[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Nonsensical XSM Flask denial
- To: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Thu, 17 Mar 2022 18:14:39 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dVE8PLr6JI/Nd2ykEKLVHl0Y75xEmROfphuKRhYshvA=; b=QdWzTm2EbKZdpYy93GXue4EppGSQqEZsRbboVX6pAFDehLyaHCBdWshLltkf8zn52+8oTdTJy/KKWm3Wr93jW7mb89RS8U1AMl+mnbFUD9qm+1Bhwdo4mxhm6R9REW9zH1lxFO/2Pk2rhqEd8gv+8Q5mslRzlRVWP3Q+ZUOVtfAv/hn1r3aAqvf5yLmoh17Qt+8HERbIp4hHEFDVh4oRk4tNY+gvLuDhXVvuD0iI1Gnf6ZPzefkj1v/6SFHUPXNvX3MEoBtb1IT5EidYpOa4rY/BLkCCYFFD83mgXjqXWn8WLhYqQ6pOPZ96uJs0d9Kw9b9j/M90IC5t+D/AW/ESQQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gv/Ck6Z+WigWEcGnzn4H17CRlObCqqV2e19mYu59ZI1ESlfoWWvfFxSZovyuaJb8wd2b1cM3G+AAayJ9J1kdD4bGMa8/aep3igQWSXOhzNTtx2XEGDISme5lTOcjEbjUcU6OLTOWVGlUjAHWVfYMJQxbajBwOcXGQRY+ImFAkfbyYuRXohZmrVlWSwjM13HtED6ciI7pljzseUamH+SmAQWNbmCSyrUAosmNW6KVF5efsgslAkeeglR9+dn8RNHwsZBkIFQwaW57VE1m6ytVFJL85U3v4MtgfebxALbK1IB4ESdbNmvcFZaeOe1Lntil9Z7jNii1f0jZTaMhcc9h1g==
- Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Delivery-date: Thu, 17 Mar 2022 18:14:55 +0000
- Ironport-data: A9a23:xYcWpahCr+Z7fKY3Om3Px9xnX161aRAKZh0ujC45NGQN5FlHY01je htvXm3QbvyPZmujedEjbN/n9ElV7JCEzN83QAFvrShmFXwb9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oDJ9CU6jefSLlbFILas1hpZHGeIcw98z0M78wIFqtQw24LhWFrS4 YmaT/D3YzdJ5RYlagr41IrbwP9flKyaVOQw5wFWiVhj5TcyplFNZH4tDfjZw0jQG+G4KtWSV efbpIxVy0uCl/sb5nFJpZ6gGqECaua60QFjERO6UYD66vRJjnRaPqrWqJPwwKqY4tmEt4kZ9 TlDiXC/YQtzY/PVvM0yagJROgFjAaF4yYXrGEHq5KR/z2WeG5ft6/BnDUVwNowE4OdnR2pJ8 JT0KhhUMErF3bjvhuvmFK883azPL+GyVG8bklhmwSvUErANRpfbTr+RzdRZwC0xloZFGvO2i 88xN2c+PUuaP0Mn1lE/LqMUvOuQmVrESjhnrGqNhYkezTjo9VkkuFTqGIWMIYHbLSlPpW6Iq 2SD82nnDxUyMN2E1SHD4n+qnvXIny7wRMQVDrLQ3vxjhlGJ13EQIBITXFq/5/K+jyaDt8l3c hJOvHB09O5rqRLtHoKVswCETGCsskRBBcN0OsID8wik6rfo7zioPEQ9d2sUADA5j/MeSTsv3 16PutrmAz1zrbGYIU6gGqeoQSCaYnZMczJbDcMQZU5cuoS4/tlv5v7aZow7eJNZmOEZDt0ZL 9qiiCElz4segscQv0lQ1QCW2mn8znQlo+Nc2+k2Yo5Hxl4hDGJGT9bxgbQ+0RqmBNzFJrVml CJY8/VyFMhUUfmweNWlGY3h5o2B6fefKyH7ilVyBZQn/DnF0yf9Id8MvW4nfhkxbZtsldrVj Kn74185CHh7ZifCUEOKS9jpV5RCIVbISLwJqcw4nvIRO8MsJWdrDQllZFKK3nCFraTfufpXB HtvSu71VSxyIf0+lFKeHr5BuZd2lnFW7T6CHvjTkkX4uYdykVbIEN/pxnPVNbtnhE5FyS2Im +ti2zyikEwODrehPnGJreb+7zkidBAGOHw/kOQOHsarKQt6AmAxTfjXxLIqYYt+mKpJ0OzP+ xmAtoVwkjITWVWvxd22V01e
- Ironport-hdrordr: A9a23:j1wniau96nS7FLw1139RWgrq7skCwYMji2hC6mlwRA09TyXGra +TdaUguSMc1gx9ZJh5o6H7BEEZKUmsuaKdkrNhQItKOzOW91dATbsSoLcKpgePJ8SQzJ866U 4NSdkcNDS0NykAsS+Y2nj3Lz9D+qj/zEnAv463pB0NLT2CKZsQlzuRYjzrSnGeLzM2YKbRYa Dsgfav0ADQHUj/AP7LZEUtbqzmnZnmhZjmaRkJC1oM8w+Vlw6l77b8Dlyxwgoeeykn+8ZizU H11yjCoomzufCyzRHRk0XJ6Y5NpdfnwtxfQOSRl8kuLCn2gArAXvUgZ1TChkF3nAic0idurD D+mWZlAy210QKXQoiBm2qu5+An6kdp15at8y7AvZKpm72EeNtzMbs/uWseSGqD16NohqAM7E oAtVjpyaZ/HFfOmj/w6MPPUAwvnk2ooWA6mepWlHBHV5ACAYUh5bD30XklZqvoJhiKobzP0d Meef309bJTaxeXfnrZtm5gzJilWWkyBA6PRgwHttaO2zZbkXhlxw9ArfZv1Eso5dY4Ud1J9u 7EOqNnmPVHSdIXd7t0AKMETdGsAmLATBrQOCaZIEjhFqsAJ3XRwqSHq4kd9aWvYtgF3ZEykJ POXBdRsnMzYVvnDYmU0JhC4nn2MRKAtPTWu7VjDrRCy87BreDQQF2+oXgV4rmdn8k=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYOifTdUK/S2+tpU+tNQxc6h7KEazD4WoA
- Thread-topic: Nonsensical XSM Flask denial
On 17/03/2022 17:52, Jason Andryuk wrote:
> I shut down a domU (HVM dom9 w/ Linux stubdom dom10) with a single PCI
> device assigned. Xen logged the following Flask denial for a second
> PVH dom5 (uivm) without any PCI devices assigned. This is Xen 4.14.4.
>
> (XEN) avc: denied { remove_irq } for domid=5 irq=17
> scontext=system_u:system_r:uivm_t
> tcontext=system_u:object_r:shared_irq_t tclass=resource
>
> Domain 5 as uivm_t and irq 17 as shared_irq_t both look correct. But
> it doesn't make sense that uivm would make a hypercall for an irq.
>
> Could this be from RCU calling complete_domain_destroy() when current
> is dom5 (uivm)? What would current be set to when RCU runs its
> callbacks?
RCU runs in softirq context, so yes - (almost) any use of current would
be bogus.
But I can't spot any overlap between the physdevop_unmap_pirq XSM check,
and complete_domain_destroy().
Any chance you can reproduce this with a WARN() in the AVC denied path,
so we can see what's going on here?
~Andrew
|