[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.15] VT-d: fix deassign of device with RMRR

commit 3b98d9f35a9edd2502ff9466341132baa6664cc3
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Oct 1 15:05:42 2021 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 5 19:49:03 2021 +0100

    VT-d: fix deassign of device with RMRR
    Ignoring a specific error code here was not meant to short circuit
    deassign to _just_ the unmapping of RMRRs. This bug was previously
    hidden by the bogus (potentially indefinite) looping in
    pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
    cleanup continue when device de-assignment failed") fixed that loop.
    This is CVE-2021-28702 / XSA-386.
    Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
    Reported-by: Ivan Kardykov <kardykov@xxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Tested-by: Ivan Kardykov <kardykov@xxxxxxxxx>
    (cherry picked from commit 24ebe875a77833696bbe5c9372e9e1590a7e7101)
 xen/drivers/passthrough/vtd/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/drivers/passthrough/vtd/iommu.c 
index 3dac8ad79f..affdf88b7e 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -2387,7 +2387,7 @@ static int reassign_device_ownership(
                 ret = iommu_identity_mapping(source, p2m_access_x,
                                              rmrr->end_address, 0);
-                if ( ret != -ENOENT )
+                if ( ret && ret != -ENOENT )
                     return ret;
generated by git-patchbot for /home/xen/git/xen.git#staging-4.15



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.