[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.12] VT-d: fix deassign of device with RMRR



commit 95172a6347111247287ca6d7966aff69aa379965
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Oct 1 15:05:42 2021 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 5 19:49:16 2021 +0100

    VT-d: fix deassign of device with RMRR
    
    Ignoring a specific error code here was not meant to short circuit
    deassign to _just_ the unmapping of RMRRs. This bug was previously
    hidden by the bogus (potentially indefinite) looping in
    pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
    cleanup continue when device de-assignment failed") fixed that loop.
    
    This is CVE-2021-28702 / XSA-386.
    
    Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
    Reported-by: Ivan Kardykov <kardykov@xxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Tested-by: Ivan Kardykov <kardykov@xxxxxxxxx>
    (cherry picked from commit 24ebe875a77833696bbe5c9372e9e1590a7e7101)
---
 xen/drivers/passthrough/vtd/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/drivers/passthrough/vtd/iommu.c 
b/xen/drivers/passthrough/vtd/iommu.c
index ef33111fd0..d8393d31d8 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -2353,7 +2353,7 @@ static int reassign_device_ownership(
                 ret = iommu_identity_mapping(source, p2m_access_x,
                                              rmrr->base_address,
                                              rmrr->end_address, 0);
-                if ( ret != -ENOENT )
+                if ( ret && ret != -ENOENT )
                     return ret;
             }
     }
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.12



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.