Xen project Mailing List

Re: [PATCH for-4.22? 8/9] x86/domctl: don't imply I/O port permissions from I/O port mapping

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 16 Jun 2026 12:09:35 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/2DM5oA962p0FCbZ79ZqsSjpfWuSDMGjke80jnPspQc=; b=anrUhWFCvJ8f4Fzp85xcumNQptEQmmA/dC+mBGx7b+G9+Ty3pv9siWQh8qO5EaQutLXJJN5u2u2EWh8UxfgvLfNG/DHCvJPUTm5CS+JpAqQqRk3hUs2QxP/uf9ipTiAm4gruSqsjSH23DSJySFLT8z3Kvr1YiN62DNcKR4RIfO2V6ZE8L1BRAuWRoUHkRHw7QJKqpM1Hv8NmH0ai1lSTgnCIu0Hx09pn3ZV2U2n91X0Aw2Uh6LLuQztjRnWa51qAToOJ3piyVmdhK30PaFpAF75LeSsqZ4ycBE4X3jekugk8aKgAX/Znat0M72njBB9fOahnw7hyPdqbghmB11lP8g==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=vAN5w2xCYg0kA3b9BXf4Vj6MegA95OHouTl1TQa/QS7XeVbeg37n0xy2o7Ec47A9tmtdMn6U6UcOtc9KPsrLWG+NGJU/C9H+aWYSikMDQFuaOUg+mL8t6yvp1VSKitaAW+E6Ntqgf7s9flniZ+9jcRER+PuTyy1k4od1kXPtEhIvr8lImjkW2akRYttAr6hYE6/GMiqCdEygxDH6esyPOESebslw4HLQA2caZ82IBhG0hkN3/c3tP+FBeKZHDzJuHXiXRFBZyRNM2aEyR+S7+V1QOb6AfM9iRMq3WsPyCEoLmd5HAra0ttue9YyFyaqcTD0B9eqHM7TMMLK4D5ur9A==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>

Delivery-date: Tue, 16 Jun 2026 10:09:45 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Jun 16, 2026 at 11:36:53AM +0200, Jan Beulich wrote: > On 16.06.2026 11:21, Roger Pau Monné wrote: > > On Mon, Jun 15, 2026 at 04:16:11PM +0200, Jan Beulich wrote: > >> Rather than granting permissions when mapping (an operation that DM-s are > >> allowed to carry out, while they can't invoke ioport-permission), check > >> whether permissions actually were granted when adding a mapping. This then > >> also allows relaxing the necessary locking. > >> > >> Fixes: 192c4dabc344 ("domctl and p2m changes for PCI passthru") > >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > >> --- > >> libxl has libxl__grant_vga_iomem_permission(), but I can't spot any I/O > >> port equivalent (nor a revoke counterpart, btw). Everywhere else MMIO and > >> I/O ports look to be treated equally. > >> > >> Qemu uses both xc_domain_{iomem_permission,memory_mapping}() in > >> igd_write_opregion(), but only xc_domain_{memory,ioport}_mapping() in > >> xen_pt_region_update() and xen_pt_{,un}register_vga_regions(). Is the IGD > >> region special in any way? Clearly this can't work from a stubdom. > > Both of these remarks are relevant to your response below. I realize I should > have Cc-ed Anthony, for him to comment on them. Partially yes, but those are only for the callers we know. My comment was thinking about possible out-of-tree users. > >> --- a/xen/arch/x86/domctl.c > >> +++ b/xen/arch/x86/domctl.c > >> @@ -714,9 +714,14 @@ long arch_do_domctl( > >> break; > >> > >> hvm = &d->arch.hvm; > >> - iocaps_double_lock(d, true); > >> + /* > >> + * NB: The double lock isn't really needed when !add, but is used > >> anyway > >> + * to keep things simple. > >> + */ > >> + iocaps_double_lock(d, false); > >> > >> - if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) ) > >> + if ( !ioports_access_permitted(currd, fmp, fmp + np - 1) || > >> + (add && !ioports_access_permitted(d, fmp, fmp + np - 1)) ) > >> ret = -EPERM; > >> else if ( add ) > >> { > >> @@ -747,15 +752,6 @@ long arch_do_domctl( > >> list_add_tail(&g2m_ioport->list, &hvm->g2m_ioport_list); > >> } > >> write_unlock(&hvm->g2m_ioport_lock); > >> - if ( !ret ) > >> - ret = ioports_permit_access(d, fmp, fmp + np - 1); > >> - if ( ret && !found && g2m_ioport ) > >> - { > >> - write_lock(&hvm->g2m_ioport_lock); > >> - list_del(&g2m_ioport->list); > >> - write_unlock(&hvm->g2m_ioport_lock); > >> - xfree(g2m_ioport); > >> - } > >> } > >> else > >> { > >> @@ -772,15 +768,9 @@ long arch_do_domctl( > >> break; > >> } > >> write_unlock(&hvm->g2m_ioport_lock); > >> - > >> - ret = ioports_deny_access(d, fmp, fmp + np - 1); > >> - if ( ret && is_hardware_domain(currd) ) > >> - printk(XENLOG_ERR > >> - "ioport_map: error %ld denying dom%d access to > >> [%x,%x]\n", > >> - ret, d->domain_id, fmp, fmp + np - 1); > >> } > >> > >> - iocaps_double_unlock(d, true); > >> + iocaps_double_unlock(d, false); > > > > I think the new behavior is more sane, however the problematic aspect > > of this change is the removal case IMO: we cannot be sure whether > > existing callers rely on XEN_DOMCTL_ioport_mapping also removing the > > permissions, and hence Xen no longer removing the permissions might > > lead to leaks. > > > > This is a risk we might be willing to take, but it must be stated in > > the commit message. > > I've added > > "While no longer granting permissions upon mapping is "only" at risk of > breaking guests, no longer revoking permissions upon unmapping strictly > requires callers to additionally invoke XEN_DOMCTL_ioport_permission. Or > else a security issue would arise. In-tree code already does so." > > > And likely in a CHANGELOG entry so that external > > consumers are aware of this change and can adjust as necessary. > > Will do. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.