xenbits.xensource.com Git - xen.git/commit

author	Jan Beulich <jbeulich@suse.com>
	Tue, 5 Apr 2022 12:17:42 +0000 (14:17 +0200)
committer	Jan Beulich <jbeulich@suse.com>
	Tue, 5 Apr 2022 12:17:42 +0000 (14:17 +0200)
commit	8f41e481b4852173909363b88c1ab3da747d3a05
tree	11d63c97647e627dc818b4f55fce48d7f8f79df6	tree
parent	a680b8134b2d1828bbbf443a97feea66e8a85c75	commit \| diff

VT-d: re-assign devices directly

Devices with RMRRs, due to it being unspecified how/when the specified
memory regions may get accessed, may not be left disconnected from their
respective mappings (as long as it's not certain that the device has
been fully quiesced). Hence rather than unmapping the old context and
then mapping the new one, re-assignment needs to be done in a single
step.

This is CVE-2022-26359 / part of XSA-400.

Reported-by: Roger Pau Monné <roger.pau@citrix.com>
Similarly quarantining scratch-page mode relies on page tables to be
continuously wired up.

To avoid complicating things more than necessary, treat all devices
mostly equally, i.e. regardless of their association with any RMRRs. The
main difference is when it comes to updating context entries, which need
to be atomic when there are RMRRs. Yet atomicity can only be achieved
with CMPXCHG16B, availability of which we can't take for given.

The seemingly complicated choice of non-negative return values for
domain_context_mapping_one() is to limit code churn: This way callers
passing NULL for pdev don't need fiddling with.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

xen/drivers/passthrough/vtd/extern.h		diff \| blob \| blame \| history
xen/drivers/passthrough/vtd/iommu.c		diff \| blob \| blame \| history
xen/drivers/passthrough/vtd/iommu.h		diff \| blob \| blame \| history
xen/drivers/passthrough/vtd/quirks.c		diff \| blob \| blame \| history
xen/drivers/passthrough/vtd/vtd.h		diff \| blob \| blame \| history