[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] x86/P2M: relax guarding of MMIO entries

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Wed, 08 Sep 2021 10:13:34 +0000
Delivery-date: Wed, 08 Sep 2021 10:13:36 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 111469cc7b3f586c2335e70205320ed3c828b89e
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Sep 7 09:39:38 2021 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 7 09:39:38 2021 +0200

    x86/P2M: relax guarding of MMIO entries
    
    One of the changes comprising the fixes for XSA-378 disallows replacing
    MMIO mappings by code paths not intended for this purpose. At least in
    the case of PVH Dom0 hitting an RMRR covered by an E820 ACPI region,
    this is too strict. Generally short-circuit requests establishing the
    same kind of mapping (mfn, type), but allow permissions to differ.
    
    While there, also add a log message to the other domain_crash()
    invocation that did prevent PVH Dom0 from coming up after the XSA-378
    changes.
    
    Fixes: 753cb68e6530 ("x86/p2m: guard (in particular) identity mapping 
entries")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/mm/p2m.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 1d17499543..0be252cc4b 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -958,9 +958,13 @@ guest_physmap_add_entry(struct domain *d, gfn_t gfn, mfn_t 
mfn,
         if ( p2m_is_special(ot) )
         {
             /* Don't permit unmapping grant/foreign/direct-MMIO this way. */
-            domain_crash(d);
             p2m_unlock(p2m);
-            
+            printk(XENLOG_G_ERR
+                   "%pd: GFN %#lx (%#lx,%u,%u) -> (%#lx,%u,%u) not 
permitted\n",
+                   d, gfn_x(gfn) + i,
+                   mfn_x(omfn), ot, a,
+                   mfn_x(mfn) + i, t, p2m->default_access);
+            domain_crash(d);
             return -EPERM;
         }
         else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) )
@@ -1302,9 +1306,24 @@ static int set_typed_p2m_entry(struct domain *d, 
unsigned long gfn_l,
     }
     if ( p2m_is_special(ot) )
     {
-        gfn_unlock(p2m, gfn, order);
-        domain_crash(d);
-        return -EPERM;
+        /* Special-case (almost) identical mappings. */
+        if ( !mfn_eq(mfn, omfn) || gfn_p2mt != ot )
+        {
+            gfn_unlock(p2m, gfn, order);
+            printk(XENLOG_G_ERR
+                   "%pd: GFN %#lx (%#lx,%u,%u,%u) -> (%#lx,%u,%u,%u) not 
permitted\n",
+                   d, gfn_l,
+                   mfn_x(omfn), cur_order, ot, a,
+                   mfn_x(mfn), order, gfn_p2mt, access);
+            domain_crash(d);
+            return -EPERM;
+        }
+
+        if ( access == a )
+        {
+            gfn_unlock(p2m, gfn, order);
+            return 0;
+        }
     }
     else if ( p2m_is_ram(ot) )
     {
--
generated by git-patchbot for /home/xen/git/xen.git#master

Prev by Date: [xen master] gnttab: maptrack handle shortage is not IOMMU related
Next by Date: [xen master] x86/cpuid: expose NullSelectorClearsBase CPUID bit to guests
Previous by thread: [xen master] gnttab: maptrack handle shortage is not IOMMU related
Next by thread: [xen master] x86/cpuid: expose NullSelectorClearsBase CPUID bit to guests
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.