9e9b5acb9c
5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch - bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) xsa153-libxl.patch - bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) xsa149.patch - bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) xsa151.patch - bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) xsa152.patch - Dropped 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch 5604f239-x86-PV-properly-populate-descriptor-tables.patch - bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c CVE-2015-4037-qemuu-smb-config-dir-name.patch CVE-2015-4037-qemut-smb-config-dir-name.patch - bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table size to avoid integer overflows OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=382
121 lines
3.9 KiB
Diff
121 lines
3.9 KiB
Diff
References: bsc#907514 bsc#910258 bsc#918984 bsc#923967
|
|
|
|
# Commit a88b72fddd046a0978242411276861039ec99ad0
|
|
# Date 2015-07-23 10:13:12 +0200
|
|
# Author Jan Beulich <jbeulich@suse.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86/PCI: add config space abstract write intercept logic
|
|
|
|
This is to be used by MSI code, and later to also be hooked up to
|
|
MMCFG accesses by Dom0.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
|
--- a/xen/arch/x86/msi.c
|
|
+++ b/xen/arch/x86/msi.c
|
|
@@ -1108,6 +1108,12 @@ void pci_cleanup_msi(struct pci_dev *pde
|
|
msi_free_irqs(pdev);
|
|
}
|
|
|
|
+int pci_msi_conf_write_intercept(struct pci_dev *pdev, unsigned int reg,
|
|
+ unsigned int size, uint32_t *data)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
int pci_restore_msi_state(struct pci_dev *pdev)
|
|
{
|
|
unsigned long flags;
|
|
--- a/xen/arch/x86/pci.c
|
|
+++ b/xen/arch/x86/pci.c
|
|
@@ -67,3 +67,28 @@ void pci_conf_write(uint32_t cf8, uint8_
|
|
|
|
spin_unlock_irqrestore(&pci_config_lock, flags);
|
|
}
|
|
+
|
|
+int pci_conf_write_intercept(unsigned int seg, unsigned int bdf,
|
|
+ unsigned int reg, unsigned int size,
|
|
+ uint32_t *data)
|
|
+{
|
|
+ struct pci_dev *pdev;
|
|
+ int rc = 0;
|
|
+
|
|
+ /*
|
|
+ * Avoid expensive operations when no hook is going to do anything
|
|
+ * for the access anyway.
|
|
+ */
|
|
+ if ( reg < 64 || reg >= 256 )
|
|
+ return 0;
|
|
+
|
|
+ spin_lock(&pcidevs_lock);
|
|
+
|
|
+ pdev = pci_get_pdev(seg, PCI_BUS(bdf), PCI_DEVFN2(bdf));
|
|
+ if ( pdev )
|
|
+ rc = pci_msi_conf_write_intercept(pdev, reg, size, data);
|
|
+
|
|
+ spin_unlock(&pcidevs_lock);
|
|
+
|
|
+ return rc;
|
|
+}
|
|
--- a/xen/arch/x86/traps.c
|
|
+++ b/xen/arch/x86/traps.c
|
|
@@ -1708,8 +1708,8 @@ static int admin_io_okay(
|
|
return ioports_access_permitted(v->domain, port, port + bytes - 1);
|
|
}
|
|
|
|
-static bool_t pci_cfg_ok(struct domain *currd, bool_t write,
|
|
- unsigned int start, unsigned int size)
|
|
+static bool_t pci_cfg_ok(struct domain *currd, unsigned int start,
|
|
+ unsigned int size, uint32_t *write)
|
|
{
|
|
uint32_t machine_bdf;
|
|
|
|
@@ -1741,8 +1741,12 @@ static bool_t pci_cfg_ok(struct domain *
|
|
start |= CF8_ADDR_HI(currd->arch.pci_cf8);
|
|
}
|
|
|
|
- return !xsm_pci_config_permission(XSM_HOOK, currd, machine_bdf,
|
|
- start, start + size - 1, write);
|
|
+ if ( xsm_pci_config_permission(XSM_HOOK, currd, machine_bdf,
|
|
+ start, start + size - 1, !!write) != 0 )
|
|
+ return 0;
|
|
+
|
|
+ return !write ||
|
|
+ pci_conf_write_intercept(0, machine_bdf, start, size, write) >= 0;
|
|
}
|
|
|
|
uint32_t guest_io_read(
|
|
@@ -1796,7 +1800,7 @@ uint32_t guest_io_read(
|
|
size = min(bytes, 4 - (port & 3));
|
|
if ( size == 3 )
|
|
size = 2;
|
|
- if ( pci_cfg_ok(v->domain, 0, port & 3, size) )
|
|
+ if ( pci_cfg_ok(v->domain, port & 3, size, NULL) )
|
|
sub_data = pci_conf_read(v->domain->arch.pci_cf8, port & 3, size);
|
|
}
|
|
|
|
@@ -1869,7 +1873,7 @@ void guest_io_write(
|
|
size = min(bytes, 4 - (port & 3));
|
|
if ( size == 3 )
|
|
size = 2;
|
|
- if ( pci_cfg_ok(v->domain, 1, port & 3, size) )
|
|
+ if ( pci_cfg_ok(v->domain, port & 3, size, &data) )
|
|
pci_conf_write(v->domain->arch.pci_cf8, port & 3, size, data);
|
|
}
|
|
|
|
--- a/xen/include/asm-x86/pci.h
|
|
+++ b/xen/include/asm-x86/pci.h
|
|
@@ -15,4 +15,11 @@ struct arch_pci_dev {
|
|
vmask_t used_vectors;
|
|
};
|
|
|
|
+struct pci_dev;
|
|
+int pci_conf_write_intercept(unsigned int seg, unsigned int bdf,
|
|
+ unsigned int reg, unsigned int size,
|
|
+ uint32_t *data);
|
|
+int pci_msi_conf_write_intercept(struct pci_dev *, unsigned int reg,
|
|
+ unsigned int size, uint32_t *data);
|
|
+
|
|
#endif /* __X86_PCI_H__ */
|