[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.8] IOMMU/x86: fix type ref-counting race upon IOMMU page table construction

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Tue, 09 Jul 2019 19:22:13 +0000
Delivery-date: Tue, 09 Jul 2019 19:22:18 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit f51d8e54960127ed5a3042417758eab49e05774c
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Mar 5 15:41:08 2019 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Mar 5 15:41:08 2019 +0100

    IOMMU/x86: fix type ref-counting race upon IOMMU page table construction
    
    When arch_iommu_populate_page_table() gets invoked for an already
    running guest, simply looking at page types once isn't enough, as they
    may change at any time. Add logic to re-check the type after having
    mapped the page, unmapping it again if needed.
    
    This is XSA-285.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Tentatively-Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 1f0b0bb7773d537bcf169e021495d0986d9809fc
    master date: 2019-03-05 13:47:36 +0100
---
 xen/drivers/passthrough/x86/iommu.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/xen/drivers/passthrough/x86/iommu.c 
b/xen/drivers/passthrough/x86/iommu.c
index 69cd6c597d..954a1a616c 100644
--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -68,6 +68,27 @@ int arch_iommu_populate_page_table(struct domain *d)
                 rc = hd->platform_ops->map_page(d, gfn, mfn,
                                                 IOMMUF_readable |
                                                 IOMMUF_writable);
+
+                /*
+                 * We may be working behind the back of a running guest, which
+                 * may change the type of a page at any time.  We can't prevent
+                 * this (for instance, by bumping the type count while mapping
+                 * the page) without causing legitimate guest type-change
+                 * operations to fail.  So after adding the page to the IOMMU,
+                 * check again to make sure this is still valid.  NB that the
+                 * writable entry in the iommu is harmless until later, when
+                 * the actual device gets assigned.
+                 */
+                if ( !rc && !is_hvm_domain(d) &&
+                     ((page->u.inuse.type_info & PGT_type_mask) !=
+                      PGT_writable_page) )
+                {
+                    rc = hd->platform_ops->unmap_page(d, gfn);
+                    /* If the type changed yet again, simply force a retry. */
+                    if ( !rc && ((page->u.inuse.type_info & PGT_type_mask) ==
+                                 PGT_writable_page) )
+                        rc = -ERESTART;
+                }
             }
             if ( rc )
             {
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [xen stable-4.8] gnttab: set page refcount for copy-on-grant-transfer
Next by Date: [Xen-changelog] [xen stable-4.8] steal_page: Get rid of bogus struct page states
Previous by thread: [Xen-changelog] [xen stable-4.8] gnttab: set page refcount for copy-on-grant-transfer
Next by thread: [Xen-changelog] [xen stable-4.8] steal_page: Get rid of bogus struct page states
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.