This was the original attempt to address XSA-467, until it was found
that IRQs can be off already from higher up the call stack. Nevertheless
moving code out of locked regions is generally desirable anyway; some of
the callers, after all, don't disable interrupts or acquire other locks.

Hence, despite this not addressing the original report:

Data collection solely depends on the passed in PCI device. Furthermore,
since the function only writes to a local variable, we can pull the
invocation of set_msi_source_id() (and also set_hpet_source_id()) ahead
of the acquiring of the (IRQ-safe) lock.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
--- a/xen/drivers/passthrough/vtd/intremap.c
+++ b/xen/drivers/passthrough/vtd/intremap.c
@@ -508,6 +508,11 @@ static int msi_msg_to_remap_entry(
const struct pi_desc *pi_desc = msi_desc->pi_desc;
bool alloc = false;
+ if ( pdev )
+ set_msi_source_id(pdev, &new_ire);
+ else
+ set_hpet_source_id(msi_desc->hpet_id, &new_ire);
+
if ( msi_desc->msi_attrib.type == PCI_CAP_ID_MSI )
nr = msi_desc->msi.nvec;
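Review bot: the hoisted call site at the top of msi_msg_to_remap_entry() wants a one-line comment saying why it is safe to run before the lock is taken, i.e. that set_msi_source_id() and set_hpet_source_id() only write into the local new_ire and read nothing the lock protects (pdev, or msi_desc->hpet_id). Without that, the next person adding shared-state access to either helper, or hoisting further code above this point, has no hint that the placement is load-bearing. It is also worth confirming that new_ire is already initialised here, since its declaration sits outside the visible context and the call now precedes everything else in the function.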
@@ -575,11 +580,6 @@ static int msi_msg_to_remap_entry(
new_ire.post.p = 1;
}
- if ( pdev )
- set_msi_source_id(pdev, &new_ire);
- else
- set_hpet_source_id(msi_desc->hpet_id, &new_ire);
-
/* now construct new MSI/MSI-X rte entry */
remap_rte = (struct msi_msg_remap_entry *)msg;
remap_rte->address_lo.dontcare = 0;
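Review bot: the removed call sat after the `new_ire.post.p = 1;` posted-interrupt block, so the move is only behaviour-preserving if nothing between function entry and this point re-initialises new_ire or overwrites the fields the source-id helpers fill (a memset, a whole-struct assignment, or a union member in the posted/remap layouts overlapping the SID/SQ/SVT bits would silently discard the source id). The context lines shown do not cover that region; please confirm the remap and posted field writes are disjoint from the source-id fields, ideally noting it in a comment next to the now-earlier call.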
On 13/03/2025 1:33 pm, Jan Beulich wrote:
> This was the original attempt to address XSA-467, until it was found
> that IRQs can be off already from higher up the call stack. Nevertheless
> moving code out of locked regions is generally desirable anyway; some of
> the callers, after all, don't disable interrupts or acquire other locks.
>
> Hence, despite this not addressing the original report:
>
> Data collection solely depends on the passed in PCI device. Furthermore,
> since the function only writes to a local variable, we can pull the
> invocation of set_msi_source_id() (and also set_hpet_source_id()) ahead
> of the acquiring of the (IRQ-safe) lock.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

It's worth noting that this patch was shown to fix the original crash,
only to expose the second. I.e. it's had some testing.