[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [BUG] x86/hvm/vioapic: 8-Bit IOREGSEL write does not work

On 05/09/17 19:26, Christian Prochaska wrote:
> I've seen this problem with Xen 4.6.5 from the Xubuntu 16.04
> distribution and from a quick look over the current vioapic code it
> seems to be still present.
> From the IOAPIC datasheet [1]: "To reference an IOAPIC register, a byte
> memory write that the PIIX3 decodes for the IOAPIC loads the IOREGSEL
> Register with an 8-bit value that specifies the IOAPIC register (address
> offset in Table 3.2) to be accessed."
> But the 'vioapic_write()' function does not consider the 'length' argument
> and always copies 4 Bytes from the unsigned long 'val' argument into the
> virtual 32-Bit IOREGSEL register. In the error case I've seen, 'length'
> was 1 and 'val' was 0xffff8300bb0cf801 and the IOAPIC version register
> with address offset 0x01 was not read correctly.

That looks suspiciously like a Xen pointer, not a plausible val.

Irrespective, it is an error for the guest to issue anything other than
a 4 byte write into the IOREGSEL field, so we ought to be rejecting
length-1 accesses.

What instruction is the guest using to cause this behaviour to occur?


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.