[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V3 1/1] amd/iommu: Fix infinite loop due to ivrs_bdf_entries larger than 16-bit value



On 12/29/2013 06:34 PM, suravee.suthikulpanit@xxxxxxx wrote:
From: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>

Certain AMD systems could have upto 0x10000 ivrs_bdf_entries.
However, the loop variable (bdf) is declared as u16 which causes
inifinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
This patch changes the variable to u32 instead.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
V3:
        - More places found in iommu_acpi.c
        - Add signed off message.
V2:
        - Fix in more places as pointed out by Andrew
  xen/drivers/passthrough/amd/iommu_acpi.c |   17 +++++++++++------
  xen/drivers/passthrough/amd/iommu_init.c |   13 +++++++------
  2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu_acpi.c 
b/xen/drivers/passthrough/amd/iommu_acpi.c
index fca2037..b396e0e 100644
--- a/xen/drivers/passthrough/amd/iommu_acpi.c
+++ b/xen/drivers/passthrough/amd/iommu_acpi.c
@@ -159,7 +159,7 @@ static int __init register_exclusion_range_for_all_devices(
      int seg = 0; /* XXX */
      unsigned long range_top, iommu_top, length;
      struct amd_iommu *iommu;
-    u16 bdf;
+    u32 bdf;
/* is part of exclusion range inside of IOMMU virtual address space? */
      /* note: 'limit' parameter is assumed to be page-aligned */
@@ -237,7 +237,8 @@ static int __init 
register_exclusion_range_for_iommu_devices(
      unsigned long base, unsigned long limit, u8 iw, u8 ir)
  {
      unsigned long range_top, iommu_top, length;
-    u16 bdf, req;
+    u32 bdf;
+    u16 req;
/* is part of exclusion range inside of IOMMU virtual address space? */
      /* note: 'limit' parameter is assumed to be page-aligned */
@@ -292,7 +293,8 @@ static int __init parse_ivmd_device_range(
      const struct acpi_ivrs_memory *ivmd_block,
      unsigned long base, unsigned long limit, u8 iw, u8 ir)
  {
-    u16 first_bdf, last_bdf, bdf;
+    u16 first_bdf, last_bdf;
+    u32 bdf;
      int error;

Shouldn't first_bdf and last_bdf be u32 as well?

There is, for example, a loop in this routine

    for ( bdf = first_bdf, error = 0; (bdf <= last_bdf) && !error; bdf++ )

And in routines below as well.


-boris

first_bdf = ivmd_block->header.device_id;
@@ -430,7 +432,8 @@ static u16 __init parse_ivhd_device_range(
      const struct acpi_ivhd_device_range *range,
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    u16 dev_length, first_bdf, last_bdf;
+    u32 bdf;
dev_length = sizeof(*range);
      if ( header_length < (block_length + dev_length) )
@@ -511,7 +514,8 @@ static u16 __init parse_ivhd_device_alias_range(
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {
- u16 dev_length, first_bdf, last_bdf, alias_id, bdf;
+    u16 dev_length, first_bdf, last_bdf, alias_id;
+    u32 bdf;
dev_length = sizeof(*range);
      if ( header_length < (block_length + dev_length) )
@@ -590,7 +594,8 @@ static u16 __init parse_ivhd_device_extended_range(
      const struct acpi_ivhd_device_extended_range *range,
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    u16 dev_length, first_bdf, last_bdf;
+    u32 bdf;
dev_length = sizeof(*range);
      if ( header_length < (block_length + dev_length) )
diff --git a/xen/drivers/passthrough/amd/iommu_init.c 
b/xen/drivers/passthrough/amd/iommu_init.c
index b431d16..c410465 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -524,8 +524,8 @@ static hw_irq_controller iommu_maskable_msi_type = {
static void parse_event_log_entry(struct amd_iommu *iommu, u32 entry[])
  {
-    u16 domain_id, device_id, bdf, flags;
-    u32 code;
+    u16 domain_id, device_id, flags;
+    u32 code, bdf;
      u64 *addr;
      int count = 0;
      static const char *const event_str[] = {
@@ -1103,7 +1103,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct 
ivrs_mappings *))
do {
          struct ivrs_mappings *map;
-        int bdf;
+        u32 bdf;
if ( !radix_tree_gang_lookup(&ivrs_maps, (void **)&map, seg, 1) )
              break;
@@ -1118,7 +1118,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct 
ivrs_mappings *))
  static int __init alloc_ivrs_mappings(u16 seg)
  {
      struct ivrs_mappings *ivrs_mappings;
-    int bdf;
+    u32 bdf;
BUG_ON( !ivrs_bdf_entries ); @@ -1156,7 +1156,7 @@ static int __init alloc_ivrs_mappings(u16 seg)
  static int __init amd_iommu_setup_device_table(
      u16 seg, struct ivrs_mappings *ivrs_mappings)
  {
-    int bdf;
+    u32 bdf;
      void *intr_tb, *dte;
BUG_ON( (ivrs_bdf_entries == 0) );
@@ -1306,7 +1306,8 @@ static void invalidate_all_domain_pages(void)
  static int _invalidate_all_devices(
      u16 seg, struct ivrs_mappings *ivrs_mappings)
  {
-    int bdf, req_id;
+    u32 bdf;
+    u16 req_id;
      unsigned long flags;
      struct amd_iommu *iommu;


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.