| Message ID | 163072204525.2250120.16615792476976546735.stgit@dwillia2-desk3.amr.corp.intel.com |
|---|---|
| State | Accepted |
| Commit | 9e56614c44b994b78fc9fcb2070bcbe3f5df0d7b |
| Headers | show |
| Series | cxl fixes for v5.15-rc1 | expand |
On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote: > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote: > > > > A proposed rework of security_locked_down() users identified that the > > cxl_pci driver was passing the wrong lockdown_reason. Update > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci > > access is also disabled. > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") > > Cc: Ben Widawsky <ben.widawsky@intel.com> > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> > > Cc: <stable@vger.kernel.org> > > Cc: Ondrej Mosnacek <omosnace@redhat.com> > > Cc: Paul Moore <paul@paul-moore.com> > > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > > --- > > drivers/cxl/pci.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > Hi Dan, > > Thanks for fixing this up. Would you mind if this was included in > Ondrej's patchset, or would you prefer to merge it via another tree > (e.g. cxl)? I was planning to merge this via the cxl tree for v5.15-rc1.
On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote: > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote: > > > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote: > > > > > > A proposed rework of security_locked_down() users identified that the > > > cxl_pci driver was passing the wrong lockdown_reason. Update > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci > > > access is also disabled. > > > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") > > > Cc: Ben Widawsky <ben.widawsky@intel.com> > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> > > > Cc: <stable@vger.kernel.org> > > > Cc: Ondrej Mosnacek <omosnace@redhat.com> > > > Cc: Paul Moore <paul@paul-moore.com> > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > > > --- > > > drivers/cxl/pci.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > Hi Dan, > > > > Thanks for fixing this up. Would you mind if this was included in > > Ondrej's patchset, or would you prefer to merge it via another tree > > (e.g. cxl)? > > I was planning to merge this via the cxl tree for v5.15-rc1. Okay, thanks. -- paul moore www.paul-moore.com
On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote: > On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote: > > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote: > > > > > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote: > > > > > > > > A proposed rework of security_locked_down() users identified that the > > > > cxl_pci driver was passing the wrong lockdown_reason. Update > > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci > > > > access is also disabled. > > > > > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") > > > > Cc: Ben Widawsky <ben.widawsky@intel.com> > > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> > > > > Cc: <stable@vger.kernel.org> > > > > Cc: Ondrej Mosnacek <omosnace@redhat.com> > > > > Cc: Paul Moore <paul@paul-moore.com> > > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > > > > --- > > > > drivers/cxl/pci.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > Hi Dan, > > > > > > Thanks for fixing this up. Would you mind if this was included in > > > Ondrej's patchset, or would you prefer to merge it via another tree > > > (e.g. cxl)? > > > > I was planning to merge this via the cxl tree for v5.15-rc1. > > Okay, thanks. And I can see the patch is now in Linus' tree, so if Paul agrees I'll rebase the patch on top of v5.15-rc1 once it's tagged and do one more respin. There are a few other minor conflicts and one new security_locked_down() call to cover, anyway. Dan, is it okay if I preserve your Acked-by from the last version? There will be no other change in the cxl area than rebasing on top of this patch. Thank you for taking care of the fix! -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
On Fri, Sep 10, 2021 at 5:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > On Tue, Sep 7, 2021 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Sep 7, 2021 at 1:39 PM Dan Williams <dan.j.williams@intel.com> wrote: > > > On Fri, Sep 3, 2021 at 8:57 PM Paul Moore <paul@paul-moore.com> wrote: > > > > > > > > On Fri, Sep 3, 2021 at 10:20 PM Dan Williams <dan.j.williams@intel.com> wrote: > > > > > > > > > > A proposed rework of security_locked_down() users identified that the > > > > > cxl_pci driver was passing the wrong lockdown_reason. Update > > > > > cxl_mem_raw_command_allowed() to fail raw command access when raw pci > > > > > access is also disabled. > > > > > > > > > > Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") > > > > > Cc: Ben Widawsky <ben.widawsky@intel.com> > > > > > Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> > > > > > Cc: <stable@vger.kernel.org> > > > > > Cc: Ondrej Mosnacek <omosnace@redhat.com> > > > > > Cc: Paul Moore <paul@paul-moore.com> > > > > > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > > > > > --- > > > > > drivers/cxl/pci.c | 2 +- > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > Hi Dan, > > > > > > > > Thanks for fixing this up. Would you mind if this was included in > > > > Ondrej's patchset, or would you prefer to merge it via another tree > > > > (e.g. cxl)? > > > > > > I was planning to merge this via the cxl tree for v5.15-rc1. > > > > Okay, thanks. > > And I can see the patch is now in Linus' tree, so if Paul agrees I'll > rebase the patch on top of v5.15-rc1 once it's tagged and do one more > respin. There are a few other minor conflicts and one new > security_locked_down() call to cover, anyway. > > Dan, is it okay if I preserve your Acked-by from the last version? Sure. > There will be no other change in the cxl area than rebasing on top of > this patch. > > Thank you for taking care of the fix! Thanks for the patience as I circled back.
On Fri, Sep 10, 2021 at 8:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > And I can see the patch is now in Linus' tree, so if Paul agrees I'll > rebase the patch on top of v5.15-rc1 once it's tagged ... Please do, thanks. -- paul moore www.paul-moore.com
diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c index 651e8d4ec974..37903259ee79 100644 --- a/drivers/cxl/pci.c +++ b/drivers/cxl/pci.c @@ -575,7 +575,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode) if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS)) return false; - if (security_locked_down(LOCKDOWN_NONE)) + if (security_locked_down(LOCKDOWN_PCI_ACCESS)) return false; if (cxl_raw_allow_all)
A proposed rework of security_locked_down() users identified that the cxl_pci driver was passing the wrong lockdown_reason. Update cxl_mem_raw_command_allowed() to fail raw command access when raw pci access is also disabled. Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") Cc: Ben Widawsky <ben.widawsky@intel.com> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> Cc: <stable@vger.kernel.org> Cc: Ondrej Mosnacek <omosnace@redhat.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> --- drivers/cxl/pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)