From: Marc Zyngier <marc.zyngier@arm.com>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Jiang Liu <jiang.liu@linux.intel.com>,
Lorenzo Pieralisi <Lorenzo.Pieralisi@arm.com>,
Andre Przywara <Andre.Przywara@arm.com>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
linux-arm <linux-arm-kernel@lists.infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] PCI: Fix pcibios_update_irq misuse of irq number
Date: Mon, 02 Feb 2015 16:23:56 +0000
Message-ID: <54CFA49C.50404@arm.com>
In-Reply-To: <CAErSpo5=NhPZ5RNbBeGqKuLbKdOyTD1m+ijWM2SzQFWuKLTJfg@mail.gmail.com>

On 02/02/15 15:57, Bjorn Helgaas wrote:
> On Wed, Jan 28, 2015 at 8:51 AM, Marc Zyngier <marc.zyngier@arm.com> wrote:
>> pcibios_update_irq writes an irq number into the config space
>> of a given PCI device, but ignores the fact that this number
>> is a virtual interrupt number, which might be a very different
>> value from what the underlying hardware is using.
>>
>> The obvious fix is to fetch the HW interrupt number from the
>> corresponding irq_data structure. This is slightly complicated
>> by the fact that this interrupt might be serviced by a stacked
>> domain.
>>
>> This has been tested on KVM with kvmtool.
>>
>> Reported-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
>> Tested-by: Andre Przywara <andre.przywara@arm.com>
>> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
>
> Jiang, are you OK with this patch as-is now, since it isn't used on x86?
>
> Marc, Lorenzo, I assume this actually fixes a bug. Can we get any
> more details about what happens when you hit the bug, and how you
> reproduced it (what platform, driver, etc.)?

It definitely fixes a bug. This has been found by running a KVM guest
using kvmtool PCI emulation, where the following things happen:

- Guest programs a virtual (bogus) interrupt number in the PCI device
  config space (virtio disk in this case)
- kvmtool uses that interrupt number as is, without any other form of
  validation
- Either the injection fails (because the interrupt is out of the range
  of the virtual interrupt controller) -> virtio PCI device goes dead
- or the injection succeeds because this is a valid interrupt number,
  but signals an unrelated peripheral -> virtio PCI device goes dead.

This can be trivially reproduced on any ARM PCI system that requires
legacy interrupts (i.e. no MSI support), and that uses a GIC interrupt
controller. Doing it in a VM is just much more convenient.

Hope this helps,

        M.
--
Jazz is not dead. It just smells funny...
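
An added example, not part of the original message or of the kernel or kvmtool sources: a small C model of the failure described above, using a hypothetical `irq_data_model` structure and constructed IRQ numbers. It assumes the hardware-facing number is the `hwirq` at the root of the stacked hierarchy, and adds an emulator-side check (`check_line`, also hypothetical) that distinguishes the two outcomes in the list.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified, hypothetical stand-in for the kernel's struct irq_data. */
struct irq_data_model {
    unsigned int virq;                        /* Linux virtual IRQ number */
    unsigned long hwirq;                      /* number at this domain level */
    const struct irq_data_model *parent_data; /* NULL at the root controller */
};

/* Assumption: the hardware-facing number is the hwirq of the root level. */
unsigned long root_hwirq(const struct irq_data_model *d)
{
    while (d->parent_data)
        d = d->parent_data;
    return d->hwirq;
}

enum inject_result { INJECT_OK, INJECT_OUT_OF_RANGE, INJECT_WRONG_LINE };

/* Emulator-side check: the guest-written byte is untrusted input, so accept
 * it only if it is in range and is the line assigned to this device. */
enum inject_result check_line(uint8_t guest_line, uint8_t assigned_line,
                              unsigned int nr_lines)
{
    if (guest_line >= nr_lines)
        return INJECT_OUT_OF_RANGE;
    if (guest_line != assigned_line)
        return INJECT_WRONG_LINE;
    return INJECT_OK;
}

/* Constructed scenario: device wired to line 36 of a 64-line controller,
 * reached through one stacked level. use_hwirq selects the fixed behaviour. */
enum inject_result scenario(unsigned int virq, int use_hwirq)
{
    const struct irq_data_model root = { virq, 36, NULL };
    const struct irq_data_model leaf = { virq, 4, &root };
    uint8_t line = use_hwirq ? (uint8_t)root_hwirq(&leaf) : (uint8_t)virq;
    return check_line(line, 36, 64);
}

int main(void)
{
    printf("virq 70 written as-is:  %d\n", scenario(70, 0));
    printf("virq 40 written as-is:  %d\n", scenario(40, 0));
    printf("root hwirq written:     %d\n", scenario(70, 1));
    return 0;
}
```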