[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.9] arm: vgic: Don't update the LR when the IRQ is not enabled



commit 471d9ca43cc1fa9eb9c7c7f39b3de8333d9521ef
Author:     Julien Grall <julien.grall@xxxxxxx>
AuthorDate: Tue Jun 20 15:46:38 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jun 20 15:46:38 2017 +0200

    arm: vgic: Don't update the LR when the IRQ is not enabled
    
    gic_raise_inflight_irq will be called if the IRQ is already inflight
    (i.e the IRQ is injected to the guest). If the IRQ is already already in
    the LRs, then the associated LR will be updated.
    
    To know if the interrupt is already in the LR, the function check if the
    interrupt is queued. However, if the interrupt is not enabled then the
    interrupt may not be queued nor in the LR. So gic_update_one_lr may be
    called (if we inject on the current vCPU) and read the LR.
    
    Because the interrupt is not in the LR, Xen will either read:
        * LR 0 if the interrupt was never injected before
        * LR 255 (GIC_INVALID_LR) if the interrupt was injected once. This
        is because gic_update_one_lr will reset p->lr.
    
    Reading LR 0 will result to potentially update the wrong interrupt and
    not keep the LRs in sync with Xen.
    
    Reading LR 255 will result to:
        * Crash Xen on GICv3 as the LR index is bigger than supported (see
        gicv3_ich_read_lr).
        * Read/write always GICH_LR + 255 * 4 that is not part of the memory
        mapped.
    
    The problem can be prevented by checking whether the interrupt is
    enabled in gic_raise_inflight_irq before calling gic_update_one_lr.
    
    A follow-up of this patch is expected to mitigate the issue in the
    future.
    
    This is XSA-223.
    
    Signed-off-by: Julien Grall <julien.grall@xxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    master commit: c84e4b2dd4050ef3eecc13fcfa6842373ba4519c
    master date: 2017-06-20 14:41:55 +0200
---
 xen/arch/arm/gic.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index da19130..a88ca4b 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -417,6 +417,10 @@ void gic_raise_inflight_irq(struct vcpu *v, unsigned int 
virtual_irq)
 
     ASSERT(spin_is_locked(&v->arch.vgic.lock));
 
+    /* Don't try to update the LR if the interrupt is disabled */
+    if ( !test_bit(GIC_IRQ_GUEST_ENABLED, &n->status) )
+        return;
+
     if ( list_empty(&n->lr_queue) )
     {
         if ( v == current )
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.9

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.