virtio: disable notification hardening by default

This fixes a regression in 5.19-rc1.

2 files changed, 149 insertions, 0 deletions

diff --git a/debian/patches/bugfix/all/virtio-disable-notification-hardening-by-default.patch b/debian/patches/bugfix/all/virtio-disable-notification-hardening-by-default.patch
new file mode 100644
index 000000000..6bd37c6fd
--- /dev/null
+++ b/debian/patches/bugfix/all/virtio-disable-notification-hardening-by-default.patch
@@ -0,0 +1,148 @@
+From: Jason Wang <jasowang@redhat.com>
+Subject: [PATCH V2] virtio: disable notification hardening by default
+Date: Mon, 20 Jun 2022 10:41:58 +0800
+Origin: https://lore.kernel.org/lkml/20220620024158.2505-1-jasowang@redhat.com/
+
+We try to harden virtio device notifications in 8b4ec69d7e09 ("virtio:
+harden vring IRQ"). It works with the assumption that the driver or
+core can properly call virtio_device_ready() at the right
+place. Unfortunately, this seems to be not true and uncover various
+bugs of the existing drivers, mainly the issue of using
+virtio_device_ready() incorrectly.
+
+So let's having a Kconfig option and disable it by default. It gives
+us a breath to fix the drivers and then we can consider to enable it
+by default.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+Changes since V1:
+- tweak the Kconfig prompt
+- don't hold spinlock for IRQ path in s390
+---
+ drivers/s390/virtio/virtio_ccw.c |  4 ++++
+ drivers/virtio/Kconfig           | 11 +++++++++++
+ drivers/virtio/virtio.c          |  2 ++
+ drivers/virtio/virtio_ring.c     | 12 ++++++++++++
+ include/linux/virtio_config.h    |  2 ++
+ 5 files changed, 31 insertions(+)
+
+--- a/drivers/s390/virtio/virtio_ccw.c
++++ b/drivers/s390/virtio/virtio_ccw.c
+@@ -1136,8 +1136,10 @@ static void virtio_ccw_int_handler(struc
+ 			vcdev->err = -EIO;
+ 	}
+ 	virtio_ccw_check_activity(vcdev, activity);
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	/* Interrupts are disabled here */
+ 	read_lock(&vcdev->irq_lock);
++#endif
+ 	for_each_set_bit(i, indicators(vcdev),
+ 			 sizeof(*indicators(vcdev)) * BITS_PER_BYTE) {
+ 		/* The bit clear must happen before the vring kick. */
+@@ -1146,7 +1148,9 @@ static void virtio_ccw_int_handler(struc
+ 		vq = virtio_ccw_vq_by_ind(vcdev, i);
+ 		vring_interrupt(0, vq);
+ 	}
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	read_unlock(&vcdev->irq_lock);
++#endif
+ 	if (test_bit(0, indicators2(vcdev))) {
+ 		virtio_config_changed(&vcdev->vdev);
+ 		clear_bit(0, indicators2(vcdev));
+--- a/drivers/virtio/Kconfig
++++ b/drivers/virtio/Kconfig
+@@ -29,6 +29,17 @@ menuconfig VIRTIO_MENU
+ 
+ if VIRTIO_MENU
+ 
++config VIRTIO_HARDEN_NOTIFICATION
++        bool "Harden virtio notification"
++        help
++          Enable this to harden the device notifications and supress
++          the ones that are illegal.
++
++          Experimental: not all drivers handle this correctly at this
++          point.
++
++          If unsure, say N.
++
+ config VIRTIO_PCI
+ 	tristate "PCI driver for virtio devices"
+ 	depends on PCI
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -219,6 +219,7 @@ static int virtio_features_ok(struct vir
+  * */
+ void virtio_reset_device(struct virtio_device *dev)
+ {
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	/*
+ 	 * The below virtio_synchronize_cbs() guarantees that any
+ 	 * interrupt for this line arriving after
+@@ -227,6 +228,7 @@ void virtio_reset_device(struct virtio_d
+ 	 */
+ 	virtio_break_device(dev);
+ 	virtio_synchronize_cbs(dev);
++#endif
+ 
+ 	dev->config->reset(dev);
+ }
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -1688,7 +1688,11 @@ static struct virtqueue *vring_create_vi
+ 	vq->we_own_ring = true;
+ 	vq->notify = notify;
+ 	vq->weak_barriers = weak_barriers;
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	vq->broken = true;
++#else
++	vq->broken = false;
++#endif
+ 	vq->last_used_idx = 0;
+ 	vq->event_triggered = false;
+ 	vq->num_added = 0;
+@@ -2135,9 +2139,13 @@ irqreturn_t vring_interrupt(int irq, voi
+ 	}
+ 
+ 	if (unlikely(vq->broken)) {
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 		dev_warn_once(&vq->vq.vdev->dev,
+ 			      "virtio vring IRQ raised before DRIVER_OK");
+ 		return IRQ_NONE;
++#else
++		return IRQ_HANDLED;
++#endif
+ 	}
+ 
+ 	/* Just a hint for performance: so it's ok that this can be racy! */
+@@ -2180,7 +2188,11 @@ struct virtqueue *__vring_new_virtqueue(
+ 	vq->we_own_ring = false;
+ 	vq->notify = notify;
+ 	vq->weak_barriers = weak_barriers;
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	vq->broken = true;
++#else
++	vq->broken = false;
++#endif
+ 	vq->last_used_idx = 0;
+ 	vq->event_triggered = false;
+ 	vq->num_added = 0;
+--- a/include/linux/virtio_config.h
++++ b/include/linux/virtio_config.h
+@@ -257,6 +257,7 @@ void virtio_device_ready(struct virtio_d
+ 
+ 	WARN_ON(status & VIRTIO_CONFIG_S_DRIVER_OK);
+ 
++#ifdef CONFIG_VIRTIO_HARDEN_NOTIFICATION
+ 	/*
+ 	 * The virtio_synchronize_cbs() makes sure vring_interrupt()
+ 	 * will see the driver specific setup if it sees vq->broken
+@@ -264,6 +265,7 @@ void virtio_device_ready(struct virtio_d
+ 	 */
+ 	virtio_synchronize_cbs(dev);
+ 	__virtio_unbreak_device(dev);
++#endif
+ 	/*
+ 	 * The transport should ensure the visibility of vq->broken
+ 	 * before setting DRIVER_OK. See the comments for the transport
diff --git a/debian/patches/series b/debian/patches/series
index 0996d4691..1f9a55b6d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -79,6 +79,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
 # Miscellaneous bug fixes
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
+bugfix/all/virtio-disable-notification-hardening-by-default.patch
 
 # Miscellaneous features