1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
From bc5ae1d254ef1da536127d2a232b6c21052f4d92 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 12 Nov 2024 13:53:24 +0100
Subject: [PATCH 52/56] x86/HVM: drop stdvga's "lock" struct member
No state is left to protect. It being the last field, drop the struct
itself as well. Similarly for then ending up empty, drop the .complete
handler.
This is part of XSA-463 / CVE-2024-45818
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
(cherry picked from commit b180a50326c8a2c171f37c1940a0fbbdcad4be90)
---
xen/arch/x86/hvm/stdvga.c | 30 ++-------------------------
xen/arch/x86/include/asm/hvm/domain.h | 1 -
xen/arch/x86/include/asm/hvm/io.h | 4 ----
3 files changed, 2 insertions(+), 33 deletions(-)
diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index 9f308fc896..d38d30affb 100644
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -69,61 +69,35 @@ static int cf_check stdvga_mem_write(
static bool cf_check stdvga_mem_accept(
const struct hvm_io_handler *handler, const ioreq_t *p)
{
- struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga;
-
- /*
- * The range check must be done without taking the lock, to avoid
- * deadlock when hvm_mmio_internal() is called from
- * hvm_copy_to/from_guest_phys() in hvm_process_io_intercept().
- */
if ( (ioreq_mmio_first_byte(p) < VGA_MEM_BASE) ||
(ioreq_mmio_last_byte(p) >= (VGA_MEM_BASE + VGA_MEM_SIZE)) )
return 0;
- spin_lock(&s->lock);
-
if ( p->dir != IOREQ_WRITE || p->data_is_ptr || p->count != 1 )
{
/*
* Only accept single direct writes, as that's the only thing we can
* accelerate using buffered ioreq handling.
*/
- goto reject;
+ return false;
}
- /* s->lock intentionally held */
- return 1;
-
- reject:
- spin_unlock(&s->lock);
- return 0;
-}
-
-static void cf_check stdvga_mem_complete(const struct hvm_io_handler *handler)
-{
- struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga;
-
- spin_unlock(&s->lock);
+ return true;
}
static const struct hvm_io_ops stdvga_mem_ops = {
.accept = stdvga_mem_accept,
.read = stdvga_mem_read,
.write = stdvga_mem_write,
- .complete = stdvga_mem_complete
};
void stdvga_init(struct domain *d)
{
- struct hvm_hw_stdvga *s = &d->arch.hvm.stdvga;
struct hvm_io_handler *handler;
if ( !has_vvga(d) )
return;
- memset(s, 0, sizeof(*s));
- spin_lock_init(&s->lock);
-
/* VGA memory */
handler = hvm_next_io_handler(d);
if ( handler )
diff --git a/xen/arch/x86/include/asm/hvm/domain.h b/xen/arch/x86/include/asm/hvm/domain.h
index dd9d837e84..333501d5f2 100644
--- a/xen/arch/x86/include/asm/hvm/domain.h
+++ b/xen/arch/x86/include/asm/hvm/domain.h
@@ -72,7 +72,6 @@ struct hvm_domain {
struct hvm_hw_vpic vpic[2]; /* 0=master; 1=slave */
struct hvm_vioapic **vioapic;
unsigned int nr_vioapics;
- struct hvm_hw_stdvga stdvga;
/*
* hvm_hw_pmtimer is a publicly-visible name. We will defer renaming
diff --git a/xen/arch/x86/include/asm/hvm/io.h b/xen/arch/x86/include/asm/hvm/io.h
index 958077de81..d123e7c9ed 100644
--- a/xen/arch/x86/include/asm/hvm/io.h
+++ b/xen/arch/x86/include/asm/hvm/io.h
@@ -110,10 +110,6 @@ struct vpci_arch_msix_entry {
int pirq;
};
-struct hvm_hw_stdvga {
- spinlock_t lock;
-};
-
void stdvga_init(struct domain *d);
extern void hvm_dpci_msi_eoi(struct domain *d, int vector);
--
2.47.0
|
GitWeb