author | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-26 17:47:47 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-26 17:47:47 +0200 |
commit | f4a19c0819f182d5278cc6415989fce5da330c63 (patch) | |
tree | ac4943fed31ade2146449d15fb2f702564aa1835 /debian/patches | |
parent | 1be71e246c5564a650cf22f1d0721981b6abc7d2 (diff) | |
download | linux-debian-f4a19c0819f182d5278cc6415989fce5da330c63.tar.gz |
Revert "ixgbe: add improvement for MDD response functionality (CVE-2021-33061)"
This reverts commit 1be71e246c5564a650cf22f1d0721981b6abc7d2.
There are actually changes this depends on, so we cannot pick this up for 5.17.y.
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/bugfix/all/ixgbe-add-improvement-for-MDD-response-functionality.patch | 162 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 0 insertions, 163 deletions
diff --git a/debian/patches/bugfix/all/ixgbe-add-improvement-for-MDD-response-functionality.patch b/debian/patches/bugfix/all/ixgbe-add-improvement-for-MDD-response-functionality.patch
deleted file mode 100644
index 2302c2aa9..000000000
--- a/debian/patches/bugfix/all/ixgbe-add-improvement-for-MDD-response-functionality.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
-Date: Tue, 1 Mar 2022 11:40:09 +0000
-Subject: ixgbe: add improvement for MDD response functionality
-Origin: https://git.kernel.org/linus/008ca35f6e87be1d60b6af3d1ae247c6d5c2531d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-33061
-
-The 82599 PF driver disable VF driver after a special MDD event occurs.
-Adds the option for administrators to control whether VFs are
-automatically disabled after several MDD events.
-The automatically disabling is now the default mode for 82599 PF driver,
-as it is more reliable.
-
-This addresses CVE-2021-33061.
-
-Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
-Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
-Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
----
- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 4 +++
- .../net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 21 ++++++++++++++
- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 28 ++++++++++++++++++-
- 3 files changed, 52 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
-index c9bf18086d9c..921a4d977d65 100644
---- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
-+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
-@@ -184,6 +184,7 @@ struct vf_data_storage {
- u8 trusted;
- int xcast_mode;
- unsigned int vf_api;
-+ u8 primary_abort_count;
- };
-
- enum ixgbevf_xcast_modes {
-@@ -558,6 +559,8 @@ struct ixgbe_mac_addr {
- #define IXGBE_TRY_LINK_TIMEOUT (4 * HZ)
- #define IXGBE_SFP_POLL_JIFFIES (2 * HZ) /* SFP poll every 2 seconds */
-
-+#define IXGBE_PRIMARY_ABORT_LIMIT 5
-+
- /* board specific private data structure */
- struct ixgbe_adapter {
- unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)];
-@@ -616,6 +619,7 @@ struct ixgbe_adapter {
- #define IXGBE_FLAG2_RX_LEGACY BIT(16)
- #define IXGBE_FLAG2_IPSEC_ENABLED BIT(17)
- #define IXGBE_FLAG2_VF_IPSEC_ENABLED BIT(18)
-+#define IXGBE_FLAG2_AUTO_DISABLE_VF BIT(19)
-
- /* Tx fast path data */
- int num_tx_queues;
-diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
-index f70967c32116..628d0eb0599f 100644
---- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
-+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
-@@ -138,6 +138,8 @@ static const char ixgbe_priv_flags_strings[][ETH_GSTRING_LEN] = {
- "legacy-rx",
- #define IXGBE_PRIV_FLAGS_VF_IPSEC_EN BIT(1)
- "vf-ipsec",
-+#define IXGBE_PRIV_FLAGS_AUTO_DISABLE_VF BIT(2)
-+ "mdd-disable-vf",
- };
-
- #define IXGBE_PRIV_FLAGS_STR_LEN ARRAY_SIZE(ixgbe_priv_flags_strings)
-@@ -3510,6 +3512,9 @@ static u32 ixgbe_get_priv_flags(struct net_device *netdev)
- if (adapter->flags2 & IXGBE_FLAG2_VF_IPSEC_ENABLED)
- priv_flags |= IXGBE_PRIV_FLAGS_VF_IPSEC_EN;
-
-+ if (adapter->flags2 & IXGBE_FLAG2_AUTO_DISABLE_VF)
-+ priv_flags |= IXGBE_PRIV_FLAGS_AUTO_DISABLE_VF;
-+
- return priv_flags;
- }
-
-@@ -3517,6 +3522,7 @@ static int ixgbe_set_priv_flags(struct net_device *netdev, u32 priv_flags)
- {
- struct ixgbe_adapter *adapter = netdev_priv(netdev);
- unsigned int flags2 = adapter->flags2;
-+ unsigned int i;
-
- flags2 &= ~IXGBE_FLAG2_RX_LEGACY;
- if (priv_flags & IXGBE_PRIV_FLAGS_LEGACY_RX)
-@@ -3526,6 +3532,21 @@ static int ixgbe_set_priv_flags(struct net_device *netdev, u32 priv_flags)
- if (priv_flags & IXGBE_PRIV_FLAGS_VF_IPSEC_EN)
- flags2 |= IXGBE_FLAG2_VF_IPSEC_ENABLED;
-
-+ flags2 &= ~IXGBE_FLAG2_AUTO_DISABLE_VF;
-+ if (priv_flags & IXGBE_PRIV_FLAGS_AUTO_DISABLE_VF) {
-+ if (adapter->hw.mac.type == ixgbe_mac_82599EB) {
-+ /* Reset primary abort counter */
-+ for (i = 0; i < adapter->num_vfs; i++)
-+ adapter->vfinfo[i].primary_abort_count = 0;
-+
-+ flags2 |= IXGBE_FLAG2_AUTO_DISABLE_VF;
-+ } else {
-+ e_info(probe,
-+ "Cannot set private flags: Operation not supported\n");
-+ return -EOPNOTSUPP;
-+ }
-+ }
-+
- if (flags2 != adapter->flags2) {
- adapter->flags2 = flags2;
-
-diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
-index 13df4e0f3796..c4a4954aa317 100644
---- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
-+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
-@@ -7613,6 +7613,27 @@ static void ixgbe_watchdog_flush_tx(struct ixgbe_adapter *adapter)
- }
-
- #ifdef CONFIG_PCI_IOV
-+static void ixgbe_bad_vf_abort(struct ixgbe_adapter *adapter, u32 vf)
-+{
-+ struct ixgbe_hw *hw = &adapter->hw;
-+
-+ if (adapter->hw.mac.type == ixgbe_mac_82599EB &&
-+ adapter->flags2 & IXGBE_FLAG2_AUTO_DISABLE_VF) {
-+ adapter->vfinfo[vf].primary_abort_count++;
-+ if (adapter->vfinfo[vf].primary_abort_count ==
-+ IXGBE_PRIMARY_ABORT_LIMIT) {
-+ ixgbe_set_vf_link_state(adapter, vf,
-+ IFLA_VF_LINK_STATE_DISABLE);
-+ adapter->vfinfo[vf].primary_abort_count = 0;
-+
-+ e_info(drv,
-+ "Malicious Driver Detection event detected on PF %d VF %d MAC: %pM mdd-disable-vf=on",
-+ hw->bus.func, vf,
-+ adapter->vfinfo[vf].vf_mac_addresses);
-+ }
-+ }
-+}
-+
- static void ixgbe_check_for_bad_vf(struct ixgbe_adapter *adapter)
- {
- struct ixgbe_hw *hw = &adapter->hw;
-@@ -7644,8 +7665,10 @@ static void ixgbe_check_for_bad_vf(struct ixgbe_adapter *adapter)
- continue;
- pci_read_config_word(vfdev, PCI_STATUS, &status_reg);
- if (status_reg != IXGBE_FAILED_READ_CFG_WORD &&
-- status_reg & PCI_STATUS_REC_MASTER_ABORT)
-+ status_reg & PCI_STATUS_REC_MASTER_ABORT) {
-+ ixgbe_bad_vf_abort(adapter, vf);
- pcie_flr(vfdev);
-+ }
- }
- }
-
-@@ -10746,6 +10769,9 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
- if (err)
- goto err_sw_init;
-
-+ if (adapter->hw.mac.type == ixgbe_mac_82599EB)
-+ adapter->flags2 |= IXGBE_FLAG2_AUTO_DISABLE_VF;
-+
- switch (adapter->hw.mac.type) {
- case ixgbe_mac_X550:
- case ixgbe_mac_X550EM_x:
---
-2.36.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 2ef3cd439..82bf77791 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,7 +100,6 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch
-bugfix/all/ixgbe-add-improvement-for-MDD-response-functionality.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |