Xen project Mailing List

[PATCH 2/2] VT-d: avoid infinite recursion on domain_context_mapping_one() error path

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 6 Apr 2022 14:25:13 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yucVFPGauWfslPNN5yRCj46l5cke1hJdmEdynBbWakE=; b=EYPTyFNgGSW5YNjn3w85cUAKqq7Mmob5yZelliLBaXXs+iMA8AJ1gcNjYE82EC48Yo0//5fqfEqW4GYvNS+TKmNhKtbfhDBIquZlwz91fY+qC1t1lx/APytnZOgxOzZMfksgHVtUFvp9AEIkfip5sOd8DcWoPaq4i7e58R/E0A/4DrJcmNTAoPdopFEudQhPVn73yA+Md0inYVRPXE0oa33Ob2ryNQvjnaP36fc9L67Wm02BLu0qMfFbhZFzLZWleQ+r1gSEQl/HNs+h1EEh3mT4N2it5fDhCy/i8/6gIo1tBw9TXSmd0XAxlot5qni3DrSgiE2s0EHgdX2c+Ugvog==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jFv+KzQxgT2zWYy9ZiL3EvQqHJ772/EolD1dyTuK56r7UTtdQdtmrZXN2p6mnVNXt9EbJh99Q/84ozMka8nVL7eXhKTUxmFFGv/7YScWKOvp0BxeG6ea2gvc17qDPJSHx2AXS30NBZUMbvqDUHuIu6+DFyjnwFDstaHNVhcaBT6ZVBZ1kNaNMSWp9w6ByMOKCo3ayRTK3sWWxYaVoStwIhp1B0sUWPeM2sBUHr561A2ZseSMKs/wL0ckuKxPpyyCV+yiw4iKjWVb/ONv6ZZMtyBYn9lFMnSIx0RmUQZY0Aj9uuQd7oNxAs0dFBEENWeJ01uc4l4hGH0fIi9jDhDIow==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>

Delivery-date: Wed, 06 Apr 2022 12:25:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Despite the comment there infinite recursion was still possible, by flip-flopping between two domains. This is because prev_dom is derived from the DID found in the context entry, which was already updated by the time error recovery is invoked. Simply introduce yet another mode flag to detect the situation and cancel further recursion attempts. Fixes: 8f41e481b485 ("VT-d: re-assign devices directly") Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -1608,11 +1608,13 @@ int domain_context_mapping_one( */ (prev_dom == dom_io && !pdev) ) ret = domain_context_unmap_one(domain, iommu, bus, devfn); - else if ( prev_dom != domain ) /* Avoid infinite recursion. */ + /* Avoid infinite recursion. */ + else if ( prev_dom != domain && !(mode & MAP_ERROR_RECOVERY) ) ret = domain_context_mapping_one(prev_dom, iommu, bus, devfn, pdev, DEVICE_DOMID(prev_dom, pdev), DEVICE_PGTABLE(prev_dom, pdev), - mode & MAP_WITH_RMRR) < 0; + (mode & MAP_WITH_RMRR) | + MAP_ERROR_RECOVERY) < 0; else ret = 1; --- a/xen/drivers/passthrough/vtd/vtd.h +++ b/xen/drivers/passthrough/vtd/vtd.h @@ -29,7 +29,8 @@ #define MAP_WITH_RMRR (1u << 0) #define MAP_OWNER_DYING (1u << 1) #define MAP_SINGLE_DEVICE (1u << 2) -#define UNMAP_ME_PHANTOM_FUNC (1u << 3) +#define MAP_ERROR_RECOVERY (1u << 3) +#define UNMAP_ME_PHANTOM_FUNC (1u << 4) /* Allow for both IOAPIC and IOSAPIC. */ #define IO_xAPIC_route_entry IO_APIC_route_entry

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.