author | Andrew Cooper <andrew.cooper3@citrix.com> | 2013-07-11 14:18:57 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-07-11 14:18:57 +0200 |
commit | 8109c123702e2387b0781f3feaa4b53744464009 (patch) | |
tree | ae326c2e44aff71e3c19956e3f994a7020f126bf | |
parent | 7f6b1086489c0382c3f8c6a2026a6d0eaa53ea97 (diff) | |
AMD/intremap: Prevent use of per-device vector maps until irq logic is fixed

XSA-36 changed the default vector map mode from global to per-device. This is
because a global vector map does not prevent one PCI device from impersonating
another and launching a DoS on the system.

However, the per-device vector map logic is broken for devices with multiple
MSI-X vectors, which can either result in a failed ASSERT() or misprogramming
of a guest's interrupt remapping tables. The core problem is not trivial to
fix.

In an effort to get AMD systems back to a non-regressed state, introduce a new
type of vector map called per-device-global. This uses per-device vector maps
in the IOMMU, but uses a single used_vector map for the core IRQ logic.

This patch is intended to be removed as soon as the per-device logic is fixed
correctly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
master commit: f0fe8227624d5c02715ed086867d12cd24f6ff47
master date: 2013-06-27 14:01:18 +0200
-rw-r--r-- | xen/drivers/passthrough/amd/pci_amd_iommu.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c index 281a52bcfa..c3cbf887fe 100644 --- a/xen/drivers/passthrough/amd/pci_amd_iommu.c +++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c @@ -192,8 +192,19 @@ int __init amd_iov_detect(void) { if ( amd_iommu_perdev_intremap ) { - printk("AMD-Vi: Enabling per-device vector maps\n"); - opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_PERDEV; + /* Per-device vector map logic is broken for devices with multiple + * MSI-X interrupts (and would also be for multiple MSI, if Xen + * supported it). + * + * Until this is fixed, use global vector tables as far as the irq + * logic is concerned to avoid the buggy behaviour of per-device + * maps in map_domain_pirq(), and use per-device tables as far as + * intremap code is concerned to avoid the security issue. + */ + printk(XENLOG_WARNING "AMD-Vi: per-device vector map logic is broken. " + "Using per-device-global maps instead until a fix is found.\n"); + + opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_GLOBAL; } else { @@ -204,6 +215,10 @@ int __init amd_iov_detect(void) else { printk("AMD-Vi: Not overriding irq_vector_map setting\n"); + + if ( opt_irq_vector_map != OPT_IRQ_VECTOR_MAP_GLOBAL ) + printk(XENLOG_WARNING "AMD-Vi: per-device vector map logic is broken. " + "Use irq_vector_map=global to work around.\n"); } if ( !amd_iommu_perdev_intremap ) printk(XENLOG_WARNING "AMD-Vi: Using global interrupt remap table is not recommended (see XSA-36)!\n"); |
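Review bot: In the first hunk (@@ -192,8 +192,19 @@), the warning tells the administrator that "per-device-global maps" are in use, but the only state written is `opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_GLOBAL;`, so the new mode has no identifier of its own and exists only as the combination of `amd_iommu_perdev_intremap` being set and the global option. Anyone later reading `opt_irq_vector_map` sees plain global mode and cannot tell it apart from a deliberately chosen global map. Either state in the comment that "per-device-global" means exactly this combination, or log the value actually selected. Since the commit message says the change is meant to be reverted once the per-device logic is fixed, a marker in the comment that names the condition for removal would also make the workaround easier to find later.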
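Review bot: In the second hunk (@@ -204,6 +215,10 @@), the new check `if ( opt_irq_vector_map != OPT_IRQ_VECTOR_MAP_GLOBAL )` only prints a warning and leaves the setting untouched, so a system booted with an explicit non-global map keeps running the logic that the commit message says can hit a failed ASSERT() or misprogram a guest's interrupt remapping tables. The condition is also broader than the message: it fires for every value other than global, while the text printed is specifically about per-device maps. Comparing against `OPT_IRQ_VECTOR_MAP_PERDEV` would match the warning to the case it describes. If leaving an explicit administrator choice in place is intentional, a short comment saying so would help, because the first hunk silently replaces per-device with global in the other branch.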