From patchwork Fri Jun 6 17:48:25 2014
X-Patchwork-Submitter: Stefano Stabellini
X-Patchwork-Id: 31502
From: Stefano Stabellini
Date: Fri, 6 Jun 2014 18:48:25 +0100
Message-ID: <1402076908-26740-1-git-send-email-stefano.stabellini@eu.citrix.com>
Cc: julien.grall@citrix.com, Ian.Campbell@citrix.com, Stefano Stabellini
Subject: [Xen-devel] [PATCH v4 1/4] xen/arm: observe itargets setting in vgic_enable_irqs and vgic_disable_irqs

vgic_enable_irqs should enable irq delivery to the vcpu specified by
GICD_ITARGETSR, rather than the vcpu that wrote to GICD_ISENABLER.
Similarly vgic_disable_irqs should use the target vcpu specified by
itarget to disable irqs.

itargets can be set to a mask but vgic_get_target_vcpu always returns
the lower vcpu in the mask.

Correctly initialize itargets for SPIs.

Validate writes to GICD_ITARGETSR.
Signed-off-by: Stefano Stabellini --- Changes in v4: - remove assert that could allow a guest to crash Xen; - add itargets validation to vgic_distr_mmio_write; - export vgic_get_target_vcpu. Changes in v3: - add assert in get_target_vcpu; - rename get_target_vcpu to vgic_get_target_vcpu. Changes in v2: - refactor the common code in get_target_vcpu; - unify PPI and SPI paths; - correctly initialize itargets for SPI; - use byte_read. --- xen/arch/arm/vgic.c | 60 +++++++++++++++++++++++++++++++++++++++------ xen/include/asm-arm/gic.h | 2 ++ 2 files changed, 54 insertions(+), 8 deletions(-) diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index cb8df3a..e527892 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -106,7 +106,15 @@ int domain_vgic_init(struct domain *d) INIT_LIST_HEAD(&d->arch.vgic.pending_irqs[i].lr_queue); } for (i=0; iarch.vgic.shared_irqs[i].lock); + /* Only delivery to CPU0 */ + for ( j = 0 ; j < 8 ; j++ ) + d->arch.vgic.shared_irqs[i].itargets[j] = + (1<<0) | (1<<8) | (1<<16) | (1<<24); + } return 0; } @@ -369,6 +377,22 @@ read_as_zero: return 1; } +struct vcpu *vgic_get_target_vcpu(struct vcpu *v, unsigned int irq) +{ + int target; + struct vgic_irq_rank *rank; + struct vcpu *v_target; + + rank = vgic_irq_rank(v, 1, irq/32); + vgic_lock_rank(v, rank); + target = byte_read(rank->itargets[(irq%32)/4], 0, irq % 4); + /* just return the first vcpu in the mask */ + target = find_next_bit((const unsigned long *) &target, 8, 0); + v_target = v->domain->vcpu[target]; + vgic_unlock_rank(v, rank); + return v_target; +} + static void vgic_disable_irqs(struct vcpu *v, uint32_t r, int n) { const unsigned long mask = r; 
@@ -376,12 +400,14 @@ static void vgic_disable_irqs(struct vcpu *v, uint32_t r, int n) unsigned int irq; unsigned long flags; int i = 0; + struct vcpu *v_target; while ( (i = find_next_bit(&mask, 32, i)) < 32 ) { irq = i + (32 * n); - p = irq_to_pending(v, irq); + v_target = vgic_get_target_vcpu(v, irq); + p = irq_to_pending(v_target, irq); clear_bit(GIC_IRQ_GUEST_ENABLED, &p->status); - gic_remove_from_queues(v, irq); + gic_remove_from_queues(v_target, irq); if ( p->desc != NULL ) { spin_lock_irqsave(&p->desc->lock, flags); @@ -399,24 +425,26 @@ static void vgic_enable_irqs(struct vcpu *v, uint32_t r, int n) unsigned int irq; unsigned long flags; int i = 0; + struct vcpu *v_target; while ( (i = find_next_bit(&mask, 32, i)) < 32 ) { irq = i + (32 * n); - p = irq_to_pending(v, irq); + v_target = vgic_get_target_vcpu(v, irq); + p = irq_to_pending(v_target, irq); set_bit(GIC_IRQ_GUEST_ENABLED, &p->status); /* We need to force the first injection of evtchn_irq because * evtchn_upcall_pending is already set by common code on vcpu * creation. */ - if ( irq == v->domain->arch.evtchn_irq && + if ( irq == v_target->domain->arch.evtchn_irq && vcpu_info(current, evtchn_upcall_pending) && list_empty(&p->inflight) ) - vgic_vcpu_inject_irq(v, irq); + vgic_vcpu_inject_irq(v_target, irq); else { unsigned long flags; - spin_lock_irqsave(&v->arch.vgic.lock, flags); + spin_lock_irqsave(&v_target->arch.vgic.lock, flags); if ( !list_empty(&p->inflight) && !test_bit(GIC_IRQ_GUEST_VISIBLE, &p->status) ) - gic_raise_guest_irq(v, irq, p->priority); - spin_unlock_irqrestore(&v->arch.vgic.lock, flags); + gic_raise_guest_irq(v_target, irq, p->priority); + spin_unlock_irqrestore(&v_target->arch.vgic.lock, flags); } if ( p->desc != NULL ) { @@ -502,6 +530,7 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) int offset = (int)(info->gpa - v->domain->arch.vgic.dbase); int gicd_reg = REG(offset); uint32_t tr; + int i; switch ( gicd_reg ) { 
@@ -585,6 +614,21 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) rank = vgic_irq_rank(v, 8, gicd_reg - GICD_ITARGETSR); if ( rank == NULL) goto write_ignore; vgic_lock_rank(v, rank); + tr = *r & ~(rank->itargets[REG_RANK_INDEX(8, gicd_reg - GICD_ITARGETSR)]); + i = 0; + /* validate writes */ + while ( (i = find_next_bit((const unsigned long *) &tr, 32, i)) < 32 ) + { + unsigned int target = i % 8; + if ( target > v->domain->max_vcpus ) + { + gdprintk(XENLOG_WARNING, "vGICD: GICD_ITARGETSR write invalid target vcpu %u\n", + target); + vgic_unlock_rank(v, rank); + return 1; + } + i++; + } if ( dabt.size == 2 ) rank->itargets[REG_RANK_INDEX(8, gicd_reg - GICD_ITARGETSR)] = *r; else diff --git a/xen/include/asm-arm/gic.h b/xen/include/asm-arm/gic.h index bf6fb1e..bd40628 100644 --- a/xen/include/asm-arm/gic.h +++ b/xen/include/asm-arm/gic.h @@ -227,6 +227,8 @@ int gic_irq_xlate(const u32 *intspec, unsigned int intsize, unsigned int *out_hwirq, unsigned int *out_type); void gic_clear_lrs(struct vcpu *v); +struct vcpu *vgic_get_target_vcpu(struct vcpu *v, unsigned int irq); + #endif /* __ASSEMBLY__ */ #endif
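
Review bot: In the domain_vgic_init hunk, the added inner loop uses j, but no hunk in this patch adds a declaration for it; unless the function already declares j, this will not build, so declare it next to i. The loop bound 8 and the value (1<<0) | (1<<8) | (1<<16) | (1<<24) are also hard-coded; deriving the bound from the size of itargets and naming the "CPU0 in every byte" value would make the intent of the "Only delivery to CPU0" comment checkable.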
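
Review bot: In vgic_get_target_vcpu, the result of find_next_bit is used as an index into v->domain->vcpu[] without a bounds check. If the itargets byte for the irq is zero, find_next_bit returns 8 (the size argument) and the function reads vcpu[8]. The changelog says the assert was removed because a guest could trigger it, but nothing replaces it, so handle the empty-mask case explicitly (for example by falling back to vcpu 0) and check the index against max_vcpus before dereferencing. Two smaller points in the same hunk: target is an int but is passed as (const unsigned long *) &target, which reads past the variable where unsigned long is wider than int, so use an unsigned long local instead of the cast; and rank is not checked for NULL before vgic_lock_rank, although the ITARGETSR write path in this same patch does check vgic_irq_rank for NULL.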
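
Review bot: In the vgic_disable_irqs hunk, v_target comes from vgic_get_target_vcpu, which drops the rank lock before returning, so the target can already be stale when irq_to_pending(v_target, irq) and gic_remove_from_queues(v_target, irq) run. A concurrent GICD_ITARGETSR write from another vcpu between the lookup and the use would leave the irq disabled on the old target's queues only. Either document why that window is harmless or keep the lookup and the use under one lock.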
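
Review bot: In the vgic_enable_irqs hunk, the evtchn_irq condition still tests vcpu_info(current, evtchn_upcall_pending) while the injection now goes to v_target, so the pending flag that is checked belongs to the vcpu that wrote GICD_ISENABLER, not to the vcpu receiving the interrupt. If the target's state is what matters, use v_target there as well. Changing v->domain to v_target->domain on the same line has no effect, since both vcpus are indexed from the same domain in vgic_get_target_vcpu; leaving it as v->domain would keep the diff smaller.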
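
Review bot: In the GICD_ITARGETSR validation hunk, the test "if ( target > v->domain->max_vcpus )" is off by one: valid vcpu indices stop at max_vcpus - 1, so a target equal to max_vcpus is accepted and later used as an index into vcpu[] by vgic_get_target_vcpu. Use >= instead. Only newly set bits are examined (tr = *r & ~itargets), so a write that clears every target bit for an irq passes validation untouched; decide whether an all-zero target byte is allowed and handle it here or in the lookup. The check also always compares *r with the full 32-bit register, while the store just below distinguishes dabt.size == 2 from other access sizes, so for a narrower access the bits of *r may not line up with the byte actually being written. Finally, &tr is a uint32_t passed as (const unsigned long *), the same width problem as in vgic_get_target_vcpu.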
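
Review bot: The new vgic_get_target_vcpu prototype in gic.h is exported without any comment on its locking contract. The implementation takes and releases the rank lock itself, so it presumably must not be called with that lock held (the ITARGETSR write path in this patch holds it), and the returned vcpu is only a snapshot of the target at the time of the call. A short comment above the declaration stating both points would help callers in the later patches of this series.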