From: Greg Kroah-Hartman Date: Wed, 15 May 2024 07:41:24 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v4.19.314~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9fa6b84680a92b5281af8d3d56cf57802cc617a1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: dmaengine-idxd-add-a-new-security-check-to-deal-with-a-hardware-erratum.patch dmaengine-idxd-add-a-write-method-for-applications-to-submit-work.patch keys-fix-overwrite-of-key-expiration-on-instantiation.patch vfio-add-the-spr_dsa-and-spr_iax-devices-to-the-denylist.patch --- diff --git a/queue-6.8/dmaengine-idxd-add-a-new-security-check-to-deal-with-a-hardware-erratum.patch b/queue-6.8/dmaengine-idxd-add-a-new-security-check-to-deal-with-a-hardware-erratum.patch new file mode 100644 index 00000000000..900a9e4bb42 --- /dev/null +++ b/queue-6.8/dmaengine-idxd-add-a-new-security-check-to-deal-with-a-hardware-erratum.patch @@ -0,0 +1,97 @@ +From e11452eb071b2a8e6ba52892b2e270bbdaa6640d Mon Sep 17 00:00:00 2001 +From: Arjan van de Ven +Date: Wed, 24 Apr 2024 14:43:22 +0000 +Subject: dmaengine: idxd: add a new security check to deal with a hardware erratum + +From: Arjan van de Ven + +commit e11452eb071b2a8e6ba52892b2e270bbdaa6640d upstream. + +On Sapphire Rapids and related platforms, the DSA and IAA devices have an +erratum that causes direct access (for example, by using the ENQCMD or +MOVDIR64 instructions) from untrusted applications to be a security problem. + +To solve this, add a flag to the PCI device enumeration and device structures +to indicate the presence/absence of this security exposure. In the mmap() +method of the device, this flag is then used to enforce that the user +has the CAP_SYS_RAWIO capability. + +In a future patch, a write() based method will be added that allows untrusted +applications submit work to the accelerator, where the kernel can do +sanity checking on the user input to ensure secure operation of the accelerator. + +Signed-off-by: Arjan van de Ven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/cdev.c | 12 ++++++++++++ + drivers/dma/idxd/idxd.h | 3 +++ + drivers/dma/idxd/init.c | 4 ++++ + 3 files changed, 19 insertions(+) + +--- a/drivers/dma/idxd/cdev.c ++++ b/drivers/dma/idxd/cdev.c +@@ -400,6 +400,18 @@ static int idxd_cdev_mmap(struct file *f + int rc; + + dev_dbg(&pdev->dev, "%s called\n", __func__); ++ ++ /* ++ * Due to an erratum in some of the devices supported by the driver, ++ * direct user submission to the device can be unsafe. ++ * (See the INTEL-SA-01084 security advisory) ++ * ++ * For the devices that exhibit this behavior, require that the user ++ * has CAP_SYS_RAWIO capabilities. ++ */ ++ if (!idxd->user_submission_safe && !capable(CAP_SYS_RAWIO)) ++ return -EPERM; ++ + rc = check_vma(wq, vma, __func__); + if (rc < 0) + return rc; +--- a/drivers/dma/idxd/idxd.h ++++ b/drivers/dma/idxd/idxd.h +@@ -288,6 +288,7 @@ struct idxd_driver_data { + int evl_cr_off; + int cr_status_off; + int cr_result_off; ++ bool user_submission_safe; + load_device_defaults_fn_t load_device_defaults; + }; + +@@ -374,6 +375,8 @@ struct idxd_device { + + struct dentry *dbgfs_dir; + struct dentry *dbgfs_evl_file; ++ ++ bool user_submission_safe; + }; + + static inline unsigned int evl_ent_size(struct idxd_device *idxd) +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -47,6 +47,7 @@ static struct idxd_driver_data idxd_driv + .align = 32, + .dev_type = &dsa_device_type, + .evl_cr_off = offsetof(struct dsa_evl_entry, cr), ++ .user_submission_safe = false, /* See INTEL-SA-01084 security advisory */ + .cr_status_off = offsetof(struct dsa_completion_record, status), + .cr_result_off = offsetof(struct dsa_completion_record, result), + }, +@@ -57,6 +58,7 @@ static struct idxd_driver_data idxd_driv + .align = 64, + .dev_type = &iax_device_type, + .evl_cr_off = offsetof(struct iax_evl_entry, cr), ++ .user_submission_safe = false, /* See INTEL-SA-01084 security advisory */ + .cr_status_off = offsetof(struct iax_completion_record, status), + .cr_result_off = offsetof(struct iax_completion_record, error_code), + .load_device_defaults = idxd_load_iaa_device_defaults, +@@ -774,6 +776,8 @@ static int idxd_pci_probe(struct pci_dev + dev_info(&pdev->dev, "Intel(R) Accelerator Device (v%x)\n", + idxd->hw.version); + ++ idxd->user_submission_safe = data->user_submission_safe; ++ + return 0; + + err_dev_register: diff --git a/queue-6.8/dmaengine-idxd-add-a-write-method-for-applications-to-submit-work.patch b/queue-6.8/dmaengine-idxd-add-a-write-method-for-applications-to-submit-work.patch new file mode 100644 index 00000000000..5e0e2e73371 --- /dev/null +++ b/queue-6.8/dmaengine-idxd-add-a-write-method-for-applications-to-submit-work.patch @@ -0,0 +1,164 @@ +From 6827738dc684a87ad54ebba3ae7f3d7c977698eb Mon Sep 17 00:00:00 2001 +From: Nikhil Rao +Date: Wed, 24 Apr 2024 15:16:12 +0000 +Subject: dmaengine: idxd: add a write() method for applications to submit work + +From: Nikhil Rao + +commit 6827738dc684a87ad54ebba3ae7f3d7c977698eb upstream. + +After the patch to restrict the use of mmap() to CAP_SYS_RAWIO for +the currently existing devices, most applications can no longer make +use of the accelerators as in production "you don't run things as root". + +To keep the DSA and IAA accelerators usable, hook up a write() method +so that applications can still submit work. In the write method, +sufficient input validation is performed to avoid the security issue +that required the mmap CAP_SYS_RAWIO check. + +One complication is that the DSA device allows for indirect ("batched") +descriptors. There is no reasonable way to do the input validation +on these indirect descriptors so the write() method will not allow these +to be submitted to the hardware on affected hardware, and the sysfs +enumeration of support for the opcode is also removed. + +Early performance data shows that the performance delta for most common +cases is within the noise. + +Signed-off-by: Nikhil Rao +Signed-off-by: Arjan van de Ven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/cdev.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++ + drivers/dma/idxd/sysfs.c | 27 ++++++++++++++++++- + 2 files changed, 90 insertions(+), 2 deletions(-) + +--- a/drivers/dma/idxd/cdev.c ++++ b/drivers/dma/idxd/cdev.c +@@ -426,6 +426,70 @@ static int idxd_cdev_mmap(struct file *f + vma->vm_page_prot); + } + ++static int idxd_submit_user_descriptor(struct idxd_user_context *ctx, ++ struct dsa_hw_desc __user *udesc) ++{ ++ struct idxd_wq *wq = ctx->wq; ++ struct idxd_dev *idxd_dev = &wq->idxd->idxd_dev; ++ const uint64_t comp_addr_align = is_dsa_dev(idxd_dev) ? 0x20 : 0x40; ++ void __iomem *portal = idxd_wq_portal_addr(wq); ++ struct dsa_hw_desc descriptor __aligned(64); ++ int rc; ++ ++ rc = copy_from_user(&descriptor, udesc, sizeof(descriptor)); ++ if (rc) ++ return -EFAULT; ++ ++ /* ++ * DSA devices are capable of indirect ("batch") command submission. ++ * On devices where direct user submissions are not safe, we cannot ++ * allow this since there is no good way for us to verify these ++ * indirect commands. ++ */ ++ if (is_dsa_dev(idxd_dev) && descriptor.opcode == DSA_OPCODE_BATCH && ++ !wq->idxd->user_submission_safe) ++ return -EINVAL; ++ /* ++ * As per the programming specification, the completion address must be ++ * aligned to 32 or 64 bytes. If this is violated the hardware ++ * engine can get very confused (security issue). ++ */ ++ if (!IS_ALIGNED(descriptor.completion_addr, comp_addr_align)) ++ return -EINVAL; ++ ++ if (wq_dedicated(wq)) ++ iosubmit_cmds512(portal, &descriptor, 1); ++ else { ++ descriptor.priv = 0; ++ descriptor.pasid = ctx->pasid; ++ rc = idxd_enqcmds(wq, portal, &descriptor); ++ if (rc < 0) ++ return rc; ++ } ++ ++ return 0; ++} ++ ++static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t len, ++ loff_t *unused) ++{ ++ struct dsa_hw_desc __user *udesc = (struct dsa_hw_desc __user *)buf; ++ struct idxd_user_context *ctx = filp->private_data; ++ ssize_t written = 0; ++ int i; ++ ++ for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) { ++ int rc = idxd_submit_user_descriptor(ctx, udesc + i); ++ ++ if (rc) ++ return written ? written : rc; ++ ++ written += sizeof(struct dsa_hw_desc); ++ } ++ ++ return written; ++} ++ + static __poll_t idxd_cdev_poll(struct file *filp, + struct poll_table_struct *wait) + { +@@ -448,6 +512,7 @@ static const struct file_operations idxd + .open = idxd_cdev_open, + .release = idxd_cdev_release, + .mmap = idxd_cdev_mmap, ++ .write = idxd_cdev_write, + .poll = idxd_cdev_poll, + }; + +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -1197,12 +1197,35 @@ static ssize_t wq_enqcmds_retries_store( + static struct device_attribute dev_attr_wq_enqcmds_retries = + __ATTR(enqcmds_retries, 0644, wq_enqcmds_retries_show, wq_enqcmds_retries_store); + ++static ssize_t op_cap_show_common(struct device *dev, char *buf, unsigned long *opcap_bmap) ++{ ++ ssize_t pos; ++ int i; ++ ++ pos = 0; ++ for (i = IDXD_MAX_OPCAP_BITS/64 - 1; i >= 0; i--) { ++ unsigned long val = opcap_bmap[i]; ++ ++ /* On systems where direct user submissions are not safe, we need to clear out ++ * the BATCH capability from the capability mask in sysfs since we cannot support ++ * that command on such systems. ++ */ ++ if (i == DSA_OPCODE_BATCH/64 && !confdev_to_idxd(dev)->user_submission_safe) ++ clear_bit(DSA_OPCODE_BATCH % 64, &val); ++ ++ pos += sysfs_emit_at(buf, pos, "%*pb", 64, &val); ++ pos += sysfs_emit_at(buf, pos, "%c", i == 0 ? '\n' : ','); ++ } ++ ++ return pos; ++} ++ + static ssize_t wq_op_config_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct idxd_wq *wq = confdev_to_wq(dev); + +- return sysfs_emit(buf, "%*pb\n", IDXD_MAX_OPCAP_BITS, wq->opcap_bmap); ++ return op_cap_show_common(dev, buf, wq->opcap_bmap); + } + + static int idxd_verify_supported_opcap(struct idxd_device *idxd, unsigned long *opmask) +@@ -1455,7 +1478,7 @@ static ssize_t op_cap_show(struct device + { + struct idxd_device *idxd = confdev_to_idxd(dev); + +- return sysfs_emit(buf, "%*pb\n", IDXD_MAX_OPCAP_BITS, idxd->opcap_bmap); ++ return op_cap_show_common(dev, buf, idxd->opcap_bmap); + } + static DEVICE_ATTR_RO(op_cap); + diff --git a/queue-6.8/keys-fix-overwrite-of-key-expiration-on-instantiation.patch b/queue-6.8/keys-fix-overwrite-of-key-expiration-on-instantiation.patch new file mode 100644 index 00000000000..35b558d1646 --- /dev/null +++ b/queue-6.8/keys-fix-overwrite-of-key-expiration-on-instantiation.patch @@ -0,0 +1,44 @@ +From 9da27fb65a14c18efd4473e2e82b76b53ba60252 Mon Sep 17 00:00:00 2001 +From: Silvio Gissi +Date: Fri, 15 Mar 2024 15:05:39 -0400 +Subject: keys: Fix overwrite of key expiration on instantiation + +From: Silvio Gissi + +commit 9da27fb65a14c18efd4473e2e82b76b53ba60252 upstream. + +The expiry time of a key is unconditionally overwritten during +instantiation, defaulting to turn it permanent. This causes a problem +for DNS resolution as the expiration set by user-space is overwritten to +TIME64_MAX, disabling further DNS updates. Fix this by restoring the +condition that key_set_expiry is only called when the pre-parser sets a +specific expiry. + +Fixes: 39299bdd2546 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry") +Signed-off-by: Silvio Gissi +cc: David Howells +cc: Hazem Mohamed Abuelfotoh +cc: linux-afs@lists.infradead.org +cc: linux-cifs@vger.kernel.org +cc: keyrings@vger.kernel.org +cc: netdev@vger.kernel.org +cc: stable@vger.kernel.org +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -464,7 +464,8 @@ static int __key_instantiate_and_link(st + if (authkey) + key_invalidate(authkey); + +- key_set_expiry(key, prep->expiry); ++ if (prep->expiry != TIME64_MAX) ++ key_set_expiry(key, prep->expiry); + } + } + diff --git a/queue-6.8/series b/queue-6.8/series index 8a7589653e7..293def788d5 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -334,3 +334,7 @@ bluetooth-qca-generalise-device-address-check.patch bluetooth-qca-fix-info-leak-when-fetching-board-id.patch bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch bluetooth-qca-fix-firmware-check-error-path.patch +vfio-add-the-spr_dsa-and-spr_iax-devices-to-the-denylist.patch +dmaengine-idxd-add-a-new-security-check-to-deal-with-a-hardware-erratum.patch +dmaengine-idxd-add-a-write-method-for-applications-to-submit-work.patch +keys-fix-overwrite-of-key-expiration-on-instantiation.patch diff --git a/queue-6.8/vfio-add-the-spr_dsa-and-spr_iax-devices-to-the-denylist.patch b/queue-6.8/vfio-add-the-spr_dsa-and-spr_iax-devices-to-the-denylist.patch new file mode 100644 index 00000000000..8ab3e40e0fc --- /dev/null +++ b/queue-6.8/vfio-add-the-spr_dsa-and-spr_iax-devices-to-the-denylist.patch @@ -0,0 +1,60 @@ +From 95feb3160eef0caa6018e175a5560b816aee8e79 Mon Sep 17 00:00:00 2001 +From: Arjan van de Ven +Date: Thu, 21 Mar 2024 19:44:07 +0000 +Subject: VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist + +From: Arjan van de Ven + +commit 95feb3160eef0caa6018e175a5560b816aee8e79 upstream. + +Due to an erratum with the SPR_DSA and SPR_IAX devices, it is not secure to assign +these devices to virtual machines. Add the PCI IDs of these devices to the VFIO +denylist to ensure that this is handled appropriately by the VFIO subsystem. + +The SPR_DSA and SPR_IAX devices are on-SOC devices for the Sapphire Rapids +(and related) family of products that perform data movement and compression. + +Signed-off-by: Arjan van de Ven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/registers.h | 3 --- + drivers/vfio/pci/vfio_pci.c | 2 ++ + include/linux/pci_ids.h | 2 ++ + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/dma/idxd/registers.h ++++ b/drivers/dma/idxd/registers.h +@@ -6,9 +6,6 @@ + #include + + /* PCI Config */ +-#define PCI_DEVICE_ID_INTEL_DSA_SPR0 0x0b25 +-#define PCI_DEVICE_ID_INTEL_IAX_SPR0 0x0cfe +- + #define DEVICE_VERSION_1 0x100 + #define DEVICE_VERSION_2 0x200 + +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -71,6 +71,8 @@ static bool vfio_pci_dev_in_denylist(str + case PCI_DEVICE_ID_INTEL_QAT_C62X_VF: + case PCI_DEVICE_ID_INTEL_QAT_DH895XCC: + case PCI_DEVICE_ID_INTEL_QAT_DH895XCC_VF: ++ case PCI_DEVICE_ID_INTEL_DSA_SPR0: ++ case PCI_DEVICE_ID_INTEL_IAX_SPR0: + return true; + default: + return false; +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2686,8 +2686,10 @@ + #define PCI_DEVICE_ID_INTEL_I960 0x0960 + #define PCI_DEVICE_ID_INTEL_I960RM 0x0962 + #define PCI_DEVICE_ID_INTEL_HDA_HSW_0 0x0a0c ++#define PCI_DEVICE_ID_INTEL_DSA_SPR0 0x0b25 + #define PCI_DEVICE_ID_INTEL_HDA_HSW_2 0x0c0c + #define PCI_DEVICE_ID_INTEL_CENTERTON_ILB 0x0c60 ++#define PCI_DEVICE_ID_INTEL_IAX_SPR0 0x0cfe + #define PCI_DEVICE_ID_INTEL_HDA_HSW_3 0x0d0c + #define PCI_DEVICE_ID_INTEL_HDA_BYT 0x0f04 + #define PCI_DEVICE_ID_INTEL_SST_BYT 0x0f28