diff options
| author | Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com> | 2020-11-30 12:31:28 +0200 |
|---|---|---|
| committer | Alex Bennée <alex.bennee@linaro.org> | 2020-11-30 15:12:50 +0000 |
| commit | fab65bbd6b97c1ac6d29c75a0a97bf0e08674052 (patch) | |
| tree | 5dcadf596a61c9617bba978a14e66f90ecd2fa25 /xen | |
| parent | dc67273572685e7a8d864bb4835af0b50eb7c8fc (diff) | |
xen/ioreq: Use guest_cmpxchg64() instead of cmpxchg()
The cmpxchg() in ioreq_send_buffered() operates on memory shared
with the emulator domain (and the target domain if the legacy
interface is used).
In order to be on the safe side we need to switch
to guest_cmpxchg64() to prevent a domain to DoS Xen on Arm.
As there is no plan to support the legacy interface on Arm,
we will have a page to be mapped in a single domain at the time,
so we can use s->emulator in guest_cmpxchg64() safely.
Thankfully the only user of the legacy interface is x86 so far
and there is not concern regarding the atomics operations.
Please note, that the legacy interface *must* not be used on Arm
without revisiting the code.
Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
CC: Julien Grall <julien.grall@arm.com>
Message-Id: <1606732298-22107-14-git-send-email-olekstysh@gmail.com>
Diffstat (limited to 'xen')
| -rw-r--r-- | xen/arch/arm/hvm.c | 4 | ||||
| -rw-r--r-- | xen/common/ioreq.c | 3 |
2 files changed, 6 insertions, 1 deletions
diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c index 8951b34086..9694e5aa6b 100644 --- a/xen/arch/arm/hvm.c +++ b/xen/arch/arm/hvm.c @@ -31,6 +31,10 @@ #include <asm/hypercall.h> +/* + * The legacy interface (which involves magic IOREQ pages) *must* not be used + * without revisiting the code. + */ static int hvm_allow_set_param(const struct domain *d, unsigned int param) { switch ( param ) diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 3ca5b960f3..4855dd8362 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -29,6 +29,7 @@ #include <xen/trace.h> #include <xen/vpci.h> +#include <asm/guest_atomics.h> #include <asm/hvm/ioreq.h> #include <public/hvm/ioreq.h> @@ -1182,7 +1183,7 @@ static int ioreq_send_buffered(struct ioreq_server *s, ioreq_t *p) new.read_pointer = old.read_pointer - n * IOREQ_BUFFER_SLOT_NUM; new.write_pointer = old.write_pointer - n * IOREQ_BUFFER_SLOT_NUM; - cmpxchg(&pg->ptrs.full, old.full, new.full); + guest_cmpxchg64(s->emulator, &pg->ptrs.full, old.full, new.full); } notify_via_xen_event_channel(d, s->bufioreq_evtchn); |