x86/EFI: avoid IOMMU faults on [_end,__2M_rwdata_end) Commit c9a4a1c419 ("x86/layout: Correct Xen's idea of its own memory layout") didn't go far enough with the conversion, causing IOMMU faults when memory from that range was handed to a domain. We must not make this memory available for allocation (the change is benign to xen.gz at this point in time). Note that the change to tboot_shutdown() is fixing another issue at once: As it looks, the function so far skipped all memory below the Xen image. Signed-off-by: Jan Beulich
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -922,7 +922,7 @@ void __init noreturn __start_xen(unsigne
 1UL << (PAGE_SHIFT + 32)) )
 e = min(HYPERVISOR_VIRT_END - DIRECTMAP_VIRT_START,
 1UL << (PAGE_SHIFT + 32));
-#define reloc_size ((__pa(&_end) + mask) & ~mask)
+#define reloc_size ((__pa(__2M_rwdata_end) + mask) & ~mask)
 /* Is the region suitable for relocating Xen? */
 if ( !xen_phys_start && e <= limit )
 {
@@ -1119,7 +1119,9 @@ void __init noreturn __start_xen(unsigne
 if ( !xen_phys_start )
 panic("Not enough memory to relocate Xen.");
- reserve_e820_ram(&boot_e820, __pa(&_start), __pa(&_end));
+
+ /* This needs to remain in sync with xen_in_range(). */
+ reserve_e820_ram(&boot_e820, __pa(_stext), __pa(__2M_rwdata_end));
 /* Late kexec reservation (dynamic start address). */
 kexec_reserve_area(&boot_e820);
@@ -1689,6 +1691,14 @@ int __hwdom_init xen_in_range(unsigned l
 /* S3 resume code (and other real mode trampoline code) */
 xen_regions[region_s3].s = bootsym_phys(trampoline_start);
 xen_regions[region_s3].e = bootsym_phys(trampoline_end);
+
+ /*
+ * This needs to remain in sync with the uses of the same symbols in
+ * - __start_xen() (above)
+ * - is_xen_fixed_mfn()
+ * - tboot_shutdown()
+ */
+
 /* hypervisor .text + .rodata */
 xen_regions[region_ro].s = __pa(&_stext);
 xen_regions[region_ro].e = __pa(&__2M_rodata_end);
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
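Review bot: The result of `reserve_e820_ram()` in the second setup.c hunk is discarded, yet this call is what keeps [_stext, __2M_rwdata_end) out of the allocator, which is the property the commit sets out to restore. If the function reports failure through its return value (its definition is not part of this diff), a failed reservation would silently leave Xen's own pages available for handing to a domain. A check along the lines of `if ( !reserve_e820_ram(&boot_e820, __pa(_stext), __pa(__2M_rwdata_end)) ) panic("Failed to reserve Xen image range");` would turn that into a boot-time failure instead. __start_xen() begins and ends outside the hunk.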
@@ -280,7 +280,7 @@ static void tboot_gen_xenheap_integrity(
 if ( !mfn_valid(_mfn(mfn)) )
 continue;
- if ( (mfn << PAGE_SHIFT) < __pa(&_end) )
+ if ( is_xen_fixed_mfn(mfn) )
 continue; /* skip Xen */
 if ( (mfn >= PFN_DOWN(g_tboot_shared->tboot_base - 3 * PAGE_SIZE))
 && (mfn < PFN_UP(g_tboot_shared->tboot_base
@@ -361,7 +361,8 @@ void tboot_shutdown(uint32_t shutdown_ty
 if ( shutdown_type == TB_SHUTDOWN_S3 )
 {
 /*
- * Xen regions for tboot to MAC
+ * Xen regions for tboot to MAC. This needs to remain in sync with
+ * xen_in_range().
 */
 g_tboot_shared->num_mac_regions = 3;
 /* S3 resume code (and other real mode trampoline code) */
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -298,7 +298,7 @@ SECTIONS
 }
 ASSERT(__image_base__ > XEN_VIRT_START ||
- _end <= XEN_VIRT_END - NR_CPUS * PAGE_SIZE,
+ __2M_rwdata_end <= XEN_VIRT_END - NR_CPUS * PAGE_SIZE,
 "Xen image overlaps stubs area")
 #ifdef CONFIG_KEXEC
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -252,8 +252,8 @@ struct spage_info
 #define is_xen_heap_mfn(mfn) \
 (__mfn_valid(mfn) && is_xen_heap_page(__mfn_to_page(mfn)))
 #define is_xen_fixed_mfn(mfn) \
- ((((mfn) << PAGE_SHIFT) >= __pa(&_start)) && \
- (((mfn) << PAGE_SHIFT) <= __pa(&_end)))
+ ((((mfn) << PAGE_SHIFT) >= __pa(&_stext)) && \
+ (((mfn) << PAGE_SHIFT) <= __pa(&__2M_rwdata_end)))
 #define PRtype_info "016lx"/* should only be used for printk's */
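Review bot: The frames skipped by `is_xen_fixed_mfn(mfn)` in tboot_gen_xenheap_integrity() are left out of this MAC, presumably because tboot covers the image through the regions set up in tboot_shutdown(), but nothing at the skip records that dependency. The region assignments in tboot_shutdown() lie outside both tboot.c hunks, so it is worth confirming that they span the whole [_stext, __2M_rwdata_end) range; any part that the macro skips and the MAC regions omit would go unverified across S3. Replacing `/* skip Xen */` with a comment such as `/* skip Xen image: MACed by tboot via the regions set in tboot_shutdown() */` would make the coupling visible. The function body continues outside the hunk.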
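Review bot: `is_xen_fixed_mfn()` in the mm.h hunk keeps the inclusive `<=` on its upper bound, while the reservation in __start_xen() passes `__pa(__2M_rwdata_end)` as the end of the range. If `__2M_rwdata_end` is page-aligned, as its name suggests, the macro also matches the first frame after the image, so tboot_gen_xenheap_integrity(), which now uses the macro, would leave one extra page out of its MAC. Using a strict comparison, `(((mfn) << PAGE_SHIFT) < __pa(&__2M_rwdata_end)))`, still covers a partially used last page and would line up with the reserved range. The macro would also benefit from the same "keep in sync with xen_in_range()" comment that the other three sites received.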