|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [Xen-devel] Xen Advisory 5 (CVE-2011-3131) IOMMU fault livelock
Catching up on an old thread ... If I understand correctly, the proposal is to check for VT-d faults in do_softirq() handler. If so, we probably don't even need to enable VT-d MSI interrupt at all if iommu_debug is not set, basically handling VT-d faults with polling method. This sounds fine to me as long as we still turn on VT-d MSI interrupt for iommu_debug case. Allen -----Original Message----- From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jan Beulich Sent: Tuesday, August 16, 2011 8:59 AM To: Tim Deegan Cc: xen-devel@xxxxxxxxxxxxxxxxxxx; Xen.org security team Subject: Re: [Xen-devel] Xen Advisory 5 (CVE-2011-3131) IOMMU fault livelock >>> On 16.08.11 at 17:06, Tim Deegan <tim@xxxxxxx> wrote: > At 08:03 +0100 on 16 Aug (1313481813), Jan Beulich wrote: >> >>> On 15.08.11 at 11:26, Tim Deegan <tim@xxxxxxx> wrote: >> > At 15:48 +0100 on 12 Aug (1313164084), Jan Beulich wrote: >> >> >>> On 12.08.11 at 16:09, Tim Deegan <tim@xxxxxxx> wrote: >> >> > At 14:53 +0100 on 12 Aug (1313160824), Jan Beulich wrote: >> >> >> > This issue is resolved in changeset 23762:537ed3b74b3f of >> >> >> > xen-unstable.hg, and 23112:84e3706df07a of xen-4.1-testing.hg. >> >> >> >> >> >> Do you really think this helps much? Direct control of the device means >> >> >> it could also (perhaps on a second vCPU) constantly re-enable the bus >> >> >> mastering bit. >> >> > >> >> > That path goes through qemu/pciback, so at least lets Xen schedule the >> >> > dom0 tools. >> >> >> >> Are you sure? If (as said) the guest uses a second vCPU for doing the >> >> config space accesses, I can't see how this would save the pCPU the >> >> fault storm is occurring on. >> > >> > Hmmm. Yes, I see what you mean. >> >> Actually, a second vCPU may not even be needed: Since the "fault" >> really is an external interrupt, if that one gets handled on a pCPU other >> than the one the guest's vCPU is running on, it could execute such a >> loop even in that case. >> >> As to yesterdays softirq-based handling thoughts - perhaps the clearing >> of the bus master bit on the device should still be done in the actual IRQ >> handler, while the processing of the fault records could be moved out to >> a softirq. > > Hmmm. I like the idea of using a softirq but in fact by the time we've > figured out which BDF to silence we've pretty much done handling the > fault. Ugly, but yes, indeed. > Reading the VTd docs it looks like we can just ack the IOMMU fault > interrupt and it won't send any more until we clear the log, so we can > leave the whole business to a softirq. Delaying that might cause the > log to overflow, but that's not necessarily the end of the world. > Looks like we can do the same on AMD by disabling interrupt generation > in the main handler and reenabling it in the softirq. > > Is there any situation where we rally care terribly about the IOfault > logs overflowing? As long as older entries don't get overwritten, I don't think that's going to be problematic. The more that we basically shut off the offending device(s). Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |