* [PATCH v4 0/2] drm/nouveau/dmem: Fix Vulnerability and Device Channels configuration
@ 2024-10-08 11:59 Yonatan Maman
2024-10-08 11:59 ` [PATCH v4 1/2] nouveau/dmem: Fix privileged error in copy engine channel Yonatan Maman
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Yonatan Maman @ 2024-10-08 11:59 UTC (permalink / raw)
To: kherbst, lyude, dakr, airlied, daniel, bskeggs, jglisse,
dri-devel, nouveau
Cc: Yonatan Maman, linux-kernel, stable
From: Yonatan Maman <Ymaman@Nvidia.com>
This patch series addresses two critical issues in the Nouveau driver
related to device channels, error handling, and sensitive data leaks.

- Vulnerability in migrate_to_ram: The migrate_to_ram function might
  return a dirty HIGH_USER page when a copy push command (FW channel)
  fails, potentially exposing sensitive data and posing a security
  risk. To mitigate this, the patch ensures the allocation of a non-dirty
  (zero) page for the destination, preventing the return of a dirty page
  and enhancing driver security in case of failure.

- Privileged Error in Copy Engine Channel: An error was observed when
  the nouveau_dmem_copy_one function is executed, leading to a Host Copy
  Engine Privileged error on channel 1. The patch resolves this by
  adjusting the Copy Engine channel configuration to permit privileged
  push commands, resolving the error.

Changes since V3:
- Fixed version according to Danilo Krummrich's comments.

Yonatan Maman (2):
  nouveau/dmem: Fix privileged error in copy engine channel
  nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error

drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.34.1
* [PATCH v4 1/2] nouveau/dmem: Fix privileged error in copy engine channel
From: Yonatan Maman @ 2024-10-08 11:59 UTC (permalink / raw)
To: kherbst, lyude, dakr, airlied, daniel, bskeggs, jglisse,
dri-devel, nouveau
Cc: Yonatan Maman, linux-kernel, stable, Gal Shalom
From: Yonatan Maman <Ymaman@Nvidia.com>
When `nouveau_dmem_copy_one` is called, the following error occurs:

[272146.675156] nouveau 0000:06:00.0: fifo: PBDMA9: 00000004 [HCE_PRIV]
ch 1 00000300 00003386

This indicates that a copy push command triggered a Host Copy Engine
Privileged error on channel 1 (Copy Engine channel). To address this
issue, modify the Copy Engine channel to allow privileged push commands.

Fixes: 6de125383a5c ("drm/nouveau/fifo: expose runlist topology info on all chipsets")
Signed-off-by: Yonatan Maman <Ymaman@Nvidia.com>
Co-developed-by: Gal Shalom <GalShalom@Nvidia.com>
Signed-off-by: Gal Shalom <GalShalom@Nvidia.com>
Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
---
drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
index f6e78dba594f..34985771b2a2 100644
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -331,7 +331,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm)
return;
}
- ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->cechan);
+ ret = nouveau_channel_new(&drm->client, true, runm, NvDmaFB, NvDmaTT, &drm->cechan);
if (ret)
NV_ERROR(drm, "failed to create ce channel, %d\n", ret);
}
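Review bot: The bare true now passed as the second argument of nouveau_channel_new() in nouveau_accel_ce_init() does not say at the call site that it makes drm->cechan a privileged channel, which per the commit message is the whole point of the change. A one-line comment above the call stating that the copy engine channel must accept privileged push commands (the HCE_PRIV error quoted in the commit message) would keep a later cleanup from flipping it back to false. Because this widens what the channel may submit, the commit message should also state who is able to push to drm->cechan; the hunk does not show that.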
--
2.34.1
* [PATCH v4 2/2] nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
From: Yonatan Maman @ 2024-10-08 11:59 UTC (permalink / raw)
To: kherbst, lyude, dakr, airlied, daniel, bskeggs, jglisse,
dri-devel, nouveau
Cc: Yonatan Maman, linux-kernel, stable, Gal Shalom
From: Yonatan Maman <Ymaman@Nvidia.com>
The `nouveau_dmem_copy_one` function ensures that the copy push command is
sent to the device firmware but does not track whether it was executed
successfully.

In the case of a copy error (e.g., firmware or hardware failure), the
copy push command will be sent via the firmware channel, and
`nouveau_dmem_copy_one` will likely report success, leading to the
`migrate_to_ram` function returning a dirty HIGH_USER page to the user.

This can result in a security vulnerability, as a HIGH_USER page that may
contain sensitive or corrupted data could be returned to the user.

To prevent this vulnerability, we allocate a zero page. Thus, in case of
an error, a non-dirty (zero) page will be returned to the user.

Fixes: 5be73b690875 ("drm/nouveau/dmem: device memory helpers for SVM")
Signed-off-by: Yonatan Maman <Ymaman@Nvidia.com>
Co-developed-by: Gal Shalom <GalShalom@Nvidia.com>
Signed-off-by: Gal Shalom <GalShalom@Nvidia.com>
Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c
index 1f2d649f4b96..1a072568cef6 100644
--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
@@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf)
if (!spage || !(src & MIGRATE_PFN_MIGRATE))
goto done;
- dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address);
+ dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address);
if (!dpage)
goto done;
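Review bot: Adding __GFP_ZERO to the alloc_page_vma() call closes the stale-data leak but leaves the failed copy itself undetected. Per the commit message, nouveau_dmem_copy_one does not track whether the push command executed, so after this change a failed copy hands the faulting process an all-zero page as if the migration had succeeded. That is a reasonable trade for a minimal stable fix, but a comment next to the allocation saying the zeroing exists because the copy result is not checked would help the next reader, and the silent data loss deserves a follow-up that waits on the copy result and fails the fault on error.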
--
2.34.1
* Re: [PATCH v4 1/2] nouveau/dmem: Fix privileged error in copy engine channel
From: kernel test robot @ 2024-10-08 12:02 UTC (permalink / raw)
To: Yonatan Maman; +Cc: stable, oe-kbuild-all
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#option-1
Rule: add the tag "Cc: stable@vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree.
Subject: [PATCH v4 1/2] nouveau/dmem: Fix privileged error in copy engine channel
Link: https://lore.kernel.org/stable/20241008115943.990286-2-ymaman%40nvidia.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH v4 0/2] drm/nouveau/dmem: Fix Vulnerability and Device Channels configuration
From: Danilo Krummrich @ 2024-10-08 12:28 UTC (permalink / raw)
To: Yonatan Maman
Cc: kherbst, lyude, dakr, airlied, daniel, bskeggs, jglisse,
dri-devel, nouveau, linux-kernel, stable
On Tue, Oct 08, 2024 at 02:59:41PM +0300, Yonatan Maman wrote:
> From: Yonatan Maman <Ymaman@Nvidia.com>
>
> This patch series addresses two critical issues in the Nouveau driver
> related to device channels, error handling, and sensitive data leaks.
>
> - Vulnerability in migrate_to_ram: The migrate_to_ram function might
> return a dirty HIGH_USER page when a copy push command (FW channel)
> fails, potentially exposing sensitive data and posing a security
> risk. To mitigate this, the patch ensures the allocation of a non-dirty
> (zero) page for the destination, preventing the return of a dirty page
> and enhancing driver security in case of failure.
>
> - Privileged Error in Copy Engine Channel: An error was observed when
> the nouveau_dmem_copy_one function is executed, leading to a Host Copy
> Engine Privileged error on channel 1. The patch resolves this by
> adjusting the Copy Engine channel configuration to permit privileged
> push commands, resolving the error.
>
> Changes since V3:
> - Fixed version according to Danilo Krummrich's comments.
>
> Yonatan Maman (2):
> nouveau/dmem: Fix privileged error in copy engine channel
> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
Applied to drm-misc-fixes, thanks!