[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.13] VT-d: avoid NULL deref on domain_context_mapping_one() error paths



commit d64d46685c776b39d5c640a0ad2727fa0938273c
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Apr 8 15:21:33 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Apr 8 15:21:33 2022 +0200

    VT-d: avoid NULL deref on domain_context_mapping_one() error paths
    
    First there's a printk() which actually wrongly uses pdev in the first
    place: We want to log the coordinates of the (perhaps fake) device
    acted upon, which may not be pdev.
    
    Then it was quite pointless for eb19326a328d ("VT-d: prepare for per-
    device quarantine page tables (part I)") to add a domid_t parameter to
    domain_context_unmap_one(): It's only used to pass back here via
    me_wifi_quirk() -> map_me_phantom_function(). Drop the parameter again.
    
    Finally there's the invocation of domain_context_mapping_one(), which
    needs to be passed the correct domain ID. Avoid taking that path when
    pdev is NULL and the quarantine state is what would need restoring to.
    This means we can't security-support non-PCI-Express devices with RMRRs
    (if such exist in practice) any longer; note that as of trhe 1st of the
    two commits referenced below assigning them to DomU-s is unsupported
    anyway.
    
    Fixes: 8f41e481b485 ("VT-d: re-assign devices directly")
    Fixes: 14dd241aad8a ("IOMMU/x86: use per-device page tables for 
quarantining")
    Coverity ID: 1503784
    Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    master commit: 608394b906e71587f02e6662597bc985bad33a5a
    master date: 2022-04-07 12:30:19 +0200
---
 xen/drivers/passthrough/vtd/extern.h |  2 +-
 xen/drivers/passthrough/vtd/iommu.c  | 34 +++++++++++++++++++---------------
 xen/drivers/passthrough/vtd/quirks.c |  2 +-
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/xen/drivers/passthrough/vtd/extern.h 
b/xen/drivers/passthrough/vtd/extern.h
index 897dcff9ff..fbe951b2fa 100644
--- a/xen/drivers/passthrough/vtd/extern.h
+++ b/xen/drivers/passthrough/vtd/extern.h
@@ -89,7 +89,7 @@ int domain_context_mapping_one(struct domain *domain, struct 
vtd_iommu *iommu,
                                const struct pci_dev *pdev, domid_t domid,
                                paddr_t pgd_maddr, unsigned int mode);
 int domain_context_unmap_one(struct domain *domain, struct vtd_iommu *iommu,
-                             uint8_t bus, uint8_t devfn, domid_t domid);
+                             uint8_t bus, uint8_t devfn);
 int intel_iommu_get_reserved_device_memory(iommu_grdm_t *func, void *ctxt);
 
 unsigned int io_apic_read_remap_rte(unsigned int apic, unsigned int reg);
diff --git a/xen/drivers/passthrough/vtd/iommu.c 
b/xen/drivers/passthrough/vtd/iommu.c
index 4b0d6a873c..cb3ba3e409 100644
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1527,7 +1527,7 @@ int domain_context_mapping_one(
                 check_cleanup_domid_map(domain, pdev, iommu);
             printk(XENLOG_ERR
                    "%04x:%02x:%02x.%u: unexpected context entry %016lx_%016lx 
(expected %016lx_%016lx)\n",
-                   pdev->seg, pdev->bus, PCI_SLOT(devfn), PCI_FUNC(devfn),
+                   seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn),
                    (uint64_t)(res >> 64), (uint64_t)res,
                    (uint64_t)(old >> 64), (uint64_t)old);
             rc = -EILSEQ;
@@ -1595,9 +1595,14 @@ int domain_context_mapping_one(
 
     if ( rc )
     {
-        if ( !prev_dom )
-            domain_context_unmap_one(domain, iommu, bus, devfn,
-                                     DEVICE_DOMID(domain, pdev));
+        if ( !prev_dom ||
+             /*
+              * Unmapping here means DEV_TYPE_PCI devices with RMRRs (if such
+              * exist) would cause problems if such a region was actually
+              * accessed.
+              */
+             (prev_dom == dom_io && !pdev) )
+            domain_context_unmap_one(domain, iommu, bus, devfn);
         else if ( prev_dom != domain ) /* Avoid infinite recursion. */
             domain_context_mapping_one(prev_dom, iommu, bus, devfn, pdev,
                                        DEVICE_DOMID(prev_dom, pdev),
@@ -1734,7 +1739,9 @@ static int domain_context_mapping(struct domain *domain, 
u8 devfn,
          * Strictly speaking if the device is the only one behind this bridge
          * and the only one with this (secbus,0,0) tuple, it could be allowed
          * to be re-assigned regardless of RMRR presence.  But let's deal with
-         * that case only if it is actually found in the wild.
+         * that case only if it is actually found in the wild.  Note that
+         * dealing with this just here would still not render the operation
+         * secure.
          */
         else if ( prev_present && (mode & MAP_WITH_RMRR) &&
                   domain != pdev->domain )
@@ -1800,7 +1807,7 @@ static int domain_context_mapping(struct domain *domain, 
u8 devfn,
 int domain_context_unmap_one(
     struct domain *domain,
     struct vtd_iommu *iommu,
-    uint8_t bus, uint8_t devfn, domid_t domid)
+    uint8_t bus, uint8_t devfn)
 {
     struct context_entry *context, *context_entries;
     u64 maddr;
@@ -1852,7 +1859,8 @@ int domain_context_unmap_one(
     unmap_vtd_domain_page(context_entries);
 
     if ( !iommu->drhd->segment && !rc )
-        rc = me_wifi_quirk(domain, bus, devfn, domid, 0, 
UNMAP_ME_PHANTOM_FUNC);
+        rc = me_wifi_quirk(domain, bus, devfn, DOMID_INVALID, 0,
+                           UNMAP_ME_PHANTOM_FUNC);
 
     if ( rc && !is_hardware_domain(domain) && domain != dom_io )
     {
@@ -1906,8 +1914,7 @@ static const struct acpi_drhd_unit *domain_context_unmap(
             printk(VTDPREFIX "d%d:PCIe: unmap %04x:%02x:%02x.%u\n",
                    domain->domain_id, seg, bus,
                    PCI_SLOT(devfn), PCI_FUNC(devfn));
-        ret = domain_context_unmap_one(domain, iommu, bus, devfn,
-                                       DEVICE_DOMID(domain, pdev));
+        ret = domain_context_unmap_one(domain, iommu, bus, devfn);
         if ( !ret && devfn == pdev->devfn && ats_device(pdev, drhd) > 0 )
             disable_ats_device(pdev);
 
@@ -1917,8 +1924,7 @@ static const struct acpi_drhd_unit *domain_context_unmap(
         if ( iommu_debug )
             printk(VTDPREFIX "d%d:PCI: unmap %04x:%02x:%02x.%u\n",
                    domain->domain_id, seg, bus, PCI_SLOT(devfn), 
PCI_FUNC(devfn));
-        ret = domain_context_unmap_one(domain, iommu, bus, devfn,
-                                       DEVICE_DOMID(domain, pdev));
+        ret = domain_context_unmap_one(domain, iommu, bus, devfn);
         if ( ret )
             break;
 
@@ -1941,12 +1947,10 @@ static const struct acpi_drhd_unit 
*domain_context_unmap(
             break;
         }
 
-        ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn,
-                                       DEVICE_DOMID(domain, pdev));
+        ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn);
         /* PCIe to PCI/PCIx bridge */
         if ( !ret && pdev_type(seg, tmp_bus, tmp_devfn) == 
DEV_TYPE_PCIe2PCI_BRIDGE )
-            ret = domain_context_unmap_one(domain, iommu, secbus, 0,
-                                           DEVICE_DOMID(domain, pdev));
+            ret = domain_context_unmap_one(domain, iommu, secbus, 0);
 
         break;
 
diff --git a/xen/drivers/passthrough/vtd/quirks.c 
b/xen/drivers/passthrough/vtd/quirks.c
index 4d54c21136..2b8a2bd9c6 100644
--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -363,7 +363,7 @@ static int __must_check map_me_phantom_function(struct 
domain *domain,
                                         domid, pgd_maddr, mode);
     else
         rc = domain_context_unmap_one(domain, drhd->iommu, 0,
-                                      PCI_DEVFN(dev, 7), domid);
+                                      PCI_DEVFN(dev, 7));
 
     return rc;
 }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.