[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [BUG] x86/hvm/vioapic: 8-Bit IOREGSEL write does not work



On Tue, Sep 05, 2017 at 08:26:20PM +0200, Christian Prochaska wrote:
> I've seen this problem with Xen 4.6.5 from the Xubuntu 16.04
> distribution and from a quick look over the current vioapic code it
> seems to be still present.
> 
> From the IOAPIC datasheet [1]: "To reference an IOAPIC register, a byte
> memory write that the PIIX3 decodes for the IOAPIC loads the IOREGSEL
> Register with an 8-bit value that specifies the IOAPIC register (address
> offset in Table 3.2) to be accessed."

IOREGSEL is a 32bit field, with bits 31:8 marked as reserved.

> But the 'vioapic_write()' function does not consider the 'length' argument
> and always copies 4 Bytes from the unsigned long 'val' argument into the
> virtual 32-Bit IOREGSEL register. In the error case I've seen, 'length'
> was 1 and 'val' was 0xffff8300bb0cf801 and the IOAPIC version register
> with address offset 0x01 was not read correctly.

OK, so it means that the guest is writing garbage to the reserved
bits, which is against the spec.

The following patch should solve this, but keep in mind that your
guest is not well-behaved, it's writing this garbage to IOREGSEL, and
that's why it breaks.

Roger.
---8<---
diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
index 72cae935ac..4d8b5a4dbe 100644
--- a/xen/arch/x86/hvm/vioapic.c
+++ b/xen/arch/x86/hvm/vioapic.c
@@ -324,7 +324,7 @@ static int vioapic_write(
     switch ( addr & 0xff )
     {
     case VIOAPIC_REG_SELECT:
-        vioapic->ioregsel = val;
+        vioapic->ioregsel = val & 0xff;
         break;
 
     case VIOAPIC_REG_WINDOW:


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.