
[xen staging-4.20] domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock



commit f7ec26e3b703c509012a8937a32bc9be10223323
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jun 4 21:39:31 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Jun 4 21:39:53 2026 +0100

    domctl: handle XEN_DOMCTL_ioport_mapping without acquiring domctl lock
    
    With dedicated locking added, the domctl lock isn't required here anymore.
    As the handling is in arch-specific code (x86 only), almost no code is
    being moved, but a 2nd (extensible to other sub-ops) invocation of
    arch_do_domctl() is being added. Move just the re-purposed dedicated XSM
    check as early as possible.
    
    In flask_domctl() don't put #ifdef around the moved case label.
    
    This is part of XSA-492.
    
    Fixes: fda49f9b3fbb ("Add build option to allow more hypercalls from 
stubdoms")
    Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Acked-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
    (cherry picked from commit 9ac94138a5f31b5325fe4401e5cd9e377bbedcdb)
---
 xen/arch/x86/domctl.c   | 9 ++++++---
 xen/common/domctl.c     | 4 ++++
 xen/include/xsm/dummy.h | 4 ++--
 xen/xsm/flask/hooks.c   | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 4d680a9fa5..585a8a7601 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -656,12 +656,15 @@ long arch_do_domctl(
             break;
         }
 
+        ret = xsm_ioport_mapping(XSM_DM_PRIV, d, fmp, fmp + np - 1, add);
+        if ( ret )
+            break;
+
         hvm = &d->arch.hvm;
         iocaps_double_lock(d, true);
 
-        if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ||
-             (ret = xsm_ioport_mapping(XSM_HOOK, d, fmp, fmp + np - 1, add)) )
-            ret = ret ?: -EPERM;
+        if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) )
+            ret = -EPERM;
         else if ( add )
         {
             printk(XENLOG_G_INFO
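Review bot: The new `xsm_ioport_mapping()` call and the `iocaps_double_lock(d, true)` section below it carry no comment saying that this case now runs without the domctl lock, which the commit description gives as the purpose of the change. I would add above the XSM call `/* Reached without the domctl lock: authorise first, then rely on iocaps_double_lock() for the updates below. */`. Keeping `ioports_access_permitted(currd, ...)` inside the locked region looks deliberate, since the caller's own port permissions could otherwise change between check and use; saying so in the comment would stop a later cleanup from hoisting it next to the XSM check. The case body starts and ends outside the hunk, so whether everything it touches is covered by that lock cannot be confirmed from here.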
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index af54577bb8..3bd55e76f6 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -427,6 +427,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
         goto domctl_out_unlock_domonly;
     }
 
+    case XEN_DOMCTL_ioport_mapping:
+        ret = arch_do_domctl(op, d, u_domctl);
+        goto domctl_out_unlock_domonly;
+
     default:
         /* Everything else handled further down. */
         break;
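Review bot: The new `case XEN_DOMCTL_ioport_mapping:` leaves through `domctl_out_unlock_domonly` before the generic path, so judging by the `default:` comment it skips both the domctl lock and the common `xsm_domctl()` check, and authorisation rests entirely on the hook inside `arch_do_domctl()`. That deserves a comment at the label, e.g. `/* No domctl lock, no xsm_domctl(): the arch handler does the dedicated XSM check itself. */`. The commit description says the handler is x86-only; on other architectures this call would presumably reach `arch_do_domctl()` with no XSM check in front of it, so it is worth confirming that their default path rejects the sub-op without side effects. do_domctl() starts and ends outside the hunk.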
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 1a8d692245..8a2c48ec14 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -167,12 +167,12 @@ static XSM_INLINE int cf_check xsm_domctl(
     XSM_ASSERT_ACTION(XSM_OTHER);
     switch ( cmd )
     {
-    case XEN_DOMCTL_ioport_mapping:
     case XEN_DOMCTL_bind_pt_irq:
     case XEN_DOMCTL_unbind_pt_irq:
         return xsm_default_action(XSM_DM_PRIV, current->domain, d);
 
     case XEN_DOMCTL_getdomaininfo:
+    case XEN_DOMCTL_ioport_mapping:
     case XEN_DOMCTL_memory_mapping:
         ASSERT_UNREACHABLE();
         return -EILSEQ;
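Review bot: The group that `XEN_DOMCTL_ioport_mapping` moves into in `xsm_domctl()` has no comment explaining why these sub-ops are treated as unreachable, whereas the matching group in `flask_domctl()` in this same commit is introduced by one. I would add the same line above `case XEN_DOMCTL_getdomaininfo:`, i.e. `/* These have individual XSM hooks and don't make it here. */`. The group returns `-EILSEQ` after the assertion, so a dispatch mistake fails closed even where the assertion is compiled out; the comment would make clear that this is the intent. The switch continues outside the hunk.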
@@ -771,7 +771,7 @@ static XSM_INLINE int cf_check xsm_ioport_permission(
 static XSM_INLINE int cf_check xsm_ioport_mapping(
     XSM_DEFAULT_ARG struct domain *d, uint32_t s, uint32_t e, uint8_t allow)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index ae0e5c06a1..aaa42f083c 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -682,6 +682,7 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd,
 
     /* These have individual XSM hooks and don't make it here. */
     case XEN_DOMCTL_getdomaininfo:
+    case XEN_DOMCTL_ioport_mapping:
     case XEN_DOMCTL_memory_mapping:
         ASSERT_UNREACHABLE();
         return -EILSEQ;
@@ -700,7 +701,6 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd,
     /* These have individual XSM hooks (arch/x86/domctl.c) */
     case XEN_DOMCTL_shadow_op:
     case XEN_DOMCTL_ioport_permission:
-    case XEN_DOMCTL_ioport_mapping:
     case XEN_DOMCTL_gsi_permission:
 #endif
 #ifdef CONFIG_HAS_PASSTHROUGH
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.20



 

