Message-ID: <YPW5/jndPPpnpWYo@hazel>
Date:   Mon, 19 Jul 2021 18:44:30 +0100
From:   Jamie Iles <jamie@...iainc.com>
To:     jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com
Cc:     netdev@...r.kernel.org
Subject: IXGBE VF DMA error handling bug(?)

Hi folks,

Whilst reviewing the IXGBE driver I found a potential bug for VF DMA 
error handling.

83c61fa97a7d ("ixgbe: Add protection from VF invalid target DMA") added 
a workaround for an invalid VF DMA address that would read the TLP 
header from the PCIe RP to get the requester ID and then reset the 
originating VF.  144384649dc1 ("ixgbe: Check config reads for removal") 
then added checks for removal when performing config accesses, but 
changed:

 bdev = pdev->bus->self;                                        
 while (bdev && (pci_pcie_type(bdev) != PCI_EXP_TYPE_ROOT_PORT))
         bdev = bdev->bus->self;                                

...

-       pci_read_config_dword(bdev, pos + PCI_ERR_HEADER_LOG, &dw0);      
-       pci_read_config_dword(bdev, pos + PCI_ERR_HEADER_LOG + 4, &dw1);  
-       pci_read_config_dword(bdev, pos + PCI_ERR_HEADER_LOG + 8, &dw2);  
-       pci_read_config_dword(bdev, pos + PCI_ERR_HEADER_LOG + 12, &dw3); 
+       dw0 = ixgbe_read_pci_cfg_dword(hw, pos + PCI_ERR_HEADER_LOG);     
+       dw1 = ixgbe_read_pci_cfg_dword(hw, pos + PCI_ERR_HEADER_LOG + 4); 
+       dw2 = ixgbe_read_pci_cfg_dword(hw, pos + PCI_ERR_HEADER_LOG + 8); 
+       dw3 = ixgbe_read_pci_cfg_dword(hw, pos + PCI_ERR_HEADER_LOG + 12);
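
Review bot: The four added reads take hw instead of bdev, so the header log is no longer read from the device that the while loop above walks up to (the root port), even though the offset is still pos + PCI_ERR_HEADER_LOG. If pos was looked up in bdev's config space, that offset is not guaranteed to point at a header log in the NIC's own space, and the values in dw0..dw3 would not describe the faulting request. Suggest keeping pci_read_config_dword(bdev, ...) for these four reads and handling the removal check as a separate step, for example by testing the return value of each read, and adding a short comment that the reads deliberately target the root port.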

so now the header is being read from NIC config space rather than the 
root port.

If correct, the fix should be as simple as reverting those accessor 
changes in ixgbe_io_error_detected.

Thanks,

Jamie
