xenbits.xensource.com Git - xen.git/commit

author	Roger Pau Monné <roger.pau@citrix.com>
	Tue, 15 Dec 2020 13:14:34 +0000 (14:14 +0100)
committer	Jan Beulich <jbeulich@suse.com>
	Tue, 15 Dec 2020 13:14:34 +0000 (14:14 +0100)
commit	d785e076b36111899ef9ee2340f2da9375afc9f5
tree	1d270c2dbeb8f2ea2adac37b696b93ac16c08229	tree
parent	d8f08a44bc8da1401a9731667daecdb9b213c073	commit \| diff

x86/irq: fix infinite loop in irq_move_cleanup_interrupt

If Xen enters irq_move_cleanup_interrupt with a dynamic vector below
IRQ_MOVE_CLEANUP_VECTOR pending in IRR (0x20 or 0x21) that's also
designated for a cleanup it will enter a loop where
irq_move_cleanup_interrupt continuously sends a cleanup IPI (vector
0x22) to itself while waiting for the vector with lower priority to be
injected - which will never happen because IRQ_MOVE_CLEANUP_VECTOR
takes precedence and it's always injected first.

Fix this by making sure vectors below IRQ_MOVE_CLEANUP_VECTOR are
marked as used and thus not available for APs. Also add some logic to
assert and prevent irq_move_cleanup_interrupt from entering such an
infinite loop, albeit that should never happen given the current code.

This is XSA-356 / CVE-2020-29567.

Fixes: 3fba06ba9f8 ('x86/IRQ: re-use legacy vector ranges on APs')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: ca85682e8c16361fdf3814c9b25a2ec3ff4f8bed
master date: 2020-12-15 13:42:16 +0100