From patchwork Wed Apr 6 12:24:32 2022
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 12803328
Date: Wed, 6 Apr 2022 14:24:32 +0200
Subject: [PATCH 1/2] VT-d: avoid NULL deref on domain_context_mapping_one() error paths
From: Jan Beulich
To: xen-devel@lists.xenproject.org
Cc: Roger Pau Monné, Kevin Tian, Paul Durrant, Andrew Cooper, George Dunlap, Julien Grall, Stefano Stabellini, Wei Liu
First there's a printk() which actually wrongly uses pdev in the first place: We want to log the coordinates of the (perhaps fake) device acted upon, which may not be pdev.

Then it was quite pointless for eb19326a328d ("VT-d: prepare for per-device quarantine page tables (part I)") to add a domid_t parameter to domain_context_unmap_one(): It's only used to pass back here via me_wifi_quirk() -> map_me_phantom_function(). Drop the parameter again.

Finally there's the invocation of domain_context_mapping_one(), which needs to be passed the correct domain ID. Avoid taking that path when pdev is NULL and the quarantine state is what would need restoring to. This means we can't security-support PCI devices with RMRRs (if such exist in practice) any longer.

Fixes: 8f41e481b485 ("VT-d: re-assign devices directly")
Fixes: 14dd241aad8a ("IOMMU/x86: use per-device page tables for quarantining")
Coverity ID: 1503784
Reported-by: Andrew Cooper
Signed-off-by: Jan Beulich

--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -750,6 +750,10 @@ However, this feature can still confer s when used to remove drivers and backends from domain 0 (i.e., Driver Domains). +On VT-d (Intel hardware) passing through plain PCI (or PCI-X) devices +when they have associated Reserved Memory Regions (RMRRs) +is not security supported, if such a combination exists in the first place. + ### x86/Multiple IOREQ servers An IOREQ server provides emulated devices to HVM and PVH guests. --- a/xen/drivers/passthrough/vtd/extern.h +++ b/xen/drivers/passthrough/vtd/extern.h @@ -85,7 +85,7 @@ int domain_context_mapping_one(struct do const struct pci_dev *pdev, domid_t domid, paddr_t pgd_maddr, unsigned int mode); int domain_context_unmap_one(struct domain *domain, struct vtd_iommu *iommu, - uint8_t bus, uint8_t devfn, domid_t domid); + uint8_t bus, uint8_t devfn); int cf_check intel_iommu_get_reserved_device_memory( iommu_grdm_t *func, void *ctxt); --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -1533,7 +1533,7 @@ int domain_context_mapping_one( check_cleanup_domid_map(domain, pdev, iommu); printk(XENLOG_ERR "%pp: unexpected context entry %016lx_%016lx (expected %016lx_%016lx)\n", - &PCI_SBDF3(pdev->seg, pdev->bus, devfn), + &PCI_SBDF3(seg, bus, devfn), (uint64_t)(res >> 64), (uint64_t)res, (uint64_t)(old >> 64), (uint64_t)old); rc = -EILSEQ; @@ -1601,9 +1601,13 @@ int domain_context_mapping_one( if ( rc ) { - if ( !prev_dom ) - ret = domain_context_unmap_one(domain, iommu, bus, devfn, - DEVICE_DOMID(domain, pdev)); + if ( !prev_dom || + /* + * Unmapping here means PCI devices with RMRRs (if such exist) + * will cause problems if such a region was actually accessed. + */ + (prev_dom == dom_io && !pdev) ) + ret = domain_context_unmap_one(domain, iommu, bus, devfn); else if ( prev_dom != domain ) /* Avoid infinite recursion. */ ret = domain_context_mapping_one(prev_dom, iommu, bus, devfn, pdev, DEVICE_DOMID(prev_dom, pdev), 
@@ -1809,7 +1813,7 @@ static int domain_context_mapping(struct int domain_context_unmap_one( struct domain *domain, struct vtd_iommu *iommu, - uint8_t bus, uint8_t devfn, domid_t domid) + uint8_t bus, uint8_t devfn) { struct context_entry *context, *context_entries; u64 maddr; @@ -1867,7 +1871,8 @@ int domain_context_unmap_one( unmap_vtd_domain_page(context_entries); if ( !iommu->drhd->segment && !rc ) - rc = me_wifi_quirk(domain, bus, devfn, domid, 0, UNMAP_ME_PHANTOM_FUNC); + rc = me_wifi_quirk(domain, bus, devfn, DOMID_INVALID, 0, + UNMAP_ME_PHANTOM_FUNC); if ( rc && !is_hardware_domain(domain) && domain != dom_io ) { @@ -1916,8 +1921,7 @@ static const struct acpi_drhd_unit *doma if ( iommu_debug ) printk(VTDPREFIX "%pd:PCIe: unmap %pp\n", domain, &PCI_SBDF3(seg, bus, devfn)); - ret = domain_context_unmap_one(domain, iommu, bus, devfn, - DEVICE_DOMID(domain, pdev)); + ret = domain_context_unmap_one(domain, iommu, bus, devfn); if ( !ret && devfn == pdev->devfn && ats_device(pdev, drhd) > 0 ) disable_ats_device(pdev); @@ -1930,8 +1934,7 @@ static const struct acpi_drhd_unit *doma if ( iommu_debug ) printk(VTDPREFIX "%pd:PCI: unmap %pp\n", domain, &PCI_SBDF3(seg, bus, devfn)); - ret = domain_context_unmap_one(domain, iommu, bus, devfn, - DEVICE_DOMID(domain, pdev)); + ret = domain_context_unmap_one(domain, iommu, bus, devfn); if ( ret ) break; @@ -1954,12 +1957,10 @@ static const struct acpi_drhd_unit *doma break; } - ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn, - DEVICE_DOMID(domain, pdev)); + ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn); /* PCIe to PCI/PCIx bridge */ if ( !ret && pdev_type(seg, tmp_bus, tmp_devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) - ret = domain_context_unmap_one(domain, iommu, secbus, 0, - DEVICE_DOMID(domain, pdev)); + ret = domain_context_unmap_one(domain, iommu, secbus, 0); break; --- a/xen/drivers/passthrough/vtd/quirks.c +++ b/xen/drivers/passthrough/vtd/quirks.c 
@@ -427,7 +427,7 @@ static int __must_check map_me_phantom_f domid, pgd_maddr, mode); else rc = domain_context_unmap_one(domain, drhd->iommu, 0, - PCI_DEVFN(dev, 7), domid); + PCI_DEVFN(dev, 7)); return rc; }
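Review bot: The new SUPPORT.md paragraph in the @@ -750 hunk states the restriction but not its cause, so a reader of the support matrix cannot connect it to the quarantine behaviour this patch changes; consider adding a short clause such as "because a failed context mapping of such a device can only be undone by unmapping it" so the limitation is understandable without reading this commit. The hedge "if such a combination exists in the first place" also reads oddly in a support statement; "(if any such devices exist)" keeps the meaning and scans better.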
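Review bot: In the @@ -1533 hunk the printk() now takes seg/bus/devfn instead of pdev->seg/pdev->bus, which is the right fix since pdev can be NULL on this path, but the unchanged context line `check_cleanup_domid_map(domain, pdev, iommu);` immediately above it still receives the possibly NULL pdev; please confirm that function tolerates NULL (or state why this path cannot be reached with NULL), otherwise the dereference only moves one line up.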
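Review bot: In the @@ -1601 hunk the new condition diverts the NULL-pdev case to the unmap path only when prev_dom == dom_io, so the remaining `else if ( prev_dom != domain )` branch still evaluates DEVICE_DOMID(prev_dom, pdev); if pdev can be NULL with prev_dom being some third domain, the dereference this patch sets out to remove survives there. If that combination is unreachable, an ASSERT(pdev) or a one-line comment on the else-if branch would document the invariant. Separately, a block comment placed inside the parentheses of the `if` condition is hard to read; moving it above the `if` would be clearer.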
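Review bot: In the @@ -1867 hunk passing DOMID_INVALID to me_wifi_quirk() is safe only because the UNMAP_ME_PHANTOM_FUNC path no longer consumes the domid (the quirks.c @@ -427 hunk drops it from the domain_context_unmap_one() call while the mapping call in the same context still uses `domid`); a short comment at this call site saying the domain ID is ignored for unmap would stop this from looking like a bug to the next reader.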