[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] x86/hvm/ioreq: MMIO range checking completely ignores direction flag

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Wed, 15 Aug 2018 12:22:05 +0000
Delivery-date: Wed, 15 Aug 2018 12:22:10 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 60a56dc0064a00830663ffe48215dcd080cb9504
Author:     Paul Durrant <paul.durrant@xxxxxxxxxx>
AuthorDate: Wed Aug 15 14:14:06 2018 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Aug 15 14:14:06 2018 +0200

    x86/hvm/ioreq: MMIO range checking completely ignores direction flag
    
    hvm_select_ioreq_server() is used to route an ioreq to the appropriate
    ioreq server. For MMIO this is done by comparing the range of the ioreq
    to the ranges registered by the device models of each ioreq server.
    Unfortunately the calculation of the range if the ioreq completely ignores
    the direction flag and thus may calculate the wrong range for comparison.
    Thus the ioreq may either be routed to the wrong server or erroneously
    terminated by null_ops.
    
    NOTE: The patch also fixes whitespace in the switch statement to make it
          style compliant.
    
    Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/hvm/ioreq.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 7c515b3ef7..940a2c9728 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -1353,20 +1353,25 @@ struct hvm_ioreq_server *hvm_select_ioreq_server(struct 
domain *d,
 
         switch ( type )
         {
-            unsigned long end;
+            unsigned long start, end;
 
         case XEN_DMOP_IO_RANGE_PORT:
-            end = addr + p->size - 1;
-            if ( rangeset_contains_range(r, addr, end) )
+            start = addr;
+            end = start + p->size - 1;
+            if ( rangeset_contains_range(r, start, end) )
                 return s;
 
             break;
+
         case XEN_DMOP_IO_RANGE_MEMORY:
-            end = addr + (p->size * p->count) - 1;
-            if ( rangeset_contains_range(r, addr, end) )
+            start = hvm_mmio_first_byte(p);
+            end = hvm_mmio_last_byte(p);
+
+            if ( rangeset_contains_range(r, start, end) )
                 return s;
 
             break;
+
         case XEN_DMOP_IO_RANGE_PCI:
             if ( rangeset_contains_singleton(r, addr >> 32) )
             {
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [qemu-xen staging] main loop: Big hammer to fix logfile disk DoS in Xen setups
Next by Date: [Xen-changelog] [xen staging] x86: write to correct variable in parse_pv_l1tf()
Previous by thread: [Xen-changelog] [qemu-xen staging] main loop: Big hammer to fix logfile disk DoS in Xen setups
Next by thread: [Xen-changelog] [xen staging] x86: write to correct variable in parse_pv_l1tf()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.