Re: [Xen-devel] [BUG] x86/hvm/vioapic: 8-Bit IOREGSEL write does not work
>>> On 06.09.17 at 11:58, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 05/09/17 19:26, Christian Prochaska wrote:
>> I've seen this problem with Xen 4.6.5 from the Xubuntu 16.04
>> distribution and from a quick look over the current vioapic code it
>> seems to be still present.
>>
>> From the IOAPIC datasheet [1]: "To reference an IOAPIC register, a byte
>> memory write that the PIIX3 decodes for the IOAPIC loads the IOREGSEL
>> Register with an 8-bit value that specifies the IOAPIC register (address
>> offset in Table 3.2) to be accessed."
>>
>> But the 'vioapic_write()' function does not consider the 'length' argument
>> and always copies 4 Bytes from the unsigned long 'val' argument into the
>> virtual 32-Bit IOREGSEL register. In the error case I've seen, 'length'
>> was 1 and 'val' was 0xffff8300bb0cf801 and the IOAPIC version register
>> with address offset 0x01 was not read correctly.
>
> That looks suspiciously like a Xen pointer, not a plausible val.

Considering length is 1, I'd assume this is a Xen pointer with
the low 8 bits overwritten with the actual value to be written
out.

> Irrespective, it is an error for the guest to issue anything other than
> a 4 byte write into the IOREGSEL field, so we ought to be rejecting
> length-1 accesses.

With what the referred to data sheet text says in mind I'm not
sure we shouldn't rather support 1-byte writes here. It
specifically also says "The IOWIN Register must be accessed as
a Dword quantity", so the same relaxation should not be done
there. Even checking much newer data sheets (ICH10, C600) they
still describe the register as an 8-bit one.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
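The length handling discussed in this thread, as an added example that is not part of the original messages and is not Xen's code: a minimal C model of an IOAPIC MMIO write handler that truncates `val` to the access length for IOREGSEL and drops non-Dword IOWIN accesses. The struct, the function names and the choice to accept only 1- and 4-byte IOREGSEL writes are assumptions; the register offsets are those of the 82093AA datasheet.

```c
#include <stdint.h>

/* Register offsets from the 82093AA IOAPIC datasheet. */
#define IOAPIC_IOREGSEL 0x00u
#define IOAPIC_IOWIN    0x10u

/* Hypothetical model state, not Xen's vioapic structure. Read-only
 * registers are not modelled; regs[] is a plain register file. */
struct ioapic_model {
    uint32_t ioregsel;   /* index selected through IOREGSEL */
    uint32_t regs[256];  /* indirect registers reached through IOWIN */
};

/* Keep only the bytes the guest wrote; the rest of val may be stale. */
static uint64_t truncate_to_length(uint64_t val, unsigned int length)
{
    return length >= 8 ? val : val & ((1ULL << (length * 8)) - 1);
}

/* Behaviour described in the report: length ignored, 4 bytes copied. */
uint32_t ioregsel_without_length_check(uint64_t val)
{
    return (uint32_t)val;
}

/* Returns 0 if the write was accepted, -1 if it was dropped. */
int ioapic_model_write(struct ioapic_model *m, uint32_t offset,
                       unsigned int length, uint64_t val)
{
    switch (offset) {
    case IOAPIC_IOREGSEL:
        /* Assumption: accept byte and Dword writes only. */
        if (length != 1 && length != 4)
            return -1;
        /* 8-bit register: bits above the index are ignored. */
        m->ioregsel = (uint32_t)truncate_to_length(val, length) & 0xffu;
        return 0;
    case IOAPIC_IOWIN:
        /* Datasheet: IOWIN must be accessed as a Dword quantity. */
        if (length != 4)
            return -1;
        m->regs[m->ioregsel] = (uint32_t)val;
        return 0;
    default:
        return -1;
    }
}
```

With the value from the report (`length` 1, `val` 0xffff8300bb0cf801) the unchecked copy selects index 0xbb0cf801, while the length-aware path selects 0x01.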