he stop_machine() patching
> function and emit a local icache flush there.
>
> Co-developed-by: Björn Töpel
> Signed-off-by: Björn Töpel
> Signed-off-by: Alexandre Ghiti
Modulo the removal of the hunk discussed with Samuel,
Reviewed-by: Andrea Parri
Some nits / amendment
On Wed, Feb 28, 2024 at 06:51:48PM +0100, Alexandre Ghiti wrote:
> This memory barrier is not needed and not documented so simply remove
> it.
>
> Suggested-by: Andrea Parri
> Signed-off-by: Alexandre Ghiti
Reviewed-by: Andrea Parri
Andrea
> I did not even think of that, and it actually makes sense so I'll go
> with what you propose: I'll replace atomic_inc() with
> atomic_inc_return_release(). And I'll add the following comment if
> that's ok with you:
>
> "Make sure the patching store is effective *before* we increment the
>
> +static int __ftrace_modify_code(void *data)
> +{
> + struct ftrace_modify_param *param = data;
> +
> + if (atomic_inc_return(>cpu_count) == num_online_cpus()) {
> + ftrace_modify_all_code(param->command);
> + atomic_inc(>cpu_count);
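Review bot: the atomic_inc() on cpu_count that follows ftrace_modify_all_code() implies no memory ordering, so nothing in this hunk guarantees that the patching stores are visible before the counter update is observed. If other CPUs use cpu_count to learn that patching has finished, this increment needs release semantics (or an explicit barrier before it). It also needs a comment naming the read it pairs with.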
I stared at
If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1[1
On Fri, Apr 16, 2021 at 03:25:03PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Friday, April
> 16, 2021 7:40 AM
> >
> > If a malicious or compromised Hyper-V sends a spurious message of type
> > CHANNELMSG_UNLOAD_RESPONSE, the functi
If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 56 ++---
1 file changed, 53 insertions(+), 3 deletions(-)
diff --git
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
checks in send_modifychannel_with_ack()
- remove unneeded test in hv_synic_event_pending()
- add/amend inline comments
- style changes
[1] https://lkml.kernel.org/r/20210414150118.2843-1-parri.and...@gmail.com
[2] https://lkml.kernel.org/r/20201126191210.13115-1-parri.and...@gmail.com
Andrea
> > @@ -336,6 +372,19 @@ int hv_synic_cleanup(unsigned int cpu)
> > if (channel_found && vmbus_connection.conn_state == CONNECTED)
> > return -EBUSY;
> >
> > + if (vmbus_proto_version >= VERSION_WIN10_V4_1) {
> > + /*
> > +* channel_found == false means
> > @@ -234,6 +234,7 @@ static inline u32 hv_get_avail_to_write_percent(
> > * 5 . 0 (Newer Windows 10)
> > * 5 . 1 (Windows 10 RS4)
> > * 5 . 2 (Windows Server 2019, RS5)
> > + * 5 . 3 (Windows Server 2021) // FIXME: use proper version number/name
>
> The official name is now public
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since RFC:
- pass sentinel values for {init,reset}_request
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 49 +
1 file changed, 49 insertions(+)
diff --git a/drivers/hv
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42 +
drivers/hv
changes
[1] https://lkml.kernel.org/r/20201126191210.13115-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (3):
Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3
Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce
CHANNELMSG_MODIFYCHANNEL_RESPONSE
Drivers: hv: vmbus: Check
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
rom the
> list, and then free it.
>
> Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues")
> Signed-off-by: Dan Carpenter
I had this 'queued' in my list,
Reviewed-by: Andrea Parri
Andrea
> ---
> From static analysis. Untested etc. There
On Fri, Apr 09, 2021 at 03:38:14PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Thursday, April
> 8, 2021 9:13 AM
> >
> > Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
> > all issues with allocating enough entrie
On Fri, Apr 09, 2021 at 03:49:00PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Thursday, April
> 8, 2021 9:15 AM
> >
> > Pointers to ring-buffer packets sent by Hyper-V are used within the
> > guest VM. Hyper-V can send packets with erroneous val
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 9 ++--
drivers/hv
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 14 +++---
drivers/hv/ring_buffer.c | 12
Hi Olaf,
On Mon, Mar 29, 2021 at 06:37:21PM +0200, Olaf Hering wrote:
> On Thu, Dec 17, Andrea Parri (Microsoft) wrote:
>
> > Check that the packet is of the expected size at least, don't copy data
> > past the packet.
>
> > + if (hv_pkt_datalen(desc) &
conditional/debug-only.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
Fixes: e8b7db38449ac ("Drivers: hv: vmbus: Add vmbus_requestor data structure
for VMBus hardening")
---
drivers/hv/ring_buffer.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/hv/ring_
' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui
Suggested-by: Haiyang Zhang
Signed-off-by: Andrea Parri (Microsoft)
Fixes: 505e3f00c3f36 ("hv_netvsc
On Wed, Feb 24, 2021 at 02:16:00PM +0100, Andrea Parri wrote:
> On Wed, Feb 24, 2021 at 07:50:08AM -0500, Sasha Levin wrote:
> > From: "Andrea Parri (Microsoft)"
> >
> > [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
> >
> > _
On Wed, Feb 24, 2021 at 07:55:12AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
>
> An erroneous or malicious host could send multiple rescind messages for
> the same channel. In vmbus_
On Wed, Feb 24, 2021 at 07:51:56AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
>
> __vmbus_open() and vmbus_teardown_gpadl() do not initialize the memory
> for th
On Wed, Feb 24, 2021 at 07:51:57AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
>
> An erroneous or malicious host could send multiple rescind messages for
> the same channel. In vmbus_
On Wed, Feb 24, 2021 at 07:53:30AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
>
> An erroneous or malicious host could send multiple rescind messages for
> the same channel. In vmbus_
On Wed, Feb 24, 2021 at 07:54:29AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
>
> An erroneous or malicious host could send multiple rescind messages for
> the same channel. In vmbus_
On Wed, Feb 24, 2021 at 07:50:09AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
>
> An erroneous or malicious host could send multiple rescind messages for
> the same channel. In vmbus_
On Wed, Feb 24, 2021 at 07:50:08AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
>
> __vmbus_open() and vmbus_teardown_gpadl() do not initialize the memory
> for th
Hi all,
I'm reporting two regressions following certain VMBus/VSCs hardening changes
we've been discussing 'recently'; unfortunately, the first regression already
touched/affects mainline while the second one is in hyperv-next:
1) [mainline]
The first regression manifests with the following
Fix the typo.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the
receive buffer")
---
drivers/net/hyperv/rndis_filter.c | 2 +-
1 file
arios from occurring in the future.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values")
---
drivers/net/hyperv/net
by a malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_buf().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jaku
Patch #2 also addresses the Smatch complaint reported here:
https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/
Thanks,
Andrea
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (2):
hv_netvsc: Allocate the recv_buf buf
On Tue, Feb 02, 2021 at 11:45:49AM -0800, Jakub Kicinski wrote:
> On Tue, 2 Feb 2021 09:18:43 +0100 Andrea Parri wrote:
> > Hi net maintainers,
> >
> >
> > On Sat, Jan 30, 2021 at 12:50:06AM +,
> > patchwork-bot+netdev...@kernel.org wrote:
> > >
Hi net maintainers,
On Sat, Jan 30, 2021 at 12:50:06AM +, patchwork-bot+netdev...@kernel.org
wrote:
> Hello:
>
> This patch was applied to netdev/net-next.git (refs/heads/master):
>
> On Tue, 26 Jan 2021 17:29:07 +0100 you wrote:
> > Pointers to receive-buffer packets sent by Hyper-V are
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 38 ++
include/linux/hyperv.h| 1 +
2 files changed, 39 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..f0ed730e2e4e4
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Reviewed-by: Haiyang Zhang
Cc: "David S. Miller"
Cc: Jakub Ki
Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolatio
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
Changes since v1 [1]:
- copy ce
On Tue, Jan 26, 2021 at 12:38:47PM +0100, Andrea Parri (Microsoft) wrote:
> Pointers to receive-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are processed by the guest. To defen
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolation Configuration leaf
Drivers: hv: vmbus: Restrict vmbus_devices on isolated
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/net/hyperv/hyperv_ne
> > > > @@ -544,7 +545,8 @@ static int negotiate_nvsp_ver(struct hv_device
> > > > *device,
> > > > init_packet->msg.v2_msg.send_ndis_config.capability.ieee8021q =
> > > > 1;
> > > >
> > > > if (nvsp_ver >= NVSP_PROTOCOL_VERSION_5) {
> > > > -
> > > >
> > @@ -544,7 +545,8 @@ static int negotiate_nvsp_ver(struct hv_device
> > *device,
> > init_packet->msg.v2_msg.send_ndis_config.capability.ieee8021q = 1;
> >
> > if (nvsp_ver >= NVSP_PROTOCOL_VERSION_5) {
> > - init_packet->msg.v2_msg.send_ndis_config.capability.sriov =
> > 1;
: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Iso
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
On Sun, Jan 17, 2021 at 03:10:32PM +, Wei Liu wrote:
> On Sat, Jan 16, 2021 at 02:02:01PM +0100, Andrea Parri wrote:
> > On Fri, Jan 15, 2021 at 08:30:22PM -0800, Jakub Kicinski wrote:
> > > On Thu, 14 Jan 2021 21:26:28 +0100 Andrea Parri (Microsoft) wrote:
> > >
On Fri, Jan 15, 2021 at 08:30:22PM -0800, Jakub Kicinski wrote:
> On Thu, 14 Jan 2021 21:26:28 +0100 Andrea Parri (Microsoft) wrote:
> > For additional robustness in the face of Hyper-V errors or malicious
> > behavior, validate all values that originate from packets that Hyper
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
On Wed, Dec 23, 2020 at 02:47:56AM +, Michael Kelley wrote:
> From: Sasha Levin Sent: Tuesday, December 22, 2020 6:22 PM
> >
> > From: "Andrea Parri (Microsoft)"
> >
> > [ Upstream commit 206ad34d52a2f1205c84d08c12fc116aad0eb407 ]
> >
> &
Check that the packet is of the expected size at least, don't copy data
past the packet.
Reported-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.
-by: Dexuan Cui
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 45 +-
1 file changed, 25 insertions(+), 20 deletions(-)
diff
-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
tch 1/3 emerged from internal review of these
two patches and is a related fix.
Thanks,
Andrea
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Andrea Parri (Microsoft) (3):
scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and
Hi Sasha,
On Sat, Dec 12, 2020 at 11:07:56AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)"
>
> [ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]
FYI, we found that this commit introduced a regression and posted a
revert:
https:
. Let's put the new validation aside until a proper
solution for that race condition is in place.
Signed-off-by: Andrea Parri (Microsoft)
Cc: Dexuan Cui
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 5 -
Since the message is in memory shared with the host, an erroneous or a
malicious Hyper-V could 'corrupt' the message while vmbus_on_msg_dpc()
or individual message handlers are executing. To prevent it, copy the
message into private memory.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
Changes since v2:
- Add Reviewed-by: tag
drivers/hv/channel.c | 4 ++--
1 file changed
to a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
not allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Release channel_mutex before 'return' in vmbus_onoffer() error path
drivers/hv/channel_mgmt.c | 40 +--
drivers/hv
Simplify the function by removing various references to the hv_message
'msg', introduce local variables 'msgtype' and 'payload_size'.
Suggested-by: Juan Vazquez
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Squash patches #2 and #3
- Revisit
Integrating feedback from Juan, Michael and Wei. [1] Changelogs are
inline/in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201202092214.13520-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (6):
Drivers: hv: vmbus: Initialize memory to be sent to the host
Drivers: hv
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
> > @@ -419,17 +446,52 @@ static u32 hv_pkt_iter_avail(const struct
> > hv_ring_buffer_info *rbi)
> > struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel
> > *channel)
> > {
> > struct hv_ring_buffer_info *rbi = >inbound;
> > - struct vmpacket_descriptor *desc;
> > +
On Sun, Dec 06, 2020 at 06:39:39PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Wednesday,
> December 2, 2020 1:22 AM
> >
> > The hv_message object is in memory shared with the host. To prevent
> > an erroneous or a malicious host from 'corru
On Sun, Dec 06, 2020 at 05:14:18PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Wednesday,
> November 18, 2020 6:37 AM
> >
> > vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
> > can lead to a buffer overflow when (mem)copyi
On Sun, Dec 06, 2020 at 05:10:26PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Wednesday,
> November 18, 2020 6:37 AM
> >
> > vmbus_on_msg_dpc() double fetches from msgtype. The double fetch can
> > lead to an out-of-bound access when accessing t
On Sun, Dec 06, 2020 at 04:59:32PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Wednesday,
> November 18, 2020 6:37 AM
> >
> > __vmbus_open() and vmbus_teardown_gpadl() do not initialize the memory
> > for the vm
On Wed, Dec 02, 2020 at 01:40:04PM +, Wei Liu wrote:
> On Wed, Dec 02, 2020 at 02:37:16PM +0100, Andrea Parri wrote:
> > > > @@ -1072,12 +1073,19 @@ void vmbus_on_msg_dpc(unsigned long data)
> > > > /* no msg */
>
> > @@ -1072,12 +1073,19 @@ void vmbus_on_msg_dpc(unsigned long data)
> > /* no msg */
> > return;
> >
> > + /*
> > +* The hv_message object is in memory shared with the host. The host
> > +* could erroneously or maliciously modify such object. Make sure to
>
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
to a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft
The hv_message object is in memory shared with the host. To prevent
an erroneous or a malicious host from 'corrupting' such object, copy
the object into private memory.
Suggested-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 26
not allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1:
- Don't corrupt oldchannel if offer->child_relid is invalid
drivers/hv/channel_mgmt.c | 38 --
drivers
Hi all,
This is v2 of [1], integrating feedback from Juan and Wei and adding
patch 4/7 (after Juan's suggestion). Changelogs are in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201118143649.108465-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (7):
Drivers: hv: vmbus
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b
ing the value of msgtype into a local variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 0a2711aa63
On Sun, Nov 29, 2020 at 06:29:55PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Thursday,
> November 26, 2020 11:12 AM
> >
> > Quoting from commit 7527810573436f ("Drivers: hv: vmbus: Introduce
> > the CHANNELMSG_MODIFYCHANNEL message type"
a CHANNELMSG_MODIFYCHANNEL message associated to that CPU."
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE(24) message type,
which embodies the type of the CHANNELMSG_MODIFYCHANNEL ACK.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 108 +
On Tue, Nov 24, 2020 at 04:26:33PM +, Wei Liu wrote:
> On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote:
> > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
> > invoke put_device(), that will eventually release the device and fr
On Mon, Nov 09, 2020 at 11:07:27AM +0100, Andrea Parri (Microsoft) wrote:
> From: Andres Beltran
>
> Pointers to ring-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are process
On Mon, Nov 09, 2020 at 11:07:04AM +0100, Andrea Parri (Microsoft) wrote:
> From: Andres Beltran
>
> For additional robustness in the face of Hyper-V errors or malicious
> behavior, validate all values that originate from packets that Hyper-V
> has sent to the guest in the hos