lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <DM6PR18MB26023C300BF91C6A57591252CD8F9@DM6PR18MB2602.namprd18.prod.outlook.com>
Date:   Fri, 31 Mar 2023 08:56:59 +0000
From:   Geethasowjanya Akula <gakula@...vell.com>
To:     Leon Romanovsky <leon@...nel.org>
CC:     Sai Krishna Gajula <saikrishnag@...vell.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Sunil Kovvuri Goutham <sgoutham@...vell.com>,
        "richardcochran@...il.com" <richardcochran@...il.com>
Subject: RE: [EXT] Re: [net PATCH 1/7] octeontx2-af: Secure APR table update
 with the lock



>-----Original Message-----
>From: Leon Romanovsky <leon@...nel.org> 
>Sent: Thursday, March 30, 2023 12:46 PM
>To: Geethasowjanya Akula <gakula@...vell.com>
>Cc: Sai Krishna Gajula <saikrishnag@...vell.com>; davem@...emloft.net; edumazet@...gle.com; kuba@...nel.org; pabeni@...hat.com; netdev@...r.kernel.org; linux-kernel@...r.kernel.org; Sunil >Kovvuri Goutham <sgoutham@...vell.com>; richardcochran@...il.com
>Subject: Re: [EXT] Re: [net PATCH 1/7] octeontx2-af: Secure APR table update with the lock
>
>On Thu, Mar 30, 2023 at 06:56:54AM +0000, Geethasowjanya Akula wrote:
>> 
>> >-----Original Message-----
>> >From: Leon Romanovsky <leon@...nel.org>
>> >Sent: Thursday, March 30, 2023 11:26 AM
>> >To: Sai Krishna Gajula <saikrishnag@...vell.com>
>> >Cc: davem@...emloft.net; edumazet@...gle.com; kuba@...nel.org; 
>> >pabeni@...hat.com; netdev@...r.kernel.org; 
>> >linux-kernel@...r.kernel.org; Sunil Kovvuri Goutham 
>> ><sgoutham@...vell.com>; >richardcochran@...il.com; Geethasowjanya 
>> >Akula <gakula@...vell.com>
>> >Subject: [EXT] Re: [net PATCH 1/7] octeontx2-af: Secure APR table 
>> >update with the lock
>> 
>> >External Email
>> 
>> >---------------------------------------------------------------------
>> >- On Wed, Mar 29, 2023 at 10:36:13PM +0530, Sai Krishna wrote:
>> >> From: Geetha sowjanya <gakula@...vell.com>
>> >> 
>> >> APR table contains the lmtst base address of PF/VFs.
>> >> These entries are updated by the PF/VF during the device probe. Due 
>> >> to race condition while updating the entries are getting corrupted. 
>> >> Hence secure the APR table update with the lock.
>> 
>> >However, I don't see rsrc_lock in probe path.
>> >otx2_probe()
>> >-> cn10k_lmtst_init()
>> > -> lmt_base/lmstst is updated with and without mbox.lock.
>> 
>> >Where did you take rsrc_lock in probe flow?
>> 
>> rsrc_lock is initialized in AF driver. PF/VF driver in cn10k_lmtst_init() send a mbox request to AF to update the lmtst table. 
>> mbox handler in AF takes rsrc_lock to update lmtst table.

>Can you please present the stack trace of such flow? What are the actual variables/struct rsrc_lock is protecting?

The lock tries to protect the request and response register at line#73 and line#83 in below function, from getting overwritten when
Multiple PFs invokes rvu_get_lmtaddr() simultaneously. 
For example, if PF1 submit the request at line#73 and got permitted before it reads the response at line#80.
PF2 got scheduled submit the request then the response of PF1 is overwritten by the PF2 response.  
When PF1 gets reschedule, it reads wrong data.

#static int rvu_get_lmtaddr(struct rvu *rvu, u16 pcifunc,
  59                            u64 iova, u64 *lmt_addr)
  60 {
  61        [...]
  68 
  69         rvu_write64(rvu, BLKADDR_RVUM, RVU_AF_SMMU_ADDR_REQ, iova);
  70         pf = rvu_get_pf(pcifunc) & 0x1F;
  71         val = BIT_ULL(63) | BIT_ULL(14) | BIT_ULL(13) | pf << 8 |
  72               ((pcifunc & RVU_PFVF_FUNC_MASK) & 0xFF);
  73         rvu_write64(rvu, BLKADDR_RVUM, RVU_AF_SMMU_TXN_REQ, val);
  74 
  75         err = rvu_poll_reg(rvu, BLKADDR_RVUM, RVU_AF_SMMU_ADDR_RSP_STS, BIT_ULL(0), false);
  76         if (err) {
  77                 dev_err(rvu->dev, "%s LMTLINE iova transulation failed\n", __func__);
  78                 return err;
  79         }
  80         val = rvu_read64(rvu, BLKADDR_RVUM, RVU_AF_SMMU_ADDR_RSP_STS);
  81         if (val & ~0x1ULL) {
  82                 dev_err(rvu->dev, "%s LMTLINE iova transulation failed err:%llx\n", __func__, val);
  83                 return -EIO;
  84         }
  85         
  
Thanks.
>>Thanks

>> 
>> Thanks,
>> Geetha.
>> 
>> >Thanks
>> 
>> >> 
>> >> Fixes: 893ae97214c3 ("octeontx2-af: cn10k: Support configurable 
>> >> LMTST
>> >> regions")
>> >> Signed-off-by: Geetha sowjanya <gakula@...vell.com>
>> >> Signed-off-by: Sunil Kovvuri Goutham <sgoutham@...vell.com>
>> >> Signed-off-by: Sai Krishna <saikrishnag@...vell.com>
>> >> ---
>> >>  drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 8 +++++---
>> >>  1 file changed, 5 insertions(+), 3 deletions(-)
>> >> 
>> >> diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>> >> b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>> >> index 4ad9ff025c96..8530250f6fba 100644
>> >> --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>> >> +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>> >> @@ -142,16 +142,17 @@ int rvu_mbox_handler_lmtst_tbl_setup(struct rvu *rvu,
>> >>  	 * region, if so, convert that IOVA to physical address and
>> >>  	 * populate LMT table with that address
>> >>  	 */
>> >> +	mutex_lock(&rvu->rsrc_lock);
>> >>  	if (req->use_local_lmt_region) {
>> >>  		err = rvu_get_lmtaddr(rvu, req->hdr.pcifunc,
>> >>  				      req->lmt_iova, &lmt_addr);
>> >>  		if (err < 0)
>> >> -			return err;
>> >> +			goto error;
>> >>  
>> >>  		/* Update the lmt addr for this PFFUNC in the LMT table */
>> >>  		err = rvu_update_lmtaddr(rvu, req->hdr.pcifunc, lmt_addr);
>> >>  		if (err)
>> >> -			return err;
>> >> +			goto error;
>> >>  	}
>> >>  
>> >>  	/* Reconfiguring lmtst map table in lmt region shared mode i.e. 
>> >> make @@ -181,7 +182,7 @@ int rvu_mbox_handler_lmtst_tbl_setup(struct rvu *rvu,
>> >>  		 */
>> >>  		err = rvu_update_lmtaddr(rvu, req->hdr.pcifunc, val);
>> >>  		if (err)
>> >> -			return err;
>> >> +			goto error;
>> >>  	}
>> >>  
>> >>  	/* This mailbox can also be used to update word1 of 
>> >> APR_LMT_MAP_ENTRY_S @@ -230,6 +231,7 @@ int rvu_mbox_handler_lmtst_tbl_setup(struct rvu *rvu,
>> >>  	}
>> >>  
>> >>  error:
>> >> +	mutex_unlock(&rvu->rsrc_lock);
>> >>  	return err;
>> >>  }
>> >>  
>> >> --
>> >> 2.25.1
>> >> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ