| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jan 2018 18:13:26 +0530
From: Ganesh Goudar <ganeshgr@...lsio.com>
To: Arjun Vynipadath <arjun@...lsio.com>
Cc: bhelgaas@...gle.com, linux-pci@...r.kernel.org,
linux-kernel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, leedom@...lsio.com, santosh@...lsio.com,
nirranjan@...lsio.com, kumaras@...lsio.com,
swise@...ngridcomputing.com, hare@...e.de
Subject: Re: [REGRESSION, bisect] pci: cxgb4 probe fails after commit
104daa71b3961434 ("PCI: Determine actual VPD size on first access")
+Hannes Reinecke
On Tuesday, January 01/23/18, 2018 at 17:59:09 +0530, Arjun Vynipadath wrote:
> Sending on behalf of "Casey Leedom <leedom@...lsio.com>"
>
> Way back on April 11, 2016 we reported a regression in Linux kernel 4.6-rc2
> brought on by kernel.org commit 104daa71b396. This commit calculates the
> size of a PCI Device's VPD area by parsing the VPD Structure at offset 0x000,
> and restricts accesses to the VPD to that computed size.
>
> Our devices have a second VPD structure which is located starting at offset
> 0x400 which is the "real" VPD[1]. The 104daa71b396 commit (plus a follow on
> commit 408641e93aa5) caused efforts to read past the end of that computed
> length of the VPD to return silently without error leaving stack junk in the
> VPD read buffers.
>
> We introduced kernel.org commit cb92148b to allow a driver to tell the
> kernel how large the VPD area really is, introducing a new API
> pci_set_vpd_size() for this purpose.
>
> Now we've discovered a new subtlety to the problem.
>
> We have a KVM Hypervisor running a 4.9.70 kernel. So it has all of the
> above commits. When we attach our Physical Function 4 to a Virtual Machine
> and attempt to run cxgb4 in that VM, we see the problem again. The issue is
> that all of the VM Guest OS's efforts to access the PCIe VPD Capability are
> trapped into the KVM 4.9.70 kernel and executed there, with the results
> routed back to the VM Guest OS. The cxgb4 driver in the VM Guest OS uses
> the new pci_set_vpd_size() to notify the OS of the true size of the VPD, but
> that information of course is never sent to the KVM 4.9.70 Hypervisor.
> (And, truth be told, if the Guest OS were older than 4.6, it wouldn't even
> know that it needed to do this.) The result is that again we get silent VPD
> read failures with random stack garbage in the VPD read buffers. (sigh)
>
> It strikes me that the only way to handle this issue is to have KVM
> circumvent the VPD-Size Restricted logic which was added in kernel.org
> commits 104daa71b396 and 408641e93aa5. Maybe via a __pci_read_vpd() or
> similar API. But we are open to other suggestions.
>
> Thoughts?
>
> Casey.
>
> [1] Chelsio adapters actually have two VPD structures stored in the VPD. An
> abbreviated on at Offset 0x0 and the complete VPD at Offset 0x400. The
> abbreviated one only contains the PN, SN and EC Keywords, while the
> complete VPD contains those plus various adapter constants contained in
> V0, V1, etc. And it also contains the Base Ethernet MAC Address in the
> "NA" Keyword which the cxgb4 driver needs when it can't contact the
> adapter firmware. (We don't have the "NA" Keyword in the VPD Structure
> at Offset 0x000 because that's not an allowed VPD Keyword in the PCI-E
> 3.0 specification.)
>
> Note that two other drivers look like they may also do something
> similar, the Broadcom bnx2x and tg3.
Powered by blists - more mailing lists