1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
From c61d4264d26d1ffb26563bfb6dc2f0b06cd72128 Mon Sep 17 00:00:00 2001
From: Teddy Astie <teddy.astie@vates.tech>
Date: Tue, 13 Aug 2024 16:47:19 +0200
Subject: [PATCH 11/35] x86/IOMMU: move tracking in iommu_identity_mapping()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If for some reason xmalloc() fails after having mapped the reserved
regions, an error is reported, but the regions remain mapped in the P2M.
Similarly if an error occurs during set_identity_p2m_entry() (except on
the first call), the partial mappings of the region would be retained
without being tracked anywhere, and hence without there being a way to
remove them again from the domain's P2M.
Move the setting up of the list entry ahead of trying to map the region.
In cases other than the first mapping failing, keep record of the full
region, such that a subsequent unmapping request can be properly torn
down.
To compensate for the potentially excess unmapping requests, don't log a
warning from p2m_remove_identity_entry() when there really was nothing
mapped at a given GFN.
This is XSA-460 / CVE-2024-31145.
Fixes: 2201b67b9128 ("VT-d: improve RMRR region handling")
Fixes: c0e19d7c6c42 ("IOMMU: generalize VT-d's tracking of mapped RMRR regions")
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: beadd68b5490ada053d72f8a9ce6fd696d626596
master date: 2024-08-13 16:36:40 +0200
---
xen/arch/x86/mm/p2m.c | 8 +++++---
xen/drivers/passthrough/x86/iommu.c | 30 ++++++++++++++++++++---------
2 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index e7e327d6a6..1739133fc2 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1267,9 +1267,11 @@ int p2m_remove_identity_entry(struct domain *d, unsigned long gfn_l)
else
{
gfn_unlock(p2m, gfn, 0);
- printk(XENLOG_G_WARNING
- "non-identity map d%d:%lx not cleared (mapped to %lx)\n",
- d->domain_id, gfn_l, mfn_x(mfn));
+ if ( (p2mt != p2m_invalid && p2mt != p2m_mmio_dm) ||
+ a != p2m_access_n || !mfn_eq(mfn, INVALID_MFN) )
+ printk(XENLOG_G_WARNING
+ "non-identity map %pd:%lx not cleared (mapped to %lx)\n",
+ d, gfn_l, mfn_x(mfn));
ret = 0;
}
diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c
index cc0062b027..8b1e0596b8 100644
--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -267,24 +267,36 @@ int iommu_identity_mapping(struct domain *d, p2m_access_t p2ma,
if ( p2ma == p2m_access_x )
return -ENOENT;
- while ( base_pfn < end_pfn )
- {
- int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag);
-
- if ( err )
- return err;
- base_pfn++;
- }
-
map = xmalloc(struct identity_map);
if ( !map )
return -ENOMEM;
+
map->base = base;
map->end = end;
map->access = p2ma;
map->count = 1;
+
+ /*
+ * Insert into list ahead of mapping, so the range can be found when
+ * trying to clean up.
+ */
list_add_tail(&map->list, &hd->arch.identity_maps);
+ for ( ; base_pfn < end_pfn; ++base_pfn )
+ {
+ int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag);
+
+ if ( !err )
+ continue;
+
+ if ( (map->base >> PAGE_SHIFT_4K) == base_pfn )
+ {
+ list_del(&map->list);
+ xfree(map);
+ }
+ return err;
+ }
+
return 0;
}
--
2.46.1
|
GitWeb