renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-26 22:24:09 +08:00
Code
a396f3a210
linux-next/drivers
History
Konrad Rzeszutek Wilk a396f3a210 xen/pciback: Do not install an IRQ handler for MSI interrupts. 
Otherwise an guest can subvert the generic MSI code to trigger
an BUG_ON condition during MSI interrupt freeing:

 for (i = 0; i < entry->nvec_used; i++)
        BUG_ON(irq_has_action(entry->irq + i));

Xen PCI backed installs an IRQ handler (request_irq) for
the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
done in case the device has legacy interrupts the GSI line
is shared by the backend devices.

To subvert the backend the guest needs to make the backend
to change the dev->irq from the GSI to the MSI interrupt line,
make the backend allocate an interrupt handler, and then command
the backend to free the MSI interrupt and hit the BUG_ON.

Since the backend only calls 'request_irq' when the guest
writes to the PCI_COMMAND register the guest needs to call
XEN_PCI_OP_enable_msi before any other operation. This will
cause the generic MSI code to setup an MSI entry and
populate dev->irq with the new PIRQ value.

Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
and cause the backend to setup an IRQ handler for dev->irq
(which instead of the GSI value has the MSI pirq). See
'xen_pcibk_control_isr'.

Then the guest disables the MSI: XEN_PCI_OP_disable_msi
which ends up triggering the BUG_ON condition in 'free_msi_irqs'
as there is an IRQ handler for the entry->irq (dev->irq).

Note that this cannot be done using MSI-X as the generic
code does not over-write dev->irq with the MSI-X PIRQ values.

The patch inhibits setting up the IRQ handler if MSI or
MSI-X (for symmetry reasons) code had been called successfully.

P.S.
Xen PCIBack when it sets up the device for the guest consumption
ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
XSA-120 addendum patch removed that - however when upstreaming said
addendum we found that it caused issues with qemu upstream. That
has now been fixed in qemu upstream.

This is part of XSA-157

CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2015-12-18 10:48:34 -05:00
..
accessibility
acpi ACPICA: Tables: Fix FADT dependency regression 2015-10-14 22:48:13 +02:00
amba
android mm: mark most vm_operations_struct const 2015-09-10 13:29:01 -07:00
ata Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-09-03 16:55:55 -07:00
atm solos-pci: Increase headroom on received packets 2015-09-17 21:29:07 -07:00
auxdisplay
base PM / Domains: Fix validation of latency constraints in genpd governor 2015-10-14 02:34:43 +02:00
bcma
block xen-blkback: read from indirect descriptors only once 2015-12-18 10:00:37 -05:00
bluetooth Bluetooth: hci_bcm: Fix crash on suspend 2015-08-28 21:09:14 +02:00
bus arm-cci500: Don't enable PMU driver by default 2015-09-28 16:31:17 -07:00
cdrom
char Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2015-09-26 21:05:23 -04:00
clk Partially revert "clk: mvebu: Convert to clk_hw based provider APIs" 2015-10-14 11:28:17 -07:00
clocksource clocksource/drivers/keystone: Fix bad NO_IRQ usage 2015-09-29 14:33:51 +02:00
connector
cpufreq cpufreq: intel_pstate: Fix divide by zero on Knights Landing (KNL) 2015-10-15 22:46:33 +02:00
cpuidle Additional power management and ACPI material for v4.3-rc1 2015-09-11 19:11:06 -07:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2015-09-26 21:05:23 -04:00
dca
devfreq PM / devfreq: fix double kfree 2015-10-02 11:05:58 +09:00
dio
dma dmaengine fixes for 4.3-rc4 2015-10-02 14:46:15 -04:00
dma-buf
edac edac updates for v4.3-rc1 2015-09-11 16:21:12 -07:00
eisa
extcon extcon: Fix attached value returned by is_extcon_changed 2015-09-21 15:07:19 +09:00
firewire
firmware arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions 2015-10-01 12:51:28 +02:00
fmc
gpio Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-18 08:11:42 -07:00
gpu drm/virtio: use %llu format string form atomic64_t 2015-10-16 11:36:36 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-09-04 12:02:11 -07:00
hsi mm: mark most vm_operations_struct const 2015-09-10 13:29:01 -07:00
hv Drivers: hv: vmbus: fix init_vp_index() for reloading hv_netvsc 2015-09-20 22:44:51 -07:00
hwmon hwmon: (pwm-fan) Fix module autoload for OF platform driver 2015-09-20 17:50:19 -07:00
hwspinlock
hwtracing/coresight
i2c i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348 2015-10-18 14:11:08 +02:00
ide
idle intel_idle: Skylake Client Support - updated 2015-09-10 14:03:44 -04:00
iio This is the bulk of GPIO changes for the v4.3 kernel cycle: 2015-09-04 10:07:45 -07:00
infiniband Changes for 4.3-rc5 2015-10-15 13:44:35 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-10-16 17:39:27 -07:00
iommu IOMMU Fixes for Linux v4.3-rc5 2015-10-13 10:09:59 -07:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-10-04 11:40:09 +01:00
isdn libnvdimm for 4.3: 2015-09-08 14:35:59 -07:00
leds leds:lp55xx: Correct Kconfig dependency for f/w user helper 2015-09-17 10:02:20 +02:00
lguest
macintosh powerpc updates for 4.3 2015-09-03 16:41:38 -07:00
mailbox Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2015-09-05 18:11:04 -07:00
mcb mcb: Fix error handling in mcb_pci_probe() 2015-10-05 05:10:01 +01:00
md dm thin: fix missing pool reference count decrement in pool_ctr error path 2015-10-13 12:20:55 -04:00
media media updates for v4.3-rc1 2015-09-11 16:42:39 -07:00
memory IOMMU Updates for Linux v4.3 2015-09-08 17:22:35 -07:00
memstick
message mptfusion: prevent some memory corruption 2015-08-26 07:11:45 -07:00
mfd mfd: max77843: Fix max77843_chg_init() return on error 2015-10-01 16:31:42 +01:00
misc powerpc fixes for 4.3 #3 2015-10-16 12:07:43 -07:00
mmc mmc: sdhci-of-at91: use SDHCI_QUIRK2_NEED_DELAY_AFTER_INT_CLK_RST quirk 2015-10-08 19:55:05 +02:00
mtd A few MTD fixes: 2015-10-07 09:35:15 +01:00
net xen-netback: use RING_COPY_REQUEST() throughout 2015-12-18 10:00:28 -05:00
nfc This is the bulk of GPIO changes for the v4.3 kernel cycle: 2015-09-04 10:07:45 -07:00
ntb NTB: Fix range check on memory window index 2015-09-07 15:27:12 -04:00
nubus
nvdimm pmem: add proper fencing to pmem_rw_page() 2015-09-17 11:49:28 -04:00
nvmem nvmem: sunxi: Check for memory allocation failure 2015-10-04 12:09:43 +01:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-09-26 06:01:33 -04:00
oprofile
parisc PCI: Revert "PCI: Call pci_read_bridge_bases() from core instead of arch code" 2015-09-15 13:18:04 -05:00
parport
pci genirq/msi: Do not use pci_msi_[un]mask_irq as default methods 2015-10-16 12:40:43 +02:00
pcmcia pcmcia: soc_common: remove skt_dev_info's clk pointer 2015-09-03 16:01:03 +01:00
perf
phy phy: berlin-sata: Fix module autoload for OF platform driver 2015-09-25 17:01:14 +05:30
pinctrl pinctrl: uniphier: fix input enable settings for PH1-sLD8 2015-10-02 04:06:26 -07:00
platform platform-drivers-x86 for 4.3-2 2015-09-17 21:41:02 -07:00
pnp
power power supply and reset fixes for the v4.3 series 2015-09-17 12:25:42 -07:00
powercap powercap / RAPL: disable the 2nd power limit properly 2015-08-29 01:46:40 +02:00
pps
ps3
ptp
pwm pwm: Changes for v4.3-rc1 2015-09-09 10:55:32 -07:00
rapidio
ras
regulator Merge remote-tracking branch 'regulator/fix/axp20x' into regulator-linus 2015-10-06 12:00:42 +01:00
remoteproc
reset reset: ath79: Fix missing spin_lock_init 2015-09-01 14:48:40 +02:00
rpmsg
rtc rtc: abx80x: fix RTC write bit 2015-09-05 19:37:31 +02:00
s390 virtio: fixes on top of 4.3-rc1 2015-09-18 09:28:20 -07:00
sbus
scsi SCSI fixes on 20151010 2015-10-11 10:02:30 -07:00
sfi
sh SH Drivers Updates for v4.3 2015-09-21 12:02:27 -07:00
sn
soc genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
spi Merge remote-tracking branches 'spi/fix/davinci' and 'spi/fix/sh-msiof' into spi-linus 2015-10-07 11:43:39 +01:00
spmi genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
ssb
staging mm, fs: obey gfp_mapping for add_to_page_cache() 2015-10-16 11:42:28 -07:00
target iscsi-target: Avoid OFMarker + IFMarker negotiation 2015-09-24 23:24:46 -07:00
tc
thermal thermal: avoid division by zero in power allocator 2015-10-01 21:42:35 -04:00
thunderbolt thunderbolt: Allow loading of module on recent Apple MacBooks with thunderbolt 2 controller 2015-09-20 15:20:11 -07:00
tty tty/hvc: xen: Use xen page definition 2015-10-23 14:20:37 +01:00
uio
usb usb: Add device quirk for Logitech PTZ cameras 2015-10-04 11:01:13 +01:00
uwb
vfio
vhost virtio: fixes on top of 4.3-rc1 2015-09-18 09:28:20 -07:00
video video: of: fix memory leak 2015-10-07 14:13:59 +03:00
virt
virtio virtio_balloon: do not change memory amount visible via /proc/meminfo 2015-09-08 13:32:11 +03:00
vlynq
vme
w1 Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
watchdog watchdog: iTCO: Fix dependencies on I2C 2015-09-28 10:56:10 +02:00
xen xen/pciback: Do not install an IRQ handler for MSI interrupts. 2015-12-18 10:48:34 -05:00
zorro
Kconfig Merge branch 'for-linus' of git://ftp.arm.linux.org.uk/~rmk/linux-arm 2015-09-03 16:27:01 -07:00
Makefile This is the bulk of pin control changes for the v4.3 development 2015-09-04 10:22:09 -07:00