[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v3 1/7] x86/vioapic: Add ioapic_check() to validate IO-APIC state before restore

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: "Julian Vetter" <julian.vetter@xxxxxxxxxx>
Date: Mon, 09 Mar 2026 12:31:02 +0000
Cc: "Jan Beulich" <jbeulich@xxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, "Roger Pau Monné" <roger.pau@xxxxxxxxxx>, "Anthony PERARD" <anthony.perard@xxxxxxxxxx>, "Michal Orzel" <michal.orzel@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, "Juergen Gross" <jgross@xxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, "Julian Vetter" <julian.vetter@xxxxxxxxxx>
Delivery-date: Mon, 09 Mar 2026 12:31:11 +0000
Feedback-id: 30504962:30504962.20260309:md
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Register a check callback for the IOAPIC HVM save/restore entry,
following the pattern established by vpic_check() for the virtual PIC.
The function first verifies the target domain actually has a virtual
IO-APIC, returning -ENODEV otherwise. It then iterates all redirection
table entries and rejects any saved state where reserved bit fields are
non-zero, ensuring the state being loaded, represents actually reachable
hardware state before the restore is committed.

Signed-off-by: Julian Vetter <julian.vetter@xxxxxxxxxx>
---
Changes in V3:
- As suggested by Jan, added new patch that does a generic check of the
  vIOAPIC state before migration
---
 xen/arch/x86/hvm/vioapic.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
index 7c725f9e47..b9acdd8af6 100644
--- a/xen/arch/x86/hvm/vioapic.c
+++ b/xen/arch/x86/hvm/vioapic.c
@@ -594,6 +594,35 @@ int vioapic_get_trigger_mode(const struct domain *d, 
unsigned int gsi)
     return vioapic->redirtbl[pin].fields.trig_mode;
 }
 
+static int cf_check ioapic_check(const struct domain *d, hvm_domain_context_t 
*h)
+{
+    const HVM_SAVE_TYPE(IOAPIC) *s;
+    unsigned int i;
+
+    if ( !has_vioapic(d) )
+        return -ENODEV;
+
+    s = hvm_get_entry(IOAPIC, h);
+    if ( !s )
+        return -ENODATA;
+
+    for ( i = 0; i < ARRAY_SIZE(s->redirtbl); i++ )
+    {
+        const union vioapic_redir_entry *e = &s->redirtbl[i];
+
+        /*
+         * Check to-be-loaded values are within valid range, for them to
+         * represent actually reachable state.
+         */
+        if ( e->fields.reserve ||
+             e->fields.reserved[0] || e->fields.reserved[1] ||
+             e->fields.reserved[2] || e->fields.reserved[3] )
+            return -EINVAL;
+    }
+
+    return 0;
+}
+
 static int cf_check ioapic_save(struct vcpu *v, hvm_domain_context_t *h)
 {
     const struct domain *d = v->domain;
-- 
2.51.0



--
 | Vates

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

Follow-Ups:
- Re: [PATCH v3 1/7] x86/vioapic: Add ioapic_check() to validate IO-APIC state before restore
  - From: Jan Beulich
- [PATCH v3 6/7] x86/dmop: Add XEN_DMOP_enable_ext_dest_id DM op
  - From: Julian Vetter
- [PATCH v3 5/7] x86/dmop: Add XEN_DMOP_{bind,unbind}_pt_msi_irq DM ops
  - From: Julian Vetter
- [PATCH v3 3/7] x86/hvm: Support extended destination IDs in virtual MSI and IO-APIC
  - From: Julian Vetter
- [PATCH v3 4/7] x86/passthrough: Use extended destination ID in PT MSI bind/unbind
  - From: Julian Vetter
- [PATCH v3 7/7] x86/cpuid: Advertise XEN_HVM_CPUID_EXT_DEST_ID when device model opts in
  - From: Julian Vetter
- [PATCH v3 2/7] x86/msi: Define extended destination ID masks and IO-APIC RTE fields
  - From: Julian Vetter

Prev by Date: [PATCH v3 2/7] x86/msi: Define extended destination ID masks and IO-APIC RTE fields
Next by Date: [PATCH v3 7/7] x86/cpuid: Advertise XEN_HVM_CPUID_EXT_DEST_ID when device model opts in
Previous by thread: [PATCH 0/2] Allow using BGRT table under Xen dom0
Next by thread: [PATCH v3 2/7] x86/msi: Define extended destination ID masks and IO-APIC RTE fields
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.