xenbits.xensource.com Git - people/iwj/xen.git/commit

author	Julien Grall <julien.grall@arm.com>
	Tue, 20 Jun 2017 12:41:55 +0000 (14:41 +0200)
committer	Jan Beulich <jbeulich@suse.com>
	Tue, 20 Jun 2017 12:41:55 +0000 (14:41 +0200)
commit	c84e4b2dd4050ef3eecc13fcfa6842373ba4519c
tree	bb25f90d2c153a51040fc03f5864b5480dd2bd5e	tree
parent	a0cce6048d010a30ac82f8db7787bbf9aada64f4	commit \| diff

arm: vgic: Don't update the LR when the IRQ is not enabled

gic_raise_inflight_irq will be called if the IRQ is already inflight
(i.e the IRQ is injected to the guest). If the IRQ is already already in
the LRs, then the associated LR will be updated.

To know if the interrupt is already in the LR, the function check if the
interrupt is queued. However, if the interrupt is not enabled then the
interrupt may not be queued nor in the LR. So gic_update_one_lr may be
called (if we inject on the current vCPU) and read the LR.

Because the interrupt is not in the LR, Xen will either read:
    * LR 0 if the interrupt was never injected before
    * LR 255 (GIC_INVALID_LR) if the interrupt was injected once. This
    is because gic_update_one_lr will reset p->lr.

Reading LR 0 will result to potentially update the wrong interrupt and
not keep the LRs in sync with Xen.

Reading LR 255 will result to:
    * Crash Xen on GICv3 as the LR index is bigger than supported (see
    gicv3_ich_read_lr).
    * Read/write always GICH_LR + 255 * 4 that is not part of the memory
    mapped.

The problem can be prevented by checking whether the interrupt is
enabled in gic_raise_inflight_irq before calling gic_update_one_lr.

A follow-up of this patch is expected to mitigate the issue in the
future.

This is XSA-223.

Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>