci_name(vdev->pdev))))
|
|
|
|
|
return 0; /* No match */
|
|
|
|
|
|
|
|
|
|
if (strlen(buf) > strlen(pci_name(vdev->pdev))) {
|
|
|
|
|
buf += strlen(pci_name(vdev->pdev));
|
|
|
|
|
|
|
|
|
|
if (*buf != ' ')
|
|
|
|
|
return 0; /* No match: non-whitespace after name */
|
|
|
|
|
|
|
|
|
|
while (*buf) {
|
|
|
|
|
if (*buf == ' ') {
|
|
|
|
|
buf++;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!vf_token && !strncmp(buf, VF_TOKEN_ARG,
|
|
|
|
|
strlen(VF_TOKEN_ARG))) {
|
|
|
|
|
buf += strlen(VF_TOKEN_ARG);
|
|
|
|
|
|
|
|
|
|
if (strlen(buf) < UUID_STRING_LEN)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
ret = uuid_parse(buf, &uuid);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2020-03-24 15:28:26 +00:00
|
|
|
|
vfio/pci: Introduce VF token
If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
fully isolated from the PF. The PF can always cause a denial of service
to the VF, even if by simply resetting itself. The degree to which a PF
can access the data passed through a VF or interfere with its operation
is dependent on a given SR-IOV implementation. Therefore we want to
avoid a scenario where an existing vfio-pci based userspace driver might
assume the PF driver is trusted, for example assigning a PF to one VM
and VF to another with some expectation of isolation. IOMMU grouping
could be a solution to this, but imposes an unnecessarily strong
relationship between PF and VF drivers if they need to operate with the
same IOMMU context. Instead we introduce a "VF token", which is
essentially just a shared secret between PF and VF drivers, implemented
as a UUID.
The VF token can be set by a vfio-pci based PF driver and must be known
by the vfio-pci based VF driver in order to gain access to the device.
This allows the degree to which this VF token is considered secret to be
determined by the applications and environment. For example a VM might
generate a random UUID known only internally to the hypervisor while a
userspace networking appliance might use a shared, or even well know,
UUID among the application drivers.
To incorporate this VF token, the VFIO_GROUP_GET_DEVICE_FD interface is
extended to accept key=value pairs in addition to the device name. This
allows us to most easily deny user access to the device without risk
that existing userspace drivers assume region offsets, IRQs, and other
device features, leading to more elaborate error paths. The format of
these options are expected to take the form:
"$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
Where the device name is always provided first for compatibility and
additional options are specified in a space separated list. The
relation between and requirements for the additional options will be
vfio bus driver dependent, however unknown or unused option within this
schema should return error. This allow for future use of unknown
options as well as a positive indication to the user that an option is
used.
An example VF token option would take this form:
"0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
When accessing a VF where the PF is making use of vfio-pci, the user
MUST provide the current vf_token. When accessing a PF, the user MUST
provide the current vf_token IF there are active VF users or MAY provide
a vf_token in order to set the current VF token when no VF users are
active. The former requirement assures VF users that an unassociated
driver cannot usurp the PF device. These semantics also imply that a
VF token MUST be set by a PF driver before VF drivers can access their
device, the default token is random and mechanisms to read the token are
not provided in order to protect the VF token of previous users. Use of
the vf_token option outside of these cases will return an error, as
discussed above.
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-03-24 15:28:27 +00:00
|
|
|
vf_token = true;
|
|
|
|
|
buf += UUID_STRING_LEN;
|
|
|
|
|
} else {
|
|
|
|
|
/* Unknown/duplicate option */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = vfio_pci_validate_vf_token(vdev, vf_token, &uuid);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
return 1; /* Match */
|
2020-03-24 15:28:26 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_match);
|
2020-03-24 15:28:26 +00:00
|
|
|
|
2020-03-24 15:28:28 +00:00
|
|
|
static int vfio_pci_bus_notifier(struct notifier_block *nb,
|
|
|
|
|
unsigned long action, void *data)
|
|
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev = container_of(nb,
|
|
|
|
|
struct vfio_pci_core_device, nb);
|
2020-03-24 15:28:28 +00:00
|
|
|
struct device *dev = data;
|
|
|
|
|
struct pci_dev *pdev = to_pci_dev(dev);
|
|
|
|
|
struct pci_dev *physfn = pci_physfn(pdev);
|
|
|
|
|
|
|
|
|
|
if (action == BUS_NOTIFY_ADD_DEVICE &&
|
|
|
|
|
pdev->is_virtfn && physfn == vdev->pdev) {
|
|
|
|
|
pci_info(vdev->pdev, "Captured SR-IOV VF %s driver_override\n",
|
|
|
|
|
pci_name(pdev));
|
|
|
|
|
pdev->driver_override = kasprintf(GFP_KERNEL, "%s",
|
2021-08-26 10:39:05 +00:00
|
|
|
vdev->vdev.ops->name);
|
2020-03-24 15:28:28 +00:00
|
|
|
} else if (action == BUS_NOTIFY_BOUND_DRIVER &&
|
|
|
|
|
pdev->is_virtfn && physfn == vdev->pdev) {
|
|
|
|
|
struct pci_driver *drv = pci_dev_driver(pdev);
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
if (drv && drv != pci_dev_driver(vdev->pdev))
|
2020-03-24 15:28:28 +00:00
|
|
|
pci_warn(vdev->pdev,
|
2021-08-26 10:39:05 +00:00
|
|
|
"VF %s bound to driver %s while PF bound to driver %s\n",
|
|
|
|
|
pci_name(pdev), drv->name,
|
|
|
|
|
pci_dev_driver(vdev->pdev)->name);
|
2020-03-24 15:28:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2018-12-12 19:51:07 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static int vfio_pci_vf_init(struct vfio_pci_core_device *vdev)
|
2021-03-30 15:53:06 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!pdev->is_physfn)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
vdev->vf_token = kzalloc(sizeof(*vdev->vf_token), GFP_KERNEL);
|
|
|
|
|
if (!vdev->vf_token)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
mutex_init(&vdev->vf_token->lock);
|
|
|
|
|
uuid_gen(&vdev->vf_token->uuid);
|
|
|
|
|
|
|
|
|
|
vdev->nb.notifier_call = vfio_pci_bus_notifier;
|
|
|
|
|
ret = bus_register_notifier(&pci_bus_type, &vdev->nb);
|
|
|
|
|
if (ret) {
|
|
|
|
|
kfree(vdev->vf_token);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static void vfio_pci_vf_uninit(struct vfio_pci_core_device *vdev)
|
2021-03-30 15:53:06 +00:00
|
|
|
{
|
|
|
|
|
if (!vdev->vf_token)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
bus_unregister_notifier(&pci_bus_type, &vdev->nb);
|
|
|
|
|
WARN_ON(vdev->vf_token->users);
|
|
|
|
|
mutex_destroy(&vdev->vf_token->lock);
|
|
|
|
|
kfree(vdev->vf_token);
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static int vfio_pci_vga_init(struct vfio_pci_core_device *vdev)
|
2021-03-30 15:53:06 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!vfio_pci_is_vga(pdev))
|
|
|
|
|
return 0;
|
|
|
|
|
|
VFIO update for v5.15-rc1
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching
to support future vendor provided vfio-pci variants (Yishai Hadas,
Max Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first
open, last close, and device sets (Jason Gunthorpe, Max Gurtovoy,
Yishai Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
-----BEGIN PGP SIGNATURE-----
iQJPBAABCAA5FiEEQvbATlQL0amee4qQI5ubbjuwiyIFAmEvwWkbHGFsZXgud2ls
bGlhbXNvbkByZWRoYXQuY29tAAoJECObm247sIsi+1UP/3CRizghroINVYR+cJ99
Tjz7lB/wlzxmRfX+SL4NAVe1SSB2VeCgU4B0PF6kywELLS8OhCO3HXYXVsz244fW
Gk5UIns86+TFTrfCOMpwYBV0P86zuaa1ZnvCnkhMK1i2pTZ+oX8hUH1Yj5clHuU+
YgC7JfEuTIAX73q2bC/llLvNE9ke1QCoDX3+HAH87ttqutnRWcnnq56PTEqwe+EW
eMA+glB1UG6JAqXxoJET4155arNOny1/ZMprfBr3YXZTiXDF/lSzuMyUtbp526Sf
hsvlnqtE6TCdfKbog0Lxckl+8E9NCq8jzFBKiZhbccrQv3vVaoP6dOsPWcT35Kp1
IjzMLiHIbl4wXOL+Xap/biz3LCM5BMdT/OhW5LUC007zggK71ndRvb9F8ptW83Bv
0Uh9DNv7YIQ0su3JHZEsJ3qPFXQXceP199UiADOGSeV8U1Qig3YKsHUDMuALfFvN
t+NleeJ4qCWao+W4VCfyDfKurVnMj/cThXiDEWEeq5gMOO+6YKBIFWJVKFxUYDbf
MgGdg0nQTUECuXKXxLD4c1HAWH9xi207OnLvhW1Icywp20MsYqOWt0vhg+PRdMBT
DK6STxP18aQxCaOuQN9Vf81LjhXNTeg+xt3mMyViOZPcKfX6/wAC9qLt4MucJDdw
FBfOz2UL2F56dhAYT+1vHoUM
=nzK7
-----END PGP SIGNATURE-----
Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching to
support future vendor provided vfio-pci variants (Yishai Hadas, Max
Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first open,
last close, and device sets (Jason Gunthorpe, Max Gurtovoy, Yishai
Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
* tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio: (37 commits)
vfio/pci: Introduce vfio_pci_core.ko
vfio: Use kconfig if XX/endif blocks instead of repeating 'depends on'
vfio: Use select for eventfd
PCI / VFIO: Add 'override_only' support for VFIO PCI sub system
PCI: Add 'override_only' field to struct pci_device_id
vfio/pci: Move module parameters to vfio_pci.c
vfio/pci: Move igd initialization to vfio_pci.c
vfio/pci: Split the pci_driver code out of vfio_pci_core.c
vfio/pci: Include vfio header in vfio_pci_core.h
vfio/pci: Rename ops functions to fit core namings
vfio/pci: Rename vfio_pci_device to vfio_pci_core_device
vfio/pci: Rename vfio_pci_private.h to vfio_pci_core.h
vfio/pci: Rename vfio_pci.c to vfio_pci_core.c
vfio/ap_ops: Convert to use vfio_register_group_dev()
s390/vfio-ap: replace open coded locks for VFIO_GROUP_NOTIFY_SET_KVM notification
s390/vfio-ap: r/w lock for PQAP interception handler function pointer
vfio/type1: Fix vfio_find_dma_valid return
vfio-pci/zdev: Remove repeated verbose license text
vfio: platform: reset: Convert to SPDX identifier
vfio: Remove struct vfio_device_ops open/release
...
2021-09-02 20:41:33 +00:00
|
|
|
ret = vga_client_register(pdev, vfio_pci_set_decode);
|
2021-03-30 15:53:06 +00:00
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
VFIO update for v5.15-rc1
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching
to support future vendor provided vfio-pci variants (Yishai Hadas,
Max Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first
open, last close, and device sets (Jason Gunthorpe, Max Gurtovoy,
Yishai Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
-----BEGIN PGP SIGNATURE-----
iQJPBAABCAA5FiEEQvbATlQL0amee4qQI5ubbjuwiyIFAmEvwWkbHGFsZXgud2ls
bGlhbXNvbkByZWRoYXQuY29tAAoJECObm247sIsi+1UP/3CRizghroINVYR+cJ99
Tjz7lB/wlzxmRfX+SL4NAVe1SSB2VeCgU4B0PF6kywELLS8OhCO3HXYXVsz244fW
Gk5UIns86+TFTrfCOMpwYBV0P86zuaa1ZnvCnkhMK1i2pTZ+oX8hUH1Yj5clHuU+
YgC7JfEuTIAX73q2bC/llLvNE9ke1QCoDX3+HAH87ttqutnRWcnnq56PTEqwe+EW
eMA+glB1UG6JAqXxoJET4155arNOny1/ZMprfBr3YXZTiXDF/lSzuMyUtbp526Sf
hsvlnqtE6TCdfKbog0Lxckl+8E9NCq8jzFBKiZhbccrQv3vVaoP6dOsPWcT35Kp1
IjzMLiHIbl4wXOL+Xap/biz3LCM5BMdT/OhW5LUC007zggK71ndRvb9F8ptW83Bv
0Uh9DNv7YIQ0su3JHZEsJ3qPFXQXceP199UiADOGSeV8U1Qig3YKsHUDMuALfFvN
t+NleeJ4qCWao+W4VCfyDfKurVnMj/cThXiDEWEeq5gMOO+6YKBIFWJVKFxUYDbf
MgGdg0nQTUECuXKXxLD4c1HAWH9xi207OnLvhW1Icywp20MsYqOWt0vhg+PRdMBT
DK6STxP18aQxCaOuQN9Vf81LjhXNTeg+xt3mMyViOZPcKfX6/wAC9qLt4MucJDdw
FBfOz2UL2F56dhAYT+1vHoUM
=nzK7
-----END PGP SIGNATURE-----
Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching to
support future vendor provided vfio-pci variants (Yishai Hadas, Max
Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first open,
last close, and device sets (Jason Gunthorpe, Max Gurtovoy, Yishai
Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
* tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio: (37 commits)
vfio/pci: Introduce vfio_pci_core.ko
vfio: Use kconfig if XX/endif blocks instead of repeating 'depends on'
vfio: Use select for eventfd
PCI / VFIO: Add 'override_only' support for VFIO PCI sub system
PCI: Add 'override_only' field to struct pci_device_id
vfio/pci: Move module parameters to vfio_pci.c
vfio/pci: Move igd initialization to vfio_pci.c
vfio/pci: Split the pci_driver code out of vfio_pci_core.c
vfio/pci: Include vfio header in vfio_pci_core.h
vfio/pci: Rename ops functions to fit core namings
vfio/pci: Rename vfio_pci_device to vfio_pci_core_device
vfio/pci: Rename vfio_pci_private.h to vfio_pci_core.h
vfio/pci: Rename vfio_pci.c to vfio_pci_core.c
vfio/ap_ops: Convert to use vfio_register_group_dev()
s390/vfio-ap: replace open coded locks for VFIO_GROUP_NOTIFY_SET_KVM notification
s390/vfio-ap: r/w lock for PQAP interception handler function pointer
vfio/type1: Fix vfio_find_dma_valid return
vfio-pci/zdev: Remove repeated verbose license text
vfio: platform: reset: Convert to SPDX identifier
vfio: Remove struct vfio_device_ops open/release
...
2021-09-02 20:41:33 +00:00
|
|
|
vga_set_legacy_decoding(pdev, vfio_pci_set_decode(pdev, false));
|
2021-03-30 15:53:06 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static void vfio_pci_vga_uninit(struct vfio_pci_core_device *vdev)
|
2021-03-30 15:53:06 +00:00
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
|
|
|
|
|
|
|
|
|
if (!vfio_pci_is_vga(pdev))
|
|
|
|
|
return;
|
VFIO update for v5.15-rc1
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching
to support future vendor provided vfio-pci variants (Yishai Hadas,
Max Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first
open, last close, and device sets (Jason Gunthorpe, Max Gurtovoy,
Yishai Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
-----BEGIN PGP SIGNATURE-----
iQJPBAABCAA5FiEEQvbATlQL0amee4qQI5ubbjuwiyIFAmEvwWkbHGFsZXgud2ls
bGlhbXNvbkByZWRoYXQuY29tAAoJECObm247sIsi+1UP/3CRizghroINVYR+cJ99
Tjz7lB/wlzxmRfX+SL4NAVe1SSB2VeCgU4B0PF6kywELLS8OhCO3HXYXVsz244fW
Gk5UIns86+TFTrfCOMpwYBV0P86zuaa1ZnvCnkhMK1i2pTZ+oX8hUH1Yj5clHuU+
YgC7JfEuTIAX73q2bC/llLvNE9ke1QCoDX3+HAH87ttqutnRWcnnq56PTEqwe+EW
eMA+glB1UG6JAqXxoJET4155arNOny1/ZMprfBr3YXZTiXDF/lSzuMyUtbp526Sf
hsvlnqtE6TCdfKbog0Lxckl+8E9NCq8jzFBKiZhbccrQv3vVaoP6dOsPWcT35Kp1
IjzMLiHIbl4wXOL+Xap/biz3LCM5BMdT/OhW5LUC007zggK71ndRvb9F8ptW83Bv
0Uh9DNv7YIQ0su3JHZEsJ3qPFXQXceP199UiADOGSeV8U1Qig3YKsHUDMuALfFvN
t+NleeJ4qCWao+W4VCfyDfKurVnMj/cThXiDEWEeq5gMOO+6YKBIFWJVKFxUYDbf
MgGdg0nQTUECuXKXxLD4c1HAWH9xi207OnLvhW1Icywp20MsYqOWt0vhg+PRdMBT
DK6STxP18aQxCaOuQN9Vf81LjhXNTeg+xt3mMyViOZPcKfX6/wAC9qLt4MucJDdw
FBfOz2UL2F56dhAYT+1vHoUM
=nzK7
-----END PGP SIGNATURE-----
Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Fix dma-valid return WAITED implementation (Anthony Yznaga)
- SPDX license cleanups (Cai Huoqing)
- Split vfio-pci-core from vfio-pci and enhance PCI driver matching to
support future vendor provided vfio-pci variants (Yishai Hadas, Max
Gurtovoy, Jason Gunthorpe)
- Replace duplicated reflck with core support for managing first open,
last close, and device sets (Jason Gunthorpe, Max Gurtovoy, Yishai
Hadas)
- Fix non-modular mdev support and don't nag about request callback
support (Christoph Hellwig)
- Add semaphore to protect instruction intercept handler and replace
open-coded locks in vfio-ap driver (Tony Krowiak)
- Convert vfio-ap to vfio_register_group_dev() API (Jason Gunthorpe)
* tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio: (37 commits)
vfio/pci: Introduce vfio_pci_core.ko
vfio: Use kconfig if XX/endif blocks instead of repeating 'depends on'
vfio: Use select for eventfd
PCI / VFIO: Add 'override_only' support for VFIO PCI sub system
PCI: Add 'override_only' field to struct pci_device_id
vfio/pci: Move module parameters to vfio_pci.c
vfio/pci: Move igd initialization to vfio_pci.c
vfio/pci: Split the pci_driver code out of vfio_pci_core.c
vfio/pci: Include vfio header in vfio_pci_core.h
vfio/pci: Rename ops functions to fit core namings
vfio/pci: Rename vfio_pci_device to vfio_pci_core_device
vfio/pci: Rename vfio_pci_private.h to vfio_pci_core.h
vfio/pci: Rename vfio_pci.c to vfio_pci_core.c
vfio/ap_ops: Convert to use vfio_register_group_dev()
s390/vfio-ap: replace open coded locks for VFIO_GROUP_NOTIFY_SET_KVM notification
s390/vfio-ap: r/w lock for PQAP interception handler function pointer
vfio/type1: Fix vfio_find_dma_valid return
vfio-pci/zdev: Remove repeated verbose license text
vfio: platform: reset: Convert to SPDX identifier
vfio: Remove struct vfio_device_ops open/release
...
2021-09-02 20:41:33 +00:00
|
|
|
vga_client_unregister(pdev);
|
2021-03-30 15:53:06 +00:00
|
|
|
vga_set_legacy_decoding(pdev, VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM |
|
|
|
|
|
VGA_RSRC_LEGACY_IO |
|
|
|
|
|
VGA_RSRC_LEGACY_MEM);
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
void vfio_pci_core_init_device(struct vfio_pci_core_device *vdev,
|
|
|
|
|
struct pci_dev *pdev,
|
|
|
|
|
const struct vfio_device_ops *vfio_pci_ops)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:05 +00:00
|
|
|
vfio_init_group_dev(&vdev->vdev, &pdev->dev, vfio_pci_ops);
|
|
|
|
|
vdev->pdev = pdev;
|
|
|
|
|
vdev->irq_type = VFIO_PCI_NUM_IRQS;
|
|
|
|
|
mutex_init(&vdev->igate);
|
|
|
|
|
spin_lock_init(&vdev->irqlock);
|
|
|
|
|
mutex_init(&vdev->ioeventfds_lock);
|
|
|
|
|
INIT_LIST_HEAD(&vdev->dummy_resources_list);
|
|
|
|
|
INIT_LIST_HEAD(&vdev->ioeventfds_list);
|
|
|
|
|
mutex_init(&vdev->vma_lock);
|
|
|
|
|
INIT_LIST_HEAD(&vdev->vma_list);
|
|
|
|
|
init_rwsem(&vdev->memory_lock);
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_init_device);
|
2021-08-26 10:39:05 +00:00
|
|
|
|
|
|
|
|
void vfio_pci_core_uninit_device(struct vfio_pci_core_device *vdev)
|
|
|
|
|
{
|
|
|
|
|
mutex_destroy(&vdev->igate);
|
|
|
|
|
mutex_destroy(&vdev->ioeventfds_lock);
|
|
|
|
|
mutex_destroy(&vdev->vma_lock);
|
|
|
|
|
vfio_uninit_group_dev(&vdev->vdev);
|
|
|
|
|
kfree(vdev->region);
|
|
|
|
|
kfree(vdev->pm_save);
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_uninit_device);
|
2021-08-26 10:39:05 +00:00
|
|
|
|
|
|
|
|
int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev)
|
|
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
2012-07-31 14:16:24 +00:00
|
|
|
int ret;
|
|
|
|
|
|
2015-01-07 17:29:11 +00:00
|
|
|
if (pdev->hdr_type != PCI_HEADER_TYPE_NORMAL)
|
2012-07-31 14:16:24 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2018-07-12 22:33:04 +00:00
|
|
|
/*
|
2020-03-24 15:28:28 +00:00
|
|
|
* Prevent binding to PFs with VFs enabled, the VFs might be in use
|
|
|
|
|
* by the host or other users. We cannot capture the VFs if they
|
|
|
|
|
* already exist, nor can we track VF users. Disabling SR-IOV here
|
|
|
|
|
* would initiate removing the VFs, which would unbind the driver,
|
|
|
|
|
* which is prone to blocking if that VF is also in use by vfio-pci.
|
|
|
|
|
* Just reject these PFs and let the user sort it out.
|
2018-07-12 22:33:04 +00:00
|
|
|
*/
|
|
|
|
|
if (pci_num_vf(pdev)) {
|
|
|
|
|
pci_warn(pdev, "Cannot bind to PF with SR-IOV enabled\n");
|
|
|
|
|
return -EBUSY;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:04 +00:00
|
|
|
if (pci_is_root_bus(pdev->bus)) {
|
|
|
|
|
ret = vfio_assign_device_set(&vdev->vdev, vdev);
|
|
|
|
|
} else if (!pci_probe_reset_slot(pdev->slot)) {
|
|
|
|
|
ret = vfio_assign_device_set(&vdev->vdev, pdev->slot);
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* If there is no slot reset support for this device, the whole
|
|
|
|
|
* bus needs to be grouped together to support bus-wide resets.
|
|
|
|
|
*/
|
|
|
|
|
ret = vfio_assign_device_set(&vdev->vdev, pdev->bus);
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-24 15:28:29 +00:00
|
|
|
if (ret)
|
2021-09-24 15:56:51 +00:00
|
|
|
return ret;
|
2021-03-30 15:53:06 +00:00
|
|
|
ret = vfio_pci_vf_init(vdev);
|
2020-03-24 15:28:29 +00:00
|
|
|
if (ret)
|
2021-09-24 15:56:51 +00:00
|
|
|
return ret;
|
2021-03-30 15:53:06 +00:00
|
|
|
ret = vfio_pci_vga_init(vdev);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out_vf;
|
2015-04-07 17:14:41 +00:00
|
|
|
|
2019-02-09 20:43:30 +00:00
|
|
|
vfio_pci_probe_power_state(vdev);
|
|
|
|
|
|
2015-04-07 17:14:46 +00:00
|
|
|
if (!disable_idle_d3) {
|
|
|
|
|
/*
|
|
|
|
|
* pci-core sets the device power state to an unknown value at
|
|
|
|
|
* bootup and after being removed from a driver. The only
|
|
|
|
|
* transition it allows from this unknown state is to D0, which
|
|
|
|
|
* typically happens when a driver calls pci_enable_device().
|
|
|
|
|
* We're not ready to enable the device yet, but we do want to
|
|
|
|
|
* be able to get to D3. Therefore first do a D0 transition
|
|
|
|
|
* before going to D3.
|
|
|
|
|
*/
|
2019-02-09 20:43:30 +00:00
|
|
|
vfio_pci_set_power_state(vdev, PCI_D0);
|
|
|
|
|
vfio_pci_set_power_state(vdev, PCI_D3hot);
|
2015-04-07 17:14:46 +00:00
|
|
|
}
|
|
|
|
|
|
2021-03-30 15:53:07 +00:00
|
|
|
ret = vfio_register_group_dev(&vdev->vdev);
|
2021-03-30 15:53:06 +00:00
|
|
|
if (ret)
|
|
|
|
|
goto out_power;
|
|
|
|
|
return 0;
|
2020-03-24 15:28:29 +00:00
|
|
|
|
2021-03-30 15:53:06 +00:00
|
|
|
out_power:
|
|
|
|
|
if (!disable_idle_d3)
|
|
|
|
|
vfio_pci_set_power_state(vdev, PCI_D0);
|
2021-03-30 15:53:06 +00:00
|
|
|
out_vf:
|
|
|
|
|
vfio_pci_vf_uninit(vdev);
|
2020-03-24 15:28:29 +00:00
|
|
|
return ret;
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_register_device);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
void vfio_pci_core_unregister_device(struct vfio_pci_core_device *vdev)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
2021-08-26 10:39:05 +00:00
|
|
|
struct pci_dev *pdev = vdev->pdev;
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2020-03-24 15:28:28 +00:00
|
|
|
pci_disable_sriov(pdev);
|
|
|
|
|
|
2021-03-30 15:53:07 +00:00
|
|
|
vfio_unregister_group_dev(&vdev->vdev);
|
2020-03-24 15:28:28 +00:00
|
|
|
|
2021-03-30 15:53:06 +00:00
|
|
|
vfio_pci_vf_uninit(vdev);
|
|
|
|
|
vfio_pci_vga_uninit(vdev);
|
2018-12-12 19:51:07 +00:00
|
|
|
|
2019-02-09 20:43:30 +00:00
|
|
|
if (!disable_idle_d3)
|
|
|
|
|
vfio_pci_set_power_state(vdev, PCI_D0);
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_unregister_device);
|
2012-07-31 14:16:24 +00:00
|
|
|
|
2013-03-11 15:31:22 +00:00
|
|
|
static pci_ers_result_t vfio_pci_aer_err_detected(struct pci_dev *pdev,
|
|
|
|
|
pci_channel_state_t state)
|
|
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *vdev;
|
2013-03-11 15:31:22 +00:00
|
|
|
struct vfio_device *device;
|
|
|
|
|
|
|
|
|
|
device = vfio_device_get_from_dev(&pdev->dev);
|
|
|
|
|
if (device == NULL)
|
|
|
|
|
return PCI_ERS_RESULT_DISCONNECT;
|
|
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
vdev = container_of(device, struct vfio_pci_core_device, vdev);
|
2013-03-11 15:31:22 +00:00
|
|
|
|
2014-01-14 23:12:55 +00:00
|
|
|
mutex_lock(&vdev->igate);
|
|
|
|
|
|
2013-03-11 15:31:22 +00:00
|
|
|
if (vdev->err_trigger)
|
|
|
|
|
eventfd_signal(vdev->err_trigger, 1);
|
|
|
|
|
|
2014-01-14 23:12:55 +00:00
|
|
|
mutex_unlock(&vdev->igate);
|
|
|
|
|
|
2013-03-11 15:31:22 +00:00
|
|
|
vfio_device_put(device);
|
|
|
|
|
|
|
|
|
|
return PCI_ERS_RESULT_CAN_RECOVER;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
int vfio_pci_core_sriov_configure(struct pci_dev *pdev, int nr_virtfn)
|
2020-03-24 15:28:28 +00:00
|
|
|
{
|
|
|
|
|
struct vfio_device *device;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
device = vfio_device_get_from_dev(&pdev->dev);
|
|
|
|
|
if (!device)
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
|
|
|
|
if (nr_virtfn == 0)
|
|
|
|
|
pci_disable_sriov(pdev);
|
|
|
|
|
else
|
|
|
|
|
ret = pci_enable_sriov(pdev, nr_virtfn);
|
|
|
|
|
|
|
|
|
|
vfio_device_put(device);
|
|
|
|
|
|
|
|
|
|
return ret < 0 ? ret : nr_virtfn;
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_sriov_configure);
|
2020-03-24 15:28:28 +00:00
|
|
|
|
2021-08-26 10:39:05 +00:00
|
|
|
const struct pci_error_handlers vfio_pci_core_err_handlers = {
|
2013-03-11 15:31:22 +00:00
|
|
|
.error_detected = vfio_pci_aer_err_detected,
|
|
|
|
|
};
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_err_handlers);
|
2013-03-11 15:31:22 +00:00
|
|
|
|
2021-08-26 10:39:02 +00:00
|
|
|
static bool vfio_dev_in_groups(struct vfio_pci_core_device *vdev,
|
2021-08-06 01:19:06 +00:00
|
|
|
struct vfio_pci_group_info *groups)
|
2014-08-07 17:12:07 +00:00
|
|
|
{
|
2021-08-06 01:19:06 +00:00
|
|
|
unsigned int i;
|
2014-08-07 17:12:07 +00:00
|
|
|
|
2021-08-06 01:19:06 +00:00
|
|
|
for (i = 0; i < groups->count; i++)
|
|
|
|
|
if (groups->groups[i] == vdev->vdev.group)
|
|
|
|
|
return true;
|
|
|
|
|
return false;
|
2014-08-07 17:12:07 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
static int vfio_pci_is_device_in_set(struct pci_dev *pdev, void *data)
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
{
|
2021-08-06 01:19:05 +00:00
|
|
|
struct vfio_device_set *dev_set = data;
|
|
|
|
|
struct vfio_device *cur;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
list_for_each_entry(cur, &dev_set->device_list, dev_set_list)
|
|
|
|
|
if (cur->dev == &pdev->dev)
|
|
|
|
|
return 0;
|
|
|
|
|
return -EBUSY;
|
|
|
|
|
}
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
/*
|
|
|
|
|
* vfio-core considers a group to be viable and will create a vfio_device even
|
|
|
|
|
* if some devices are bound to drivers like pci-stub or pcieport. Here we
|
|
|
|
|
* require all PCI devices to be inside our dev_set since that ensures they stay
|
|
|
|
|
* put and that every driver controlling the device can co-ordinate with the
|
|
|
|
|
* device reset.
|
|
|
|
|
*
|
|
|
|
|
* Returns the pci_dev to pass to pci_reset_bus() if every PCI device to be
|
|
|
|
|
* reset is inside the dev_set, and pci_reset_bus() can succeed. NULL otherwise.
|
|
|
|
|
*/
|
|
|
|
|
static struct pci_dev *
|
|
|
|
|
vfio_pci_dev_set_resettable(struct vfio_device_set *dev_set)
|
|
|
|
|
{
|
|
|
|
|
struct pci_dev *pdev;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
lockdep_assert_held(&dev_set->lock);
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
|
|
|
|
/*
|
2021-08-06 01:19:05 +00:00
|
|
|
* By definition all PCI devices in the dev_set share the same PCI
|
|
|
|
|
* reset, so any pci_dev will have the same outcomes for
|
|
|
|
|
* pci_probe_reset_*() and pci_reset_bus().
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
*/
|
2021-08-26 10:39:02 +00:00
|
|
|
pdev = list_first_entry(&dev_set->device_list,
|
|
|
|
|
struct vfio_pci_core_device,
|
2021-08-06 01:19:05 +00:00
|
|
|
vdev.dev_set_list)->pdev;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
/* pci_reset_bus() is supported */
|
|
|
|
|
if (pci_probe_reset_slot(pdev->slot) && pci_probe_reset_bus(pdev->bus))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (vfio_pci_for_each_slot_or_bus(pdev, vfio_pci_is_device_in_set,
|
|
|
|
|
dev_set,
|
|
|
|
|
!pci_probe_reset_slot(pdev->slot)))
|
|
|
|
|
return NULL;
|
|
|
|
|
return pdev;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:06 +00:00
|
|
|
/*
|
|
|
|
|
* We need to get memory_lock for each device, but devices can share mmap_lock,
|
|
|
|
|
* therefore we need to zap and hold the vma_lock for each device, and only then
|
|
|
|
|
* get each memory_lock.
|
|
|
|
|
*/
|
|
|
|
|
static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
|
|
|
|
|
struct vfio_pci_group_info *groups)
|
|
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *cur_mem;
|
|
|
|
|
struct vfio_pci_core_device *cur_vma;
|
|
|
|
|
struct vfio_pci_core_device *cur;
|
2021-08-06 01:19:06 +00:00
|
|
|
struct pci_dev *pdev;
|
|
|
|
|
bool is_mem = true;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&dev_set->lock);
|
|
|
|
|
cur_mem = list_first_entry(&dev_set->device_list,
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device,
|
|
|
|
|
vdev.dev_set_list);
|
2021-08-06 01:19:06 +00:00
|
|
|
|
|
|
|
|
pdev = vfio_pci_dev_set_resettable(dev_set);
|
|
|
|
|
if (!pdev) {
|
|
|
|
|
ret = -EINVAL;
|
|
|
|
|
goto err_unlock;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
list_for_each_entry(cur_vma, &dev_set->device_list, vdev.dev_set_list) {
|
|
|
|
|
/*
|
|
|
|
|
* Test whether all the affected devices are contained by the
|
|
|
|
|
* set of groups provided by the user.
|
|
|
|
|
*/
|
|
|
|
|
if (!vfio_dev_in_groups(cur_vma, groups)) {
|
|
|
|
|
ret = -EINVAL;
|
|
|
|
|
goto err_undo;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Locking multiple devices is prone to deadlock, runaway and
|
|
|
|
|
* unwind if we hit contention.
|
|
|
|
|
*/
|
|
|
|
|
if (!vfio_pci_zap_and_vma_lock(cur_vma, true)) {
|
|
|
|
|
ret = -EBUSY;
|
|
|
|
|
goto err_undo;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
cur_vma = NULL;
|
|
|
|
|
|
|
|
|
|
list_for_each_entry(cur_mem, &dev_set->device_list, vdev.dev_set_list) {
|
|
|
|
|
if (!down_write_trylock(&cur_mem->memory_lock)) {
|
|
|
|
|
ret = -EBUSY;
|
|
|
|
|
goto err_undo;
|
|
|
|
|
}
|
|
|
|
|
mutex_unlock(&cur_mem->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
cur_mem = NULL;
|
|
|
|
|
|
|
|
|
|
ret = pci_reset_bus(pdev);
|
|
|
|
|
|
|
|
|
|
err_undo:
|
|
|
|
|
list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list) {
|
|
|
|
|
if (cur == cur_mem)
|
|
|
|
|
is_mem = false;
|
|
|
|
|
if (cur == cur_vma)
|
|
|
|
|
break;
|
|
|
|
|
if (is_mem)
|
|
|
|
|
up_write(&cur->memory_lock);
|
|
|
|
|
else
|
|
|
|
|
mutex_unlock(&cur->vma_lock);
|
|
|
|
|
}
|
|
|
|
|
err_unlock:
|
|
|
|
|
mutex_unlock(&dev_set->lock);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
static bool vfio_pci_dev_set_needs_reset(struct vfio_device_set *dev_set)
|
|
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *cur;
|
2021-08-06 01:19:05 +00:00
|
|
|
bool needs_reset = false;
|
|
|
|
|
|
|
|
|
|
list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list) {
|
|
|
|
|
/* No VFIO device in the set can have an open device FD */
|
|
|
|
|
if (cur->vdev.open_count)
|
|
|
|
|
return false;
|
|
|
|
|
needs_reset |= cur->needs_reset;
|
|
|
|
|
}
|
|
|
|
|
return needs_reset;
|
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
Accessing the disabled memory space of a PCI device would typically
result in a master abort response on conventional PCI, or an
unsupported request on PCI express. The user would generally see
these as a -1 response for the read return data and the write would be
silently discarded, possibly with an uncorrected, non-fatal AER error
triggered on the host. Some systems however take it upon themselves
to bring down the entire system when they see something that might
indicate a loss of data, such as this discarded write to a disabled
memory space.
To avoid this, we want to try to block the user from accessing memory
spaces while they're disabled. We start with a semaphore around the
memory enable bit, where writers modify the memory enable state and
must be serialized, while readers make use of the memory region and
can access in parallel. Writers include both direct manipulation via
the command register, as well as any reset path where the internal
mechanics of the reset may both explicitly and implicitly disable
memory access, and manipulation of the MSI-X configuration, where the
MSI-X vector table resides in MMIO space of the device. Readers
include the read and write file ops to access the vfio device fd
offsets as well as memory mapped access. In the latter case, we make
use of our new vma list support to zap, or invalidate, those memory
mappings in order to force them to be faulted back in on access.
Our semaphore usage will stall user access to MMIO spaces across
internal operations like reset, but the user might experience new
behavior when trying to access the MMIO space while disabled via the
PCI command register. Access via read or write while disabled will
return -EIO and access via memory maps will result in a SIGBUS. This
is expected to be compatible with known use cases and potentially
provides better error handling capabilities than present in the
hardware, while avoiding the more readily accessible and severe
platform error responses that might otherwise occur.
Fixes: CVE-2020-12888
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2020-04-22 19:48:11 +00:00
|
|
|
}
|
|
|
|
|
|
2014-08-07 17:12:07 +00:00
|
|
|
/*
|
2021-08-06 01:19:05 +00:00
|
|
|
* If a bus or slot reset is available for the provided dev_set and:
|
2018-12-12 19:51:07 +00:00
|
|
|
* - All of the devices affected by that bus or slot reset are unused
|
|
|
|
|
* - At least one of the affected devices is marked dirty via
|
|
|
|
|
* needs_reset (such as by lack of FLR support)
|
2021-08-06 01:19:05 +00:00
|
|
|
* Then attempt to perform that bus or slot reset.
|
|
|
|
|
* Returns true if the dev_set was reset.
|
2014-08-07 17:12:07 +00:00
|
|
|
*/
|
2021-08-06 01:19:05 +00:00
|
|
|
static bool vfio_pci_dev_set_try_reset(struct vfio_device_set *dev_set)
|
2014-08-07 17:12:07 +00:00
|
|
|
{
|
2021-08-26 10:39:02 +00:00
|
|
|
struct vfio_pci_core_device *cur;
|
2021-08-06 01:19:05 +00:00
|
|
|
struct pci_dev *pdev;
|
|
|
|
|
int ret;
|
2014-09-29 23:18:39 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
if (!vfio_pci_dev_set_needs_reset(dev_set))
|
|
|
|
|
return false;
|
2018-12-12 19:51:07 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
pdev = vfio_pci_dev_set_resettable(dev_set);
|
|
|
|
|
if (!pdev)
|
|
|
|
|
return false;
|
2015-04-07 17:14:46 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
ret = pci_reset_bus(pdev);
|
|
|
|
|
if (ret)
|
|
|
|
|
return false;
|
2015-04-07 17:14:46 +00:00
|
|
|
|
2021-08-06 01:19:05 +00:00
|
|
|
list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list) {
|
|
|
|
|
cur->needs_reset = false;
|
|
|
|
|
if (!disable_idle_d3)
|
|
|
|
|
vfio_pci_set_power_state(cur, PCI_D3hot);
|
2014-09-29 23:18:39 +00:00
|
|
|
}
|
2021-08-06 01:19:05 +00:00
|
|
|
return true;
|
2014-08-07 17:12:07 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:07 +00:00
|
|
|
void vfio_pci_core_set_params(bool is_nointxmask, bool is_disable_vga,
|
|
|
|
|
bool is_disable_idle_d3)
|
|
|
|
|
{
|
|
|
|
|
nointxmask = is_nointxmask;
|
|
|
|
|
disable_vga = is_disable_vga;
|
|
|
|
|
disable_idle_d3 = is_disable_idle_d3;
|
|
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
EXPORT_SYMBOL_GPL(vfio_pci_core_set_params);
|
2021-08-26 10:39:07 +00:00
|
|
|
|
2021-08-26 10:39:12 +00:00
|
|
|
static void vfio_pci_core_cleanup(void)
|
2012-07-31 14:16:24 +00:00
|
|
|
{
|
|
|
|
|
vfio_pci_uninit_perm_bits();
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-26 10:39:12 +00:00
|
|
|
static int __init vfio_pci_core_init(void)
|
2015-04-07 17:14:43 +00:00
|
|
|
{
|
2021-03-30 15:54:21 +00:00
|
|
|
/* Allocate shared config space permission data used by all devices */
|
2021-08-26 10:39:05 +00:00
|
|
|
return vfio_pci_init_perm_bits();
|
2012-07-31 14:16:24 +00:00
|
|
|
}
|
2021-08-26 10:39:12 +00:00
|
|
|
|
|
|
|
|
module_init(vfio_pci_core_init);
|
|
|
|
|
module_exit(vfio_pci_core_cleanup);
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL v2");
|
|
|
|
|
MODULE_AUTHOR(DRIVER_AUTHOR);
|
|
|
|
|
MODULE_DESCRIPTION(DRIVER_DESC);
|