Xen Security Advisory CVE-2013-1919 / XSA-46
version 3
Several access permission issues with IRQs for unprivileged guests
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
Various IRQ related access control operations may not have the
intended effect, thus potentially permitting a stub domain to grant
its client domain access to an IRQ it doesn't have access to itself.
IMPACT
======
Malicious or buggy stub domains kernels can mount a denial of service
attack possibly affecting the whole system.
VULNERABLE SYSTEMS
==================
Only Xen systems using stub domains are vulnerable.
Only guests with passed-through IRQs or PCI devices are able to
exploit the vulnerability.
It is remotely possible that PV guests with passthrough IRQs or
devices may also be able to exploit this vulnerability, although we
think this is unlikely.
MITIGATION
==========
Servicing HVM guests with passthrough IRQs or PCI devices in dom0 (ie,
not using a stub domain device model) should avoid this vulnerability.
Reconfiguring the system to disable IRQ/PCI passthrough and instead
providing the guests with appropriate paravirtualised facilities will
avoid this vulnerability.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa46-4.1.patch Xen 4.1.x
xsa46-4.2.patch Xen 4.2.x
xsa46-unstable.patch xen-unstable
$ sha256sum xsa46*.patch
3b2ea317c1cf2ba428cc14946d030d38294747fef2beeb16eba30bcf3b1bc2cc xsa46-4.1.patch
822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c xsa46-4.2.patch
6987201720ef8af89a4682bddc33f639e1f87dc12f1ea7aee1f2e0481b1e909c xsa46-unstable.patch
$
xsa46-4.1.patch
Description:
x86: fix various issues with handling guest IRQs
- properly revoke IRQ access in map_domain_pirq() error path
- don't permit replacing an in use IRQ
- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
- track IRQ access permission in host IRQ terms, not guest IRQ ones
(and with that, also disallow Dom0 access to IRQ0)
This is CVE-2013-1919 / XSA-46.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
--- a/tools/python/xen/xend/server/irqif.py
+++ b/tools/python/xen/xend/server/irqif.py
@@ -73,6 +73,12 @@ class IRQController(DevController):
pirq = get_param('irq')
+ rc = xc.physdev_map_pirq(domid = self.getDomid(),
+ index = pirq,
+ pirq = pirq)
+ if rc < 0:
+ raise VmError('irq: Failed to map irq %x' % (pirq))
+
rc = xc.domain_irq_permission(domid = self.getDomid(),
pirq = pirq,
allow_access = True)
@@ -81,12 +87,6 @@ class IRQController(DevController):
#todo non-fatal
raise VmError(
'irq: Failed to configure irq: %d' % (pirq))
- rc = xc.physdev_map_pirq(domid = self.getDomid(),
- index = pirq,
- pirq = pirq)
- if rc < 0:
- raise VmError(
- 'irq: Failed to map irq %x' % (pirq))
back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
return (self.allocateDeviceID(), back, {})
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1201,7 +1201,7 @@ int __init construct_dom0(
/* DOM0 is permitted full I/O capabilities. */
rc |= ioports_permit_access(dom0, 0, 0xFFFF);
rc |= iomem_permit_access(dom0, 0UL, ~0UL);
- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
+ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
/*
* Modify I/O port access permissions.
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -908,9 +908,13 @@ long arch_do_domctl(
goto bind_out;
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- goto bind_out;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ goto bind_out;
+ }
ret = -ESRCH;
if ( iommu_enabled )
@@ -938,9 +942,13 @@ long arch_do_domctl(
bind = &(domctl->u.bind_pt_irq);
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- goto unbind_out;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ goto unbind_out;
+ }
if ( iommu_enabled )
{
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -174,6 +174,15 @@ int create_irq(void)
out:
spin_unlock_irqrestore(&vector_lock, flags);
+ if ( irq > 0 && dom0 )
+ {
+ ret = irq_permit_access(dom0, irq);
+ if ( ret )
+ printk(XENLOG_G_ERR
+ "Could not grant Dom0 access to IRQ%d (error %d)\n",
+ irq, ret);
+ }
+
return irq;
}
@@ -258,6 +267,17 @@ void clear_irq_vector(int irq)
void destroy_irq(unsigned int irq)
{
BUG_ON(!MSI_IRQ(irq));
+
+ if ( dom0 )
+ {
+ int err = irq_deny_access(dom0, irq);
+
+ if ( err )
+ printk(XENLOG_G_ERR
+ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
+ irq, err);
+ }
+
dynamic_irq_cleanup(irq);
clear_irq_vector(irq);
}
@@ -1604,7 +1624,7 @@ int map_domain_pirq(
if ( !IS_PRIV(current->domain) &&
!(IS_PRIV_FOR(current->domain, d) &&
- irq_access_permitted(current->domain, pirq)))
+ irq_access_permitted(current->domain, irq)))
return -EPERM;
if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
@@ -1625,11 +1645,12 @@ int map_domain_pirq(
return 0;
}
- ret = irq_permit_access(d, pirq);
+ ret = irq_permit_access(d, irq);
if ( ret )
{
- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
return ret;
}
@@ -1651,8 +1672,14 @@ int map_domain_pirq(
spin_lock_irqsave(&desc->lock, flags);
if ( desc->handler != &no_irq_type )
+ {
+ spin_unlock_irqrestore(&desc->lock, flags);
dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
d->domain_id, irq);
+ pci_disable_msi(msi_desc);
+ ret = -EBUSY;
+ goto done;
+ }
desc->handler = &pci_msi_type;
if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
&& !desc->chip_data->used_vectors )
@@ -1680,6 +1707,10 @@ int map_domain_pirq(
}
done:
+ if ( ret && irq_deny_access(d, irq) )
+ printk(XENLOG_G_ERR
+ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
return ret;
}
@@ -1736,10 +1767,11 @@ int unmap_domain_pirq(struct domain *d,
if (msi_desc)
msi_free_irq(msi_desc);
- ret = irq_deny_access(d, pirq);
+ ret = irq_deny_access(d, irq);
if ( ret )
- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
if ( desc->handler == &pci_msi_type )
desc->handler = &no_irq_type;
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -147,7 +147,7 @@ static int physdev_map_pirq(struct physd
if ( irq == -1 )
irq = create_irq();
- if ( irq < 0 || irq >= nr_irqs )
+ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
{
dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
d->domain_id);
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -854,9 +854,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
if ( pirq >= d->nr_pirqs )
ret = -EINVAL;
else if ( op->u.irq_permission.allow_access )
- ret = irq_permit_access(d, pirq);
+ ret = pirq_permit_access(d, pirq);
else
- ret = irq_deny_access(d, pirq);
+ ret = pirq_deny_access(d, pirq);
rcu_unlock_domain(d);
}
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -331,7 +331,7 @@ static long evtchn_bind_pirq(evtchn_bind
if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
return -EINVAL;
- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
+ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
return -EPERM;
spin_lock(&d->event_lock);
--- a/xen/include/xen/iocap.h
+++ b/xen/include/xen/iocap.h
@@ -28,4 +28,22 @@
#define irq_access_permitted(d, i) \
rangeset_contains_singleton((d)->irq_caps, i)
+#define pirq_permit_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_deny_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_access_permitted(d, i) ({ \
+ struct domain *d__ = (d); \
+ rangeset_contains_singleton(d__->irq_caps, \
+ domain_pirq_to_irq(d__, i));\
+})
+
#endif /* __XEN_IOCAP_H__ */
xsa46-4.2.patch
Description:
x86: fix various issues with handling guest IRQs
- properly revoke IRQ access in map_domain_pirq() error path
- don't permit replacing an in use IRQ
- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
- track IRQ access permission in host IRQ terms, not guest IRQ ones
(and with that, also disallow Dom0 access to IRQ0)
This is CVE-2013-1919 / XSA-46.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e
}
for (i = 0; i < d_config->b_info.num_irqs; i++) {
- uint32_t irq = d_config->b_info.irqs[i];
+ int irq = d_config->b_info.irqs[i];
- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq);
+ LOG(DEBUG, "dom%d irq %d", domid, irq);
- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
+ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq)
+ : -EOVERFLOW;
+ if (!ret)
+ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
if ( ret<0 ){
- LOGE(ERROR,
- "failed give dom%d access to irq %"PRId32, domid, irq);
+ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq);
ret = ERROR_FAIL;
}
}
--- a/tools/python/xen/xend/server/irqif.py
+++ b/tools/python/xen/xend/server/irqif.py
@@ -73,6 +73,12 @@ class IRQController(DevController):
pirq = get_param('irq')
+ rc = xc.physdev_map_pirq(domid = self.getDomid(),
+ index = pirq,
+ pirq = pirq)
+ if rc < 0:
+ raise VmError('irq: Failed to map irq %x' % (pirq))
+
rc = xc.domain_irq_permission(domid = self.getDomid(),
pirq = pirq,
allow_access = True)
@@ -81,12 +87,6 @@ class IRQController(DevController):
#todo non-fatal
raise VmError(
'irq: Failed to configure irq: %d' % (pirq))
- rc = xc.physdev_map_pirq(domid = self.getDomid(),
- index = pirq,
- pirq = pirq)
- if rc < 0:
- raise VmError(
- 'irq: Failed to map irq %x' % (pirq))
back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
return (self.allocateDeviceID(), back, {})
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1219,7 +1219,7 @@ int __init construct_dom0(
/* DOM0 is permitted full I/O capabilities. */
rc |= ioports_permit_access(dom0, 0, 0xFFFF);
rc |= iomem_permit_access(dom0, 0UL, ~0UL);
- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
+ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
/*
* Modify I/O port access permissions.
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -772,9 +772,13 @@ long arch_do_domctl(
goto bind_out;
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- goto bind_out;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ goto bind_out;
+ }
ret = -ESRCH;
if ( iommu_enabled )
@@ -803,9 +807,13 @@ long arch_do_domctl(
bind = &(domctl->u.bind_pt_irq);
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- goto unbind_out;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ goto unbind_out;
+ }
if ( iommu_enabled )
{
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -184,6 +184,14 @@ int create_irq(int node)
desc->arch.used = IRQ_UNUSED;
irq = ret;
}
+ else if ( dom0 )
+ {
+ ret = irq_permit_access(dom0, irq);
+ if ( ret )
+ printk(XENLOG_G_ERR
+ "Could not grant Dom0 access to IRQ%d (error %d)\n",
+ irq, ret);
+ }
return irq;
}
@@ -280,6 +288,17 @@ void clear_irq_vector(int irq)
void destroy_irq(unsigned int irq)
{
BUG_ON(!MSI_IRQ(irq));
+
+ if ( dom0 )
+ {
+ int err = irq_deny_access(dom0, irq);
+
+ if ( err )
+ printk(XENLOG_G_ERR
+ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
+ irq, err);
+ }
+
dynamic_irq_cleanup(irq);
clear_irq_vector(irq);
}
@@ -1858,7 +1877,7 @@ int map_domain_pirq(
if ( !IS_PRIV(current->domain) &&
!(IS_PRIV_FOR(current->domain, d) &&
- irq_access_permitted(current->domain, pirq)))
+ irq_access_permitted(current->domain, irq)))
return -EPERM;
if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
@@ -1887,17 +1906,18 @@ int map_domain_pirq(
return ret;
}
- ret = irq_permit_access(d, pirq);
+ ret = irq_permit_access(d, irq);
if ( ret )
{
- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
return ret;
}
ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
if ( ret )
- return ret;
+ goto revoke;
desc = irq_to_desc(irq);
@@ -1921,8 +1941,14 @@ int map_domain_pirq(
spin_lock_irqsave(&desc->lock, flags);
if ( desc->handler != &no_irq_type )
+ {
+ spin_unlock_irqrestore(&desc->lock, flags);
dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
d->domain_id, irq);
+ pci_disable_msi(msi_desc);
+ ret = -EBUSY;
+ goto done;
+ }
setup_msi_handler(desc, msi_desc);
if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
@@ -1951,7 +1977,14 @@ int map_domain_pirq(
done:
if ( ret )
+ {
cleanup_domain_irq_pirq(d, irq, info);
+ revoke:
+ if ( irq_deny_access(d, irq) )
+ printk(XENLOG_G_ERR
+ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
+ }
return ret;
}
@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d,
if ( !forced_unbind )
cleanup_domain_irq_pirq(d, irq, info);
- ret = irq_deny_access(d, pirq);
+ ret = irq_deny_access(d, irq);
if ( ret )
- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
done:
return ret;
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int
if ( irq == -1 )
irq = create_irq(NUMA_NO_NODE);
- if ( irq < 0 || irq >= nr_irqs )
+ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
{
dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
d->domain_id);
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -25,6 +25,7 @@
#include <xen/paging.h>
#include <xen/hypercall.h>
#include <asm/current.h>
+#include <asm/irq.h>
#include <asm/page.h>
#include <public/domctl.h>
#include <xsm/xsm.h>
@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
else if ( xsm_irq_permission(d, pirq, allow) )
ret = -EPERM;
else if ( allow )
- ret = irq_permit_access(d, pirq);
+ ret = pirq_permit_access(d, pirq);
else
- ret = irq_deny_access(d, pirq);
+ ret = pirq_deny_access(d, pirq);
rcu_unlock_domain(d);
}
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind
if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
return -EINVAL;
- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
+ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
return -EPERM;
spin_lock(&d->event_lock);
--- a/xen/include/xen/iocap.h
+++ b/xen/include/xen/iocap.h
@@ -28,4 +28,22 @@
#define irq_access_permitted(d, i) \
rangeset_contains_singleton((d)->irq_caps, i)
+#define pirq_permit_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_deny_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_access_permitted(d, i) ({ \
+ struct domain *d__ = (d); \
+ rangeset_contains_singleton(d__->irq_caps, \
+ domain_pirq_to_irq(d__, i));\
+})
+
#endif /* __XEN_IOCAP_H__ */
xsa46-unstable.patch
Description:
x86: fix various issues with handling guest IRQs
- properly revoke IRQ access in map_domain_pirq() error path
- don't permit replacing an in use IRQ
- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
- track IRQ access permission in host IRQ terms, not guest IRQ ones
(and with that, also disallow Dom0 access to IRQ0)
This is CVE-2013-1919 / XSA-46.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -958,14 +958,16 @@ static void domcreate_launch_dm(libxl__e
}
for (i = 0; i < d_config->b_info.num_irqs; i++) {
- uint32_t irq = d_config->b_info.irqs[i];
+ int irq = d_config->b_info.irqs[i];
- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq);
+ LOG(DEBUG, "dom%d irq %d", domid, irq);
- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
+ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq)
+ : -EOVERFLOW;
+ if (!ret)
+ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
if (ret < 0) {
- LOGE(ERROR,
- "failed give dom%d access to irq %"PRId32, domid, irq);
+ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq);
ret = ERROR_FAIL;
}
}
--- a/tools/python/xen/xend/server/irqif.py
+++ b/tools/python/xen/xend/server/irqif.py
@@ -73,6 +73,12 @@ class IRQController(DevController):
pirq = get_param('irq')
+ rc = xc.physdev_map_pirq(domid = self.getDomid(),
+ index = pirq,
+ pirq = pirq)
+ if rc < 0:
+ raise VmError('irq: Failed to map irq %x' % (pirq))
+
rc = xc.domain_irq_permission(domid = self.getDomid(),
pirq = pirq,
allow_access = True)
@@ -81,12 +87,6 @@ class IRQController(DevController):
#todo non-fatal
raise VmError(
'irq: Failed to configure irq: %d' % (pirq))
- rc = xc.physdev_map_pirq(domid = self.getDomid(),
- index = pirq,
- pirq = pirq)
- if rc < 0:
- raise VmError(
- 'irq: Failed to map irq %x' % (pirq))
back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
return (self.allocateDeviceID(), back, {})
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1080,7 +1080,7 @@ int __init construct_dom0(
/* DOM0 is permitted full I/O capabilities. */
rc |= ioports_permit_access(dom0, 0, 0xFFFF);
rc |= iomem_permit_access(dom0, 0UL, ~0UL);
- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
+ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
/*
* Modify I/O port access permissions.
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -578,9 +578,13 @@ long arch_do_domctl(
break;
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- break;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ break;
+ }
ret = -ESRCH;
if ( iommu_enabled )
@@ -602,9 +606,13 @@ long arch_do_domctl(
bind = &(domctl->u.bind_pt_irq);
ret = -EPERM;
- if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, bind->machine_irq) )
- break;
+ if ( !IS_PRIV(current->domain) )
+ {
+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
+
+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
+ break;
+ }
ret = xsm_unbind_pt_irq(XSM_HOOK, d, bind);
if ( ret )
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -184,6 +184,14 @@ int create_irq(int node)
desc->arch.used = IRQ_UNUSED;
irq = ret;
}
+ else if ( dom0 )
+ {
+ ret = irq_permit_access(dom0, irq);
+ if ( ret )
+ printk(XENLOG_G_ERR
+ "Could not grant Dom0 access to IRQ%d (error %d)\n",
+ irq, ret);
+ }
return irq;
}
@@ -280,6 +288,17 @@ void clear_irq_vector(int irq)
void destroy_irq(unsigned int irq)
{
BUG_ON(!MSI_IRQ(irq));
+
+ if ( dom0 )
+ {
+ int err = irq_deny_access(dom0, irq);
+
+ if ( err )
+ printk(XENLOG_G_ERR
+ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
+ irq, err);
+ }
+
dynamic_irq_cleanup(irq);
clear_irq_vector(irq);
}
@@ -1872,7 +1891,7 @@ int map_domain_pirq(
ASSERT(spin_is_locked(&d->event_lock));
if ( !IS_PRIV(current->domain) &&
- !irq_access_permitted(current->domain, pirq))
+ !irq_access_permitted(current->domain, irq))
return -EPERM;
if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
@@ -1901,17 +1920,18 @@ int map_domain_pirq(
return ret;
}
- ret = irq_permit_access(d, pirq);
+ ret = irq_permit_access(d, irq);
if ( ret )
{
- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
return ret;
}
ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
if ( ret )
- return ret;
+ goto revoke;
desc = irq_to_desc(irq);
@@ -1935,8 +1955,14 @@ int map_domain_pirq(
spin_lock_irqsave(&desc->lock, flags);
if ( desc->handler != &no_irq_type )
+ {
+ spin_unlock_irqrestore(&desc->lock, flags);
dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
d->domain_id, irq);
+ pci_disable_msi(msi_desc);
+ ret = -EBUSY;
+ goto done;
+ }
setup_msi_handler(desc, msi_desc);
if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
@@ -1965,7 +1991,14 @@ int map_domain_pirq(
done:
if ( ret )
+ {
cleanup_domain_irq_pirq(d, irq, info);
+ revoke:
+ if ( irq_deny_access(d, irq) )
+ printk(XENLOG_G_ERR
+ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
+ }
return ret;
}
@@ -2036,10 +2069,11 @@ int unmap_domain_pirq(struct domain *d,
if ( !forced_unbind )
cleanup_domain_irq_pirq(d, irq, info);
- ret = irq_deny_access(d, pirq);
+ ret = irq_deny_access(d, irq);
if ( ret )
- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
- d->domain_id, pirq);
+ printk(XENLOG_G_ERR
+ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
done:
return ret;
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -144,7 +144,7 @@ int physdev_map_pirq(domid_t domid, int
if ( irq == -1 )
irq = create_irq(NUMA_NO_NODE);
- if ( irq < 0 || irq >= nr_irqs )
+ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
{
dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
d->domain_id);
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -25,6 +25,7 @@
#include <xen/paging.h>
#include <xen/hypercall.h>
#include <asm/current.h>
+#include <asm/irq.h>
#include <asm/page.h>
#include <public/domctl.h>
#include <xsm/xsm.h>
@@ -723,9 +724,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
else if ( xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
ret = -EPERM;
else if ( allow )
- ret = irq_permit_access(d, pirq);
+ ret = pirq_permit_access(d, pirq);
else
- ret = irq_deny_access(d, pirq);
+ ret = pirq_deny_access(d, pirq);
}
break;
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind
if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
return -EINVAL;
- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
+ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
return -EPERM;
spin_lock(&d->event_lock);
--- a/xen/include/xen/iocap.h
+++ b/xen/include/xen/iocap.h
@@ -28,4 +28,22 @@
#define irq_access_permitted(d, i) \
rangeset_contains_singleton((d)->irq_caps, i)
+#define pirq_permit_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_deny_access(d, i) ({ \
+ struct domain *d__ = (d); \
+ int i__ = domain_pirq_to_irq(d__, i); \
+ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
+ : -EINVAL; \
+})
+#define pirq_access_permitted(d, i) ({ \
+ struct domain *d__ = (d); \
+ rangeset_contains_singleton(d__->irq_caps, \
+ domain_pirq_to_irq(d__, i));\
+})
+
#endif /* __XEN_IOCAP_H__ */