If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1[1
If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.
Reported-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 56 ++---
1 file changed, 53 insertions(+), 3 deletions(-)
diff --git
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
Parri (Microsoft) (3):
Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3
Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce
CHANNELMSG_MODIFYCHANNEL_RESPONSE
Drivers: hv: vmbus: Check for pending channel interrupts before taking
a CPU offline
drivers/hv/channel.c
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since RFC:
- pass sentinel values for {init,reset}_request
Check that enough time has passed such that the modify channel message
has been processed before taking a CPU offline.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/hv.c | 49 +
1 file changed, 49 insertions(+)
diff --git a/drivers/hv
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code
to receive and process such a message.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 99 ---
drivers/hv/channel_mgmt.c | 42 +
drivers/hv
changes
[1] https://lkml.kernel.org/r/20201126191210.13115-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (3):
Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3
Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce
CHANNELMSG_MODIFYCHANNEL_RESPONSE
Drivers: hv: vmbus: Check
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to
negotiate the new version on versions of Hyper-V that support it.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/connection.c | 3 ++-
include/linux/hyperv.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 9 ++--
drivers/hv
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 14 +++---
drivers/hv/ring_buffer.c | 12
conditional/debug-only.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
Fixes: e8b7db38449ac ("Drivers: hv: vmbus: Add vmbus_requestor data structure
for VMBus hardening")
---
drivers/hv/ring_buffer.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/hv/ring_
' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui
Suggested-by: Haiyang Zhang
Signed-off-by: Andrea Parri (Microsoft)
Fixes: 505e3f00c3f36 ("hv_netvsc
Fix the typo.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the
receive buffer")
---
drivers/net/hyperv/rndis_filter.c | 2 +-
1 file
arios from occurring in the future.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values")
---
drivers/net/hyperv/net
by a malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_buf().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jaku
Patch #2 also addresses the Smatch complaint reported here:
https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/
Thanks,
Andrea
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (2):
hv_netvsc: Allocate the recv_buf buf
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 38 ++
include/linux/hyperv.h| 1 +
2 files changed, 39 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..f0ed730e2e4e4
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Reviewed-by: Haiyang Zhang
Cc: "David S. Miller"
Cc: Jakub Ki
Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolatio
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
Changes since v1 [1]:
- copy ce
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolation Configuration leaf
Drivers: hv: vmbus: Restrict vmbus_devices on isolated
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/net/hyperv/hyperv_ne
: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: net...@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Iso
and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 36
include/linux/hyperv.h| 1 +
2 files changed, 37 insertions(+)
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 68950a1e4b638..774ee19e3e90d
are not supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
drivers/
), and 'NONE' (no isolation).
Signed-off-by: Andrea Parri (Microsoft)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
---
arch/x86/hyperv/hv_init.c | 15 +++
arch/x
Restrict the protocol version(s) that will be negotiated with the host
to be 5.2 or greater if the guest is running isolated. This reduces the
footprint of the code that will be exercised by Confidential VMs and
hence the exposure to bugs and vulnerabilities.
Signed-off-by: Andrea Parri
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
Check that the packet is of the expected size at least, don't copy data
past the packet.
Reported-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.
-by: Dexuan Cui
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 45 +-
1 file changed, 25 insertions(+), 20 deletions(-)
diff
-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
tch 1/3 emerged from internal review of these
two patches and is a related fix.
Thanks,
Andrea
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
Andrea Parri (Microsoft) (3):
scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and
. Let's put the new validation aside until a proper
solution for that race condition is in place.
Signed-off-by: Andrea Parri (Microsoft)
Cc: Dexuan Cui
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
drivers/scsi/storvsc_drv.c | 5 -
Since the message is in memory shared with the host, an erroneous or a
malicious Hyper-V could 'corrupt' the message while vmbus_on_msg_dpc()
or individual message handlers are executing. To prevent it, copy the
message into private memory.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
---
Changes since v2:
- Add Reviewed-by: tag
drivers/hv/channel.c | 4 ++--
1 file changed
to a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
not allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Release channel_mutex before 'return' in vmbus_onoffer() error path
drivers/hv/channel_mgmt.c | 40 +--
drivers/hv
Simplify the function by removing various references to the hv_message
'msg', introduce local variables 'msgtype' and 'payload_size'.
Suggested-by: Juan Vazquez
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v2:
- Squash patches #2 and #3
- Revisit
Integrating feedback from Juan, Michael and Wei. [1] Changelogs are
inline/in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201202092214.13520-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (6):
Drivers: hv: vmbus: Initialize memory to be sent to the host
Drivers: hv
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
Reported-by: Juan Vazquez
Signed-off-by:
to a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft
The hv_message object is in memory shared with the host. To prevent
an erroneous or a malicious host from 'corrupting' such object, copy
the object into private memory.
Suggested-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 26
not allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since v1:
- Don't corrupt oldchannel if offer->child_relid is invalid
drivers/hv/channel_mgmt.c | 38 --
drivers
Hi all,
This is v2 of [1], integrating feedback from Juan and Wei and adding
patch 4/7 (after Juan's suggestion). Changelogs are in the patches.
Thanks,
Andrea
[1] https://lkml.kernel.org/r/20201118143649.108465-1-parri.and...@gmail.com
Andrea Parri (Microsoft) (7):
Drivers: hv: vmbus
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b
ing the value of msgtype into a local variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 0a2711aa63
a CHANNELMSG_MODIFYCHANNEL message associated to that CPU."
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE(24) message type,
which embodies the type of the CHANNELMSG_MODIFYCHANNEL ACK.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 108 +
Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]). Check that the number of
allocated sub-channels fits into the expected range.
Suggested-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Check that the packet is of the expected size at least, don't copy
data past the packet.
Reported-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.org
---
Based on hyperv-
to a use-after-free. Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 12
include
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft
not allow overwriting an entry vmbus_connection.channels[].
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 30 ++
drivers/hv/hyperv_vmbus.h | 2 +-
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/drivers/hv
, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b
ree can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 3 +--
1 file changed
ing the value of msgtype into a local variable.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 0a2711aa63
Hi all,
This set is a continuation of the work for hardening the VMBus drivers
against an erroneous or malicious host. This is based on hyperv-next.
Thanks,
Andrea
Andrea Parri (Microsoft) (6):
Drivers: hv: vmbus: Initialize memory to be sent to the host
Drivers: hv: vmbus: Avoid double
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
of the icversion_data
array in vmbus_prep_negotiate_resp().
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
Changes in v3:
- Add size check for icframe_vercnt and icmsg_vercnt
Changes in v2:
- Use ratelimited form of kernel
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinsk
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is
a
bad request ID that is then treated as the address of a guest data
structure with no validation. Instead, encapsulate these memory
addresses and provide small integers as request IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
d
a
bad request ID that is then treated as the address of a guest data
structure with no validation. Instead, encapsulate these memory
addresses and provide small integers as request IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-
Hi all,
This is a resubmission of:
https://lkml.kernel.org/r/20200907161920.71460-1-parri.and...@gmail.com
based on 5.10-rc2.
Andrea
Cc: James E.J. Bottomley
Cc: Martin K. Petersen
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-s...@vger.kernel.org
Cc: net...@vger.kernel.org
, or
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
, or
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
of the icversion_data
array in vmbus_prep_negotiate_resp().
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
Changes in v3:
- Add size check for icframe_vercnt and icmsg_vercnt (Saruhan)
Changes in v2:
- Use ratelimited form of kernel logging
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: net...@vger.kernel.org
---
Changes in v7:
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-s...@vger.kernel.o
a
bad request ID that is then treated as the address of a guest data
structure with no validation. Instead, encapsulate these memory
addresses and provide small integers as request IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is
The field is read only in numa_node_show() and it is already stored twice
(after a call to cpu_to_node()) in target_cpu_store() and init_vp_index();
there is no need to "cache" its value in the channel data structure.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_
Additions/deletions to/from sc_list (as well as modifications of
target_cpu(s)) are protected by channel_mutex, which hv_synic_cleanup()
and vmbus_bus_suspend() own for the duration of the channel->lock
critical section in question.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/h
ff-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 6 +-
drivers/hv/channel_mgmt.c | 1 -
include/linux/hyperv.h| 6 --
3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
index 8848d1548b3f2..3ebda7707e46a 100644
---
itical section with a channel_mutex critical section
and extend the latter to include the loads of target_cpu; this same
pattern is also used in hv_synic_cleanup().
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff
None of the readers/updaters of sc_list rely on channel->lock for
synchronization.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel_mgmt.c | 25 ++---
1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/drivers/hv/channel_mgmt.c b/drivers
-specific) stor_chns[] array from the
"generic" VMBus code and data structures, clarifying the scope of
this synchronization mechanism.
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/scsi/storvsc_drv.c | 16 +++-
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git
nnel->lock, which is actually *removed
by the end of this series! ;-)
I'm sure there is room for further "cleanups", ;-) but let me check
if these (relatively small) changes make sense first...
Thanks,
Andrea
Andrea Parri (Microsoft) (8):
Drivers: hv: vmbus: Remove t
A slight improvement in readability, and this does also remove one
memory access when NR_CPUS == 1! ;-)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/vmbus_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index
The field is read only in __vmbus_open() and it is already stored twice
(after a call to hv_cpu_number_to_vp_number()) in target_cpu_store() and
init_vp_index(); there is no need to "cache" its value in the channel
data structure.
Suggested-by: Michael Kelley
Signed-off-by: An
ed to a delayed work, to give channels of such device
more chances to be opened. As in vmbus_balance_vp_indexes_at_cpuhp(),
the balancing is applied to "performance" channels only, and it relies
on the (new) capability to re-assign a channel interrupt.
Suggested-by: Nuno Das Neves
Signed-o
sibility in such scheme (where devices/channels are mapped only "one
at a time"/as they are offered, with the end result that globally the
various interrupts are not always evenly spread across CPUs).
Andrea Parri (Microsoft) (2):
Drivers: hv: vmbus: Re-balance channel interrupts acro
terrupt to a CPU (cf., the CHANNELMSG_MODIFYCHANNEL
message type). As such, the new balancing process is effective starting
with VMBus version 4.1 (no changes in semantics or behavior are intended
for VMBus versions lower than 4.1).
Suggested-by: Nuno Das Neves
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/
prefer to handle these...)
Thanks,
Andrea
Andrea Parri (Microsoft) (2):
Drivers: hv: vmbus: Resolve race between init_vp_index() and CPU
hotplug
Drivers: hv: vmbus: Resolve more races involving init_vp_index()
drivers/hv/channel_mgmt.c | 66