Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 14 +++---
drivers/hv/ring_buffer.c | 12
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 9 ++--
drivers/hv
malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_buf().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc:
Patch #2 also addresses the Smatch complaint reported here:
https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/
Thanks,
Andrea
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (2):
hv_netvsc: Allocate the recv_buf buf
Fix the typo.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the
receive buffer")
---
drivers/net/hyperv/rndis_filter.c | 2 +-
1 file
arios from occurring in the future.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values")
---
drivers/net/hyperv/net
i.and...@gmail.com
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Reviewed-by: Haiyang Zhang
Cc: "David S. Miller"
Cc: Jakub Ki
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 38 ++
include/linux/hyperv.h| 1 +
2 files changed, 39 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..f0ed730e2e4e4
ware-based isolation), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c
. Let's put the new validation aside until a proper
solution for that race condition is in place.
Signed-off-by: Andrea Parri (Microsoft)
Cc: Dexuan Cui
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
ware-based isolation), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/
vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
# cvm
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/sa
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since RFC:
- pass sentinel values for {init,reset}_request in
.com
Andrea Parri (Microsoft) (3):
Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3
Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce
CHANNELMSG_MODIFYCHANNEL_RESPONSE
Drivers: hv: vmbus: Check for pending channel interrupts before taking
a CPU offline
driver
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 56 ++---
1 file changed, 53 insertions(+), 3 deletions(-)
diff --git
If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv
ents
- style changes
[1] https://lkml.kernel.org/r/20201126191210.13115-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (3):
Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3
Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce
CHANNELMSG_MODIFYCHANNEL_RESPONSE
Drivers
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42 +
drivers/hv
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 49 +
1 file changed, 49 insertions(+)
diff --git a/drivers/hv
If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1[1
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 3 +--
1 file changed
a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft
the value of msgtype into a local variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 0a2711aa63
allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 30 ++
drivers/hv/hyperv_vmbus.h | 2 +-
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/drivers/hv
Hi all,
This set is a continuation of the work for hardening the VMBus drivers
against an erroneous or malicious host. This is based on hyperv-next.
Thanks,
Andrea
Andrea Parri (Microsoft) (6):
Drivers: hv: vmbus: Initialize memory to be sent to the host
Drivers: hv: vmbus: Avoid double
Check that the packet is of the expected size at least, don't copy
data past the packet.
Reported-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
Based on hy
Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]). Check that the number of
allocated sub-channels fits into the expected range.
Suggested-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Simplify the function by removing various references to the hv_message
'msg', introduce local variables 'msgtype' and 'payload_size'.
Suggested-by: Juan Vazquez
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Squash
Integrating feedback from Juan, Michael and Wei. [1] Changelogs are
inline/in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201202092214.13520-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (6):
Drivers: hv: vmbus: Initialize memory to be sent to the host
Drivers: hv
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
Changes since v2:
- Add Reviewed-by: tag
drivers/hv/channel.c | 4 ++--
1 file changed
Since the message is in memory shared with the host, an erroneous or a
malicious Hyper-V could 'corrupt' the message while vmbus_on_msg_dpc()
or individual message handlers are executing. To prevent it, copy the
message into private memory.
Reported-by: Juan Vazquez
Signed-off-by: An
a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Release channel_mutex before 'return' in vmbus_onoffer() error path
drivers/hv/channel_mgmt.c | 40 +--
ed-by: Dexuan Cui
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 45 +-
1 file changed, 25 insertions(+), 20 deletions(-)
ui
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/sto
Check that the packet is of the expected size at least, don't copy data
past the packet.
Reported-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc
tch 1/3 emerged from internal review of these
two patches and is a related fix.
Thanks,
Andrea
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Andrea Parri (Microsoft) (3):
scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and new
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b
the value of msgtype into a local variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 0a2711aa63
a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
The hv_message object is in memory shared with the host. To prevent
an erroneous or a malicious host from 'corrupting' such object, copy
the object into private memory.
Suggested-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_
allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1:
- Don't corrupt oldchannel if offer->child_relid is invalid
drivers/hv/channel_mgmt.c | 38 --
dr
Hi all,
This is v2 of [1], integrating feedback from Juan and Wei and adding
patch 4/7 (after Juan's suggestion). Changelogs are in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201118143649.108465-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (7):
Drivers: hv:
nsfer_page' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui
Suggested-by: Haiyang Zhang
Signed-off-by: Andrea Parri (Microsoft)
Fixes: 505e3f00c3f36 (
made conditional/debug-only.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
Fixes: e8b7db38449ac ("Drivers: hv: vmbus: Add vmbus_requestor data structure
for VMBus hardening")
---
drivers/hv/ring_buffer.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/hv/
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/net/hyperv/hyperv_ne
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.
vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolation Configuration leaf
Drivers: hv: vmbus: Restrict vmbus_devices on isolated
ware-based isolation), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
Changes since v1 [1]:
- copy certain
cessing
a CHANNELMSG_MODIFYCHANNEL message associated to that CPU."
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE(24) message type,
which embodies the type of the CHANNELMSG_MODIFYCHANNEL ACK.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 108 +++
sibility in such scheme (where devices/channels are mapped only "one
at a time"/as they are offered, with the end result that globally the
various interrupts are not always evenly spread across CPUs).
Andrea Parri (Microsoft) (2):
Drivers: hv: vmbus: Re-balance channel interrupts acro
t to a CPU (cf., the CHANNELMSG_MODIFYCHANNEL
message type). As such, the new balancing process is effective starting
with VMBus version 4.1 (no changes in semantics or behavior are intended
for VMBus versions lower than 4.1).
Suggested-by: Nuno Das Neves
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/
o a delayed work, to give channels of such device
more chances to be opened. As in vmbus_balance_vp_indexes_at_cpuhp(),
the balancing is applied to "performance" channels only, and it relies
on the (new) capability to re-assign a channel interrupt.
Suggested-by: Nuno Das Neves
Signed-o
dling of the
target CPUs (that are now always modified with channel_mutex held).
Fixes: d570aec0f2154e ("Drivers: hv: vmbus: Synchronize init_vp_index() vs. CPU
hotplug")
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 46 +++--
uted by parsing the
channel's offer, in the channel structure itself.
Fixes: 7527810573436f ("Drivers: hv: vmbus: Introduce the
CHANNELMSG_MODIFYCHANNEL message type")
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 22
'd prefer to handle these...)
Thanks,
Andrea
Andrea Parri (Microsoft) (2):
Drivers: hv: vmbus: Resolve race between init_vp_index() and CPU
hotplug
Drivers: hv: vmbus: Resolve more races involving init_vp_index()
drivers/hv/channel_mgmt.c
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.o
bad request ID that is then treated as the address of a guest data
structure with no validation. Instead, encapsulate these memory
addresses and provide small integers as request IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
Changes in v7:
Hi all,
This is a resubmission of:
https://lkml.kernel.org/r/20200907161920.71460-1-parri.and...@gmail.com
based on 5.10-rc2.
Andrea
Cc: James E.J. Bottomley
Cc: Martin K. Petersen
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-s...@vger.kernel.org
Cc: net...@vger.kernel.org
Andre
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
d
bad request ID that is then treated as the address of a guest data
structure with no validation. Instead, encapsulate these memory
addresses and provide small integers as request IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinsk
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
icversion_data
array in vmbus_prep_negotiate_resp().
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
Changes in v3:
- Add size check for icframe_vercnt and icmsg_vercnt
Changes in v2:
- Use ratelimited form of kernel
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
icversion_data
array in vmbus_prep_negotiate_resp().
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
Changes in v3:
- Add size check for icframe_vercnt and icmsg_vercnt (Saruhan)
Changes in v2:
- Use ratelimited form of kernel logging
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
A slight improvement in readability, and this does also remove one
memory access when NR_CPUS == 1! ;-)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index
The field is read only in __vmbus_open() and it is already stored twice
(after a call to hv_cpu_number_to_vp_number()) in target_cpu_store() and
init_vp_index(); there is no need to "cache" its value in the channel
data structure.
Suggested-by: Michael Kelley
Signed-off-by: An
ous cleanups for channel->lock, which is actually *removed
by the end of this series! ;-)
I'm sure there is room for further "cleanups", ;-) but let me check
if these (relatively small) changes make sense first...
Thanks,
Andrea
Andrea Parri (Microsoft) (8):
Drivers
None of the readers/updaters of sc_list rely on channel->lock for
synchronization.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 25 ++---
1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/drivers/hv/channel_mgmt.c b/drivers
orvsc-specific) stor_chns[] array from the
"generic" VMBus code and data structures, clarifying the scope of
this synchronization mechanism.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/scsi/storvsc_drv.c | 16 +++-
1 file changed, 11 insertions(+), 5 deletions(-)
diff
ck critical section with a channel_mutex critical section
and extend the latter to include the loads of target_cpu; this same
pattern is also used in hv_synic_cleanup().
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
ff-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 6 +-
drivers/hv/channel_mgmt.c | 1 -
include/linux/hyperv.h| 6 --
3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
index 8848d1548b3f2..3ebda7707e46a 100644
---