linux/drivers/xen
Konrad Rzeszutek Wilk a396f3a210 xen/pciback: Do not install an IRQ handler for MSI interrupts.
Otherwise a guest can subvert the generic MSI code to trigger
a BUG_ON condition during MSI interrupt freeing:

 for (i = 0; i < entry->nvec_used; i++)
        BUG_ON(irq_has_action(entry->irq + i));

Xen PCI backend installs an IRQ handler (request_irq) for
the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
done in case the device has legacy interrupts and the GSI line
is shared by the backend devices.

To subvert the backend the guest needs to make the backend
change the dev->irq from the GSI to the MSI interrupt line,
make the backend allocate an interrupt handler, and then command
the backend to free the MSI interrupt and hit the BUG_ON.

Since the backend only calls 'request_irq' when the guest
writes to the PCI_COMMAND register the guest needs to call
XEN_PCI_OP_enable_msi before any other operation. This will
cause the generic MSI code to set up an MSI entry and
populate dev->irq with the new PIRQ value.

Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
and cause the backend to set up an IRQ handler for dev->irq
(which instead of the GSI value has the MSI PIRQ). See
'xen_pcibk_control_isr'.

Then the guest disables the MSI: XEN_PCI_OP_disable_msi
which ends up triggering the BUG_ON condition in 'free_msi_irqs'
as there is an IRQ handler for the entry->irq (dev->irq).

Note that this cannot be done using MSI-X as the generic
code does not over-write dev->irq with the MSI-X PIRQ values.

The patch inhibits setting up the IRQ handler if MSI or
MSI-X (for symmetry reasons) code had been called successfully.

P.S.
Xen PCIBack, when it sets up the device for the guest consumption,
ends up writing 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
XSA-120 addendum patch removed that - however when upstreaming said
addendum we found that it caused issues with qemu upstream. That
has now been fixed in qemu upstream.

This is part of XSA-157

CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2015-12-18 10:48:34 -05:00
events xen/events/fifo: Consume unprocessed events when a CPU dies 2015-12-02 13:23:25 +00:00
xen-pciback xen/pciback: Do not install an IRQ handler for MSI interrupts. 2015-12-18 10:48:34 -05:00
xenbus xenbus: Support multiple grants ring with 64KB 2015-10-23 14:20:47 +01:00
xenfs xen: xensyms support 2015-08-20 12:24:25 +01:00
acpi.c xen / ACPI: notify xen when reduced hardware sleep is available 2013-07-31 14:22:35 +02:00
balloon.c xen/balloon: Use the correct sizeof when declaring frame_list 2015-10-23 14:20:44 +01:00
biomerge.c xen/biomerge: Don't allow biovec's to be merged when Linux is not using 4KB pages 2015-10-23 14:20:36 +01:00
cpu_hotplug.c xen, cpu_hotplug: call device_offline instead of cpu_down 2015-10-23 14:20:48 +01:00
dbgp.c xen: Use dev_is_pci() to check whether it is pci device 2014-01-07 09:53:33 -05:00
efi.c efi: dmi: add support for SMBIOS 3.0 UEFI configuration table 2014-11-05 09:03:16 +01:00
evtchn.c xen/evtchn: dynamically grow pending event channel ring 2015-11-26 18:49:54 +00:00
fallback.c xen-pciback: notify hypervisor about devices intended to be assigned to guests 2013-03-22 10:20:55 -04:00
features.c
gntalloc.c Merge branch 'akpm' (patches from Andrew) 2015-09-10 18:19:42 -07:00
gntdev.c xen/gntdev: Grant maps should not be subject to NUMA balancing 2015-11-26 17:47:35 +00:00
grant-table.c xen/grant-table: Add an helper to iterate over a specific number of grants 2015-10-23 14:20:46 +01:00
Kconfig xen/PMU: Sysfs interface for setting Xen PMU mode 2015-08-20 12:24:26 +01:00
Makefile xen/arm: Enable cpu_hotplug.c 2015-10-23 14:20:47 +01:00
manage.c xen: Use correctly the Xen memory terminologies 2015-09-08 18:03:49 +01:00
mcelog.c xen/mce: fix up xen_late_init_mcelog() error handling 2015-03-16 14:49:15 +00:00
pci.c xen/pci: Try harder to get PXM information for Xen 2015-04-15 10:57:28 +01:00
pcpu.c xen: pcpu: Use static attribute groups for sysfs entry 2015-03-16 14:49:13 +00:00
platform-pci.c drivers: xen: Mark function as static in platform-pci.c 2014-02-28 15:26:04 -05:00
preempt.c xen/preempt: use need_resched() instead of should_resched() 2015-08-20 12:24:14 +01:00
privcmd.c xen/privcmd: Add support for Linux 64KB page granularity 2015-10-23 14:20:42 +01:00
privcmd.h
swiotlb-xen.c xen/swiotlb: Add support for 64KB page granularity 2015-10-23 14:20:43 +01:00
sys-hypervisor.c xen/PMU: Sysfs interface for setting Xen PMU mode 2015-08-20 12:24:26 +01:00
tmem.c xen/tmem: Use xen_page_to_gfn rather than pfn_to_gfn 2015-09-08 18:03:52 +01:00
xen-acpi-cpuhotplug.c Xen / ACPI / processor: Remove unneeded NULL check 2015-05-13 23:28:15 +02:00
xen-acpi-memhotplug.c ACPICA: Resources: Provide common part for struct acpi_resource_address structures. 2015-01-26 16:09:56 +01:00
xen-acpi-pad.c ACPI / PAD / xen: use acpi_evaluate_ost() to replace open-coded version 2014-02-21 00:27:47 +01:00
xen-acpi-processor.c ACPI / processor: Drop an unused argument of a cleanup routine 2015-07-22 22:11:16 +02:00
xen-balloon.c xen: balloon: Use static attribute groups for sysfs entries 2015-03-16 14:49:13 +00:00
xen-scsiback.c xen-scsiback: safely copy requests 2015-12-18 10:00:41 -05:00
xen-selfballoon.c drivers:xen-selfballoon:reset 'frontswap_inertia_counter' after frontswap_shrink 2014-02-28 15:26:12 -05:00
xen-stub.c xen/acpi: remove redundant acpi/acpi_drivers.h include 2013-03-11 13:53:02 -04:00
xlate_mmu.c xen/privcmd: Add support for Linux 64KB page granularity 2015-10-23 14:20:42 +01:00