projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fab256b) | patch
x86: allow stubdom access to irq created for msi
authorSimon Gaiser <simon@invisiblethingslab.com>
Fri, 27 Sep 2019 13:04:08 +0000 (15:04 +0200)
committerJan Beulich <jbeulich@suse.com>
Fri, 27 Sep 2019 13:04:08 +0000 (15:04 +0200)
commit92d9101eabc75bff9184bf7fe5f2e9241897c857
tree3bac2348aa979ef062334e10bf250a50f40093d0tree | snapshot
parentfab256ba5feee451a07c6cb4fe3ec12d2d7a5b41commit | diff
x86: allow stubdom access to irq created for msi

Stubdomains need to be given sufficient privilege over the guest which it
provides emulation for in order for PCI passthrough to work correctly.
When a HVM domain try to enable MSI, QEMU in stubdomain calls
PHYSDEVOP_map_pirq, but later it needs to call XEN_DOMCTL_bind_pt_irq as
part of xc_domain_update_msi_irq. Give the stubdomain enough permissions
over the mapped interrupt in order to bind it successfully to it's
target domain.

This is not needed for PCI INTx, because IRQ in that case is known
beforehand and the stubdomain is given permissions over this IRQ by
libxl__device_pci_add (there's a do_pci_add against the stubdomain).

create_irq() already grant IRQ access to hardware_domain, with
assumption the device model lives there.
Modify create_irq() to take additional parameter, whether to grant
permissions to the domain creating the IRQ, which may be dom0 or a
stubdomain. Do this instead of granting access always to
hardware_domain. Save ID of the domain given permission, to revoke it in
destroy_irq() - easier and cleaner than replaying logic of create_irq()
parameter. Use domid instead of actual reference to the domain,
because it might get destroyed before destroying IRQ (stubdomain is
destroyed before its target domain). And it is not an issue,
because IRQ permissions live within domain structure, so destroying
a domain also implicitly revoke the permission.  Potential domid
reuse is detected by checking if that domain does have permission
over the IRQ being destroyed.

Then, adjust all callers to provide the parameter. In case of Xen
internal allocations, set it to false, but for domain accessible
interrupt set it to true.

Inspired by https://github.com/OpenXT/xenclient-oe/blob/5e0e7304a5a3c75ef01240a1e3673665b2aaf05e/recipes-extended/xen/files/stubdomain-msi-irq-access.patch by Eric Chanudet <chanudete@ainfosec.com>.

Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen/arch/x86/hpet.c diff | blob | history
xen/arch/x86/irq.c diff | blob | history
xen/drivers/char/ns16550.c diff | blob | history
xen/drivers/passthrough/amd/iommu_init.c diff | blob | history
xen/drivers/passthrough/vtd/iommu.c diff | blob | history
xen/include/asm-x86/irq.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.