From: Paul Durrant Date: Wed, 15 Aug 2018 12:14:06 +0000 (+0200) Subject: x86/hvm/ioreq: MMIO range checking completely ignores direction flag X-Git-Tag: archive/raspbian/4.14.0+80-gd101b417b7-1+rpi1^2~63^2~3469 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=60a56dc0064a00830663ffe48215dcd080cb9504;p=xen.git x86/hvm/ioreq: MMIO range checking completely ignores direction flag hvm_select_ioreq_server() is used to route an ioreq to the appropriate ioreq server. For MMIO this is done by comparing the range of the ioreq to the ranges registered by the device models of each ioreq server. Unfortunately the calculation of the range if the ioreq completely ignores the direction flag and thus may calculate the wrong range for comparison. Thus the ioreq may either be routed to the wrong server or erroneously terminated by null_ops. NOTE: The patch also fixes whitespace in the switch statement to make it style compliant. Signed-off-by: Paul Durrant Reviewed-by: Andrew Cooper --- diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c index 7c515b3ef7..940a2c9728 100644 --- a/xen/arch/x86/hvm/ioreq.c +++ b/xen/arch/x86/hvm/ioreq.c @@ -1353,20 +1353,25 @@ struct hvm_ioreq_server *hvm_select_ioreq_server(struct domain *d, switch ( type ) { - unsigned long end; + unsigned long start, end; case XEN_DMOP_IO_RANGE_PORT: - end = addr + p->size - 1; - if ( rangeset_contains_range(r, addr, end) ) + start = addr; + end = start + p->size - 1; + if ( rangeset_contains_range(r, start, end) ) return s; break; + case XEN_DMOP_IO_RANGE_MEMORY: - end = addr + (p->size * p->count) - 1; - if ( rangeset_contains_range(r, addr, end) ) + start = hvm_mmio_first_byte(p); + end = hvm_mmio_last_byte(p); + + if ( rangeset_contains_range(r, start, end) ) return s; break; + case XEN_DMOP_IO_RANGE_PCI: if ( rangeset_contains_singleton(r, addr >> 32) ) {