Re: [Xen-devel] [PATCH] x86/msi: Validate the guest-identified PCI devices in pci_prepare_msix()
On Wed, Jan 22, 2014 at 12:24:11AM +0000, Andrew Cooper wrote:
> As of c/s 1035bb64fd7fd9f05c510466d98566fd82e37ad9
> "PCI: break MSI-X data out of struct pci_dev_info"
>
> pdev->msix is now conditional on whether the device actually has MSI-X
> capabilities or not, so validate it before blindly dereferencing what amounts
> to a guest-controlled parameter.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>

Reported-and-Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>

> CC: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
>
> ---
>
> This has only been compile tested, but is quite obviously needed to prevent
> the NULL structure dereference.

And it does fix that particular problem. Now I have another crash. See
attached (and relevant part inlined).

..
[ 19.223716] xen: registering gsi 19 triggering 0 polarity 1
[ 19.229300] Already setup the GSI :19
(XEN) [2014-01-22 12:27:07] ----[ Xen-4.4-rc2 x86_64 debug=y Tainted: C ]----
(XEN) [2014-01-22 12:27:07] CPU: 0 (XEN0000000000000
(XEN) [2014-01-22 12:27:07] rdx: 00000000f1e80000 rsi: 0000000000000200 rdi: ffff82d080281f20
(XEN) [2014-01-22 12:27:07] rbp: ffff82d0802cfca8 rsp: ffff82d0802cfc08 r8: 000000000000001c
(XEN) [2014-01-22 12:27:07] r9: 00000000ffffffff r10: ffff82d080238f20 r11: 0000000000000202
(XEN) [2014-01-22 12:27:07] r12: 0000000000000000 r13: ffff83023f65db70 r14: ffff82d0802cfe98
(XEN) [2014-01-22 12:27:07] r15: 0000000000000000 cr0: 0000000080050033 cr4: 00000000001526f0
(XEN) [2014-01-22 12:27:07] cr3: 000000021db62000 cr2: 0000000000000004
(XEN) [2014-01-22 12:27:07] ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) [2014-01-22 12:27:07] Xen stack trace from rsp=ffff82d0802cfc08:
(XEN) [2014-01-22 12:27:07] Xen call trace:
(XEN) [2014-01-22 12:27:07] [<ffff82d0801683a2>] msix_capability_init+0x1dc/0x603
(XEN) [2014-01-22 12:27:07] [<ffff82d080168987>] pci_enable_msi+0x1be/0x4d7
(XEN) [2014-01-22 12:27:07] [<ffff82d08016c65c>] map_domain_pirq+0x222/0x5ad
(XEN) [2014-01-22 12:27:07] [<ffff82d08017f104>] physdev_map_pirq+0x507/0x5d1
(XEN) [2014-01-22 12:27:07] [<ffff82d08017f814>] do_physdev_op+0x646/0x119e
(XEN) [2014-01-22 12:27:07] [<ffff82d08022231b>] syscall_enter+0xeb/0x145
(XEN) [2014-01-22 12:27:07]
(XEN) [2014-01-22 12:27:07] Pagetable walk from 0000000000000004:
(XEN) [2014-01-22 12:27:07] L4[0x000] = 000000021db66067 000000000006cb75
(XEN) [2014-01-22 12:27:07] L3[0x000] = 000000021db65067 000000000006cb76
(XEN) [2014-01-22 12:27:07] L2[0x000] = 0000000000000000 ffffffffffffffff
(XEN) [2014-01-22 12:27:07]
(XEN) [2014-01-22 12:27:07] ****************************************
(XEN) [2014-01-22 12:27:07] Panic on CPU 0:
(XEN) [2014-01-22 12:27:07] FATAL PAGE FAULT
(XEN) [2014-01-22 12:27:07] [error_code=0000]
(XEN) [2014-01-22 12:27:07] Faulting linear address: 0000000000000004
(XEN) [2014-01-22 12:27:07] ****************************************
(XEN) [2014-01-22 12:27:07]
(XEN) [2014-01-22 12:27:07] Manual reset required ('noreboot' specified)

Attachment: tst035-4.4-pci_prepare_msix-patch.txt

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
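
The check described in the quoted commit message, modelled as an added example (this is not the Xen patch or Xen code): a guest-supplied seg/bus/devfn is looked up, and both the device pointer and its optional MSI-X pointer are validated before anything is dereferenced. The names `pdev_model`, `msix_model`, `find_pdev` and `prepare_msix_model` are hypothetical, and the device table is constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not Xen's structures. msix stays NULL when the
 * device has no MSI-X capability, as the commit message describes. */
struct msix_model { unsigned int nr_entries, used; };
struct pdev_model {
    uint16_t seg;
    uint8_t bus, devfn;
    struct msix_model *msix;            /* optional per-device state */
};

static struct msix_model nic_msix = { 8, 0 };
static struct pdev_model devices[] = {  /* constructed sample inventory */
    { 0, 0x05, 0x00, &nic_msix },       /* MSI-X capable device */
    { 0, 0x00, 0xf8, NULL },            /* device without MSI-X */
};

static struct pdev_model *find_pdev(uint16_t seg, uint8_t bus, uint8_t devfn)
{
    for (size_t i = 0; i < sizeof(devices) / sizeof(devices[0]); i++)
        if (devices[i].seg == seg && devices[i].bus == bus &&
            devices[i].devfn == devfn)
            return &devices[i];
    return NULL;
}

/* seg/bus/devfn come from the guest, so every step is checked.
 * Returns the MSI-X table size, or a negative errno value. */
int prepare_msix_model(uint16_t seg, uint8_t bus, uint8_t devfn)
{
    struct pdev_model *pdev = find_pdev(seg, bus, devfn);

    if (pdev == NULL)
        return -ENODEV;     /* guest named a device that is not present */
    if (pdev->msix == NULL)
        return -ENODEV;     /* present, but no MSI-X state to dereference */
    pdev->msix->used++;     /* safe only after both checks */
    return (int)pdev->msix->nr_entries;
}

int main(void)
{
    printf("%d %d %d\n", prepare_msix_model(0, 0x05, 0x00),
           prepare_msix_model(0, 0x00, 0xf8), prepare_msix_model(0, 0x7f, 0));
    return 0;
}
```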