From: Yonatan Maman Ymaman@Nvidia.com
This patch series addresses two critical issues in the Nouveau driver related to device channels, error handling, and sensitive data leaks.
- Vulnerability in migrate_to_ram: The migrate_to_ram function might return a dirty HIGH_USER page when a copy push command (FW channel) fails, potentially exposing sensitive data and posing a security risk. To mitigate this, the patch ensures the allocation of a non-dirty (zero) page for the destination, preventing the return of a dirty page and enhancing driver security in case of failure.
- Privileged Error in Copy Engine Channel: An error was observed when the nouveau_dmem_copy_one function is executed, leading to a Host Copy Engine Privileged error on channel 1. The patch resolves this by adjusting the Copy Engine channel configuration to permit privileged push commands, resolving the error.
Changes since V2:
- Fixed version according to Danilo Krummrich's comments.
Yonatan Maman (2):
  nouveau/dmem: Fix privileged error in copy engine channel
  nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
 drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
From: Yonatan Maman Ymaman@Nvidia.com
When `nouveau_dmem_copy_one` is called, the following error occurs:
[272146.675156] nouveau 0000:06:00.0: fifo: PBDMA9: 00000004 [HCE_PRIV] ch 1 00000300 00003386
This indicates that a copy push command triggered a Host Copy Engine Privileged error on channel 1 (Copy Engine channel). To address this issue, modify the Copy Engine channel to allow privileged push commands.
Fixes: 6de125383a5c ("drm/nouveau/fifo: expose runlist topology info on all chipsets")
Signed-off-by: Yonatan Maman Ymaman@Nvidia.com
Signed-off-by: Gal Shalom GalShalom@Nvidia.com
Co-developed-by: Gal Shalom GalShalom@Nvidia.com
Reviewed-by: Ben Skeggs bskeggs@nvidia.com
---
 drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index a58c31089613..0a75ce4c5021 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -356,7 +356,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm) return; }
- ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->cechan); + ret = nouveau_channel_new(drm, device, true, runm, NvDmaFB, NvDmaTT, &drm->cechan); if (ret) NV_ERROR(drm, "failed to create ce channel, %d\n", ret); }
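Review bot: The commit message does not say which command in the nouveau_dmem_copy_one push needs privilege, and flipping the third argument of nouveau_channel_new() from false to true in nouveau_accel_ce_init() makes the whole drm->cechan channel privileged rather than that one copy. Please name the command behind the HCE_PRIV error in the message and state whether everything else that pushes on drm->cechan is meant to gain privileged access as well.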
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: add the tag "Cc: stable@vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree.
Subject: [PATCH v3 1/2] nouveau/dmem: Fix privileged error in copy engine channel
Link: https://lore.kernel.org/stable/20241008073103.987926-2-ymaman%40nvidia.com
On Tue, Oct 08, 2024 at 10:31:02AM +0300, Yonatan Maman wrote:
From: Yonatan Maman Ymaman@Nvidia.com
When `nouveau_dmem_copy_one` is called, the following error occurs:
[272146.675156] nouveau 0000:06:00.0: fifo: PBDMA9: 00000004 [HCE_PRIV] ch 1 00000300 00003386
This indicates that a copy push command triggered a Host Copy Engine Privileged error on channel 1 (Copy Engine channel). To address this issue, modify the Copy Engine channel to allow privileged push commands.
Fixes: 6de125383a5c ("drm/nouveau/fifo: expose runlist topology info on all chipsets")
Signed-off-by: Yonatan Maman Ymaman@Nvidia.com
Signed-off-by: Gal Shalom GalShalom@Nvidia.com
Co-developed-by: Gal Shalom GalShalom@Nvidia.com
'Co-developed-by' must be immediately followed by the corresponding 'Signed-off-by'.
This is just a nit, but it indicates you didn't run ./scripts/checkpatch.pl, did you?
Reviewed-by: Ben Skeggs bskeggs@nvidia.com
 drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index a58c31089613..0a75ce4c5021 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -356,7 +356,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm) return; }
- ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->cechan);
- ret = nouveau_channel_new(drm, device, true, runm, NvDmaFB, NvDmaTT, &drm->cechan);
This patch does not apply, it seems like it is based on some old or OOT version of the code.
Please make sure to rebase and test your patches against upstream code if you're submitting patches upstream.
if (ret) NV_ERROR(drm, "failed to create ce channel, %d\n", ret); } -- 2.34.1
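Review bot: In the nouveau_channel_new() call the only change is a bare false becoming true in the third argument, which tells a reader of nouveau_accel_ce_init() nothing about what is being enabled. A one-line comment above the call stating that the CE channel is created privileged, and why the copy path needs it, would keep a later cleanup from flipping it back.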
From: Yonatan Maman Ymaman@Nvidia.com
The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully.
In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user.
This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user.
To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.
Fixes: 5be73b690875 ("drm/nouveau/dmem: device memory helpers for SVM")
Signed-off-by: Yonatan Maman Ymaman@Nvidia.com
Signed-off-by: Gal Shalom GalShalom@Nvidia.com
Co-developed-by: Gal Shalom GalShalom@Nvidia.com
Reviewed-by: Ben Skeggs bskeggs@nvidia.com
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c index 6fb65b01d778..097bd3af0719 100644 --- a/drivers/gpu/drm/nouveau/nouveau_dmem.c +++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c @@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf) if (!spage || !(src & MIGRATE_PFN_MIGRATE)) goto done;
- dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address); + dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address); if (!dpage) goto done;
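Review bot: Adding __GFP_ZERO to the alloc_page_vma() call in nouveau_dmem_migrate_to_ram() keeps stale data away from userspace, but a failed copy is still treated as success, so the faulting process now silently reads zeros in place of its own data. Since the commit message says nouveau_dmem_copy_one does not track whether the push executed, consider also checking the copy's completion and failing the fault when it errors, and add a comment at the allocation saying the zeroing is there for the copy-failure case.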
linux-stable-mirror@lists.linaro.org
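The failure mode described in the 2/2 commit message, modelled in user space as an added example (not code from the patch or from the Nouveau driver). `model_alloc_page`, `model_copy_one`, `model_migrate_to_ram` and the one-page `pool` are hypothetical stand-ins for `alloc_page_vma`, `nouveau_dmem_copy_one`, the fault handler and the page allocator; the byte values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SZ 4096
#define STALE   0x5A  /* constructed: bytes left by the page's previous owner */
#define DEVDATA 0x11  /* constructed: the data held in device memory */

static uint8_t pool[PAGE_SZ];  /* hypothetical one-page allocator, never scrubbed */

/* Stand-in for alloc_page_vma(); zero == true models adding __GFP_ZERO. */
static uint8_t *model_alloc_page(bool zero)
{
    if (zero)
        memset(pool, 0, PAGE_SZ);
    return pool;
}

/* Stand-in for nouveau_dmem_copy_one(): the push is queued (returns 0) even
 * when the engine then fails, because completion is not tracked. */
static int model_copy_one(uint8_t *dst, const uint8_t *src, bool engine_fails)
{
    if (!engine_fails)
        memcpy(dst, src, PAGE_SZ);
    return 0;
}

struct fault_result {
    size_t stale_bytes;  /* previous owner's bytes visible to the faulting task */
    bool data_intact;    /* page really holds the device data */
};

/* Model of the migrate_to_ram fault path for one page. */
static struct fault_result model_migrate_to_ram(bool zero, bool engine_fails)
{
    static uint8_t vram[PAGE_SZ];
    struct fault_result r = { 0, false };
    memset(vram, DEVDATA, PAGE_SZ);
    memset(pool, STALE, PAGE_SZ);  /* previous owner freed a dirty page */
    uint8_t *dpage = model_alloc_page(zero);
    if (model_copy_one(dpage, vram, engine_fails) != 0)
        return r;                  /* never taken: the failure is invisible */
    for (size_t i = 0; i < PAGE_SZ; i++)
        r.stale_bytes += (dpage[i] == STALE);
    r.data_intact = (memcmp(dpage, vram, PAGE_SZ) == 0);
    return r;
}
```

With zeroing enabled and a failed copy, `stale_bytes` drops to 0 while `data_intact` stays false: the exposure is closed, but the lost copy is still unreported.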