AMD/IOMMU: fix infinite loop due to ivrs_bdf_entries larger than 16-bit value

Certain AMD systems could have upto 0x10000 ivrs_bdf_entries.
However, the loop variable (bdf) is declared as u16 which causes
inifinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
This patch changes the variable to u32 instead.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/drivers/passthrough/amd/iommu_acpi.c b/xen/drivers/passthrough/amd/iommu_acpi.c
index fca203707dc54f41894f3bd60cef0aab31538c97..9d05f7b20a01bd7184106afb499d8beb15595917 100644 (file)
--- a/xen/drivers/passthrough/amd/iommu_acpi.c
+++ b/xen/drivers/passthrough/amd/iommu_acpi.c
@@ -159,7 +159,7 @@ static int __init register_exclusion_range_for_all_devices(
     int seg = 0; /* XXX */
     unsigned long range_top, iommu_top, length;
     struct amd_iommu *iommu;
-    u16 bdf;
+    unsigned int bdf;
 
     /* is part of exclusion range inside of IOMMU virtual address space? */
     /* note: 'limit' parameter is assumed to be page-aligned */
@@ -237,7 +237,8 @@ static int __init register_exclusion_range_for_iommu_devices(
     unsigned long base, unsigned long limit, u8 iw, u8 ir)
 {
     unsigned long range_top, iommu_top, length;
-    u16 bdf, req;
+    unsigned int bdf;
+    u16 req;
 
     /* is part of exclusion range inside of IOMMU virtual address space? */
     /* note: 'limit' parameter is assumed to be page-aligned */
@@ -292,7 +293,7 @@ static int __init parse_ivmd_device_range(
     const struct acpi_ivrs_memory *ivmd_block,
     unsigned long base, unsigned long limit, u8 iw, u8 ir)
 {
-    u16 first_bdf, last_bdf, bdf;
+    unsigned int first_bdf, last_bdf, bdf;
     int error;
 
     first_bdf = ivmd_block->header.device_id;
@@ -430,7 +431,7 @@ static u16 __init parse_ivhd_device_range(
     const struct acpi_ivhd_device_range *range,
     u16 header_length, u16 block_length, struct amd_iommu *iommu)
 {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    unsigned int dev_length, first_bdf, last_bdf, bdf;
 
     dev_length = sizeof(*range);
     if ( header_length < (block_length + dev_length) )
@@ -511,7 +512,7 @@ static u16 __init parse_ivhd_device_alias_range(
     u16 header_length, u16 block_length, struct amd_iommu *iommu)
 {
 
-    u16 dev_length, first_bdf, last_bdf, alias_id, bdf;
+    unsigned int dev_length, first_bdf, last_bdf, alias_id, bdf;
 
     dev_length = sizeof(*range);
     if ( header_length < (block_length + dev_length) )
@@ -590,7 +591,7 @@ static u16 __init parse_ivhd_device_extended_range(
     const struct acpi_ivhd_device_extended_range *range,
     u16 header_length, u16 block_length, struct amd_iommu *iommu)
 {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    unsigned int dev_length, first_bdf, last_bdf, bdf;
 
     dev_length = sizeof(*range);
     if ( header_length < (block_length + dev_length) )

diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c
index b431d16869d0ad73b834342c3226d0cfd7c8bb77..4686813a8bb6bc13058ddc330024907631aa0bba 100644 (file)
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -524,7 +524,8 @@ static hw_irq_controller iommu_maskable_msi_type = {
 
 static void parse_event_log_entry(struct amd_iommu *iommu, u32 entry[])
 {
-    u16 domain_id, device_id, bdf, flags;
+    u16 domain_id, device_id, flags;
+    unsigned int bdf;
     u32 code;
     u64 *addr;
     int count = 0;
@@ -1103,7 +1104,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct ivrs_mappings *))
 
     do {
         struct ivrs_mappings *map;
-        int bdf;
+        unsigned int bdf;
 
         if ( !radix_tree_gang_lookup(&ivrs_maps, (void **)&map, seg, 1) )
             break;
@@ -1118,7 +1119,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct ivrs_mappings *))
 static int __init alloc_ivrs_mappings(u16 seg)
 {
     struct ivrs_mappings *ivrs_mappings;
-    int bdf;
+    unsigned int bdf;
 
     BUG_ON( !ivrs_bdf_entries );
 
@@ -1156,7 +1157,7 @@ static int __init alloc_ivrs_mappings(u16 seg)
 static int __init amd_iommu_setup_device_table(
     u16 seg, struct ivrs_mappings *ivrs_mappings)
 {
-    int bdf;
+    unsigned int bdf;
     void *intr_tb, *dte;
 
     BUG_ON( (ivrs_bdf_entries == 0) );
@@ -1306,7 +1307,8 @@ static void invalidate_all_domain_pages(void)
 static int _invalidate_all_devices(
     u16 seg, struct ivrs_mappings *ivrs_mappings)
 {
-    int bdf, req_id;
+    unsigned int bdf; 
+    u16 req_id;
     unsigned long flags;
     struct amd_iommu *iommu;