Xen project Mailing List

Re: [Xen-devel] [PATCH 7/8] x86/mm: handle foreign mappings in p2m_entry_modify

To: Roger Pau Monne <roger.pau@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: George Dunlap <george.dunlap@xxxxxxxxxx>

Date: Thu, 7 Feb 2019 17:49:16 +0000

Autocrypt: addr=george.dunlap@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFPqG+MBEACwPYTQpHepyshcufo0dVmqxDo917iWPslB8lauFxVf4WZtGvQSsKStHJSj 92Qkxp4CH2DwudI8qpVbnWCXsZxodDWac9c3PordLwz5/XL41LevEoM3NWRm5TNgJ3ckPA+J K5OfSK04QtmwSHFP3G/SXDJpGs+oDJgASta2AOl9vPV+t3xG6xyfa2NMGn9wmEvvVMD44Z7R W3RhZPn/NEZ5gaJhIUMgTChGwwWDOX0YPY19vcy5fT4bTIxvoZsLOkLSGoZb/jHIzkAAznug Q7PPeZJ1kXpbW9EHHaUHiCD9C87dMyty0N3TmWfp0VvBCaw32yFtM9jUgB7UVneoZUMUKeHA fgIXhJ7I7JFmw3J0PjGLxCLHf2Q5JOD8jeEXpdxugqF7B/fWYYmyIgwKutiGZeoPhl9c/7RE Bf6f9Qv4AtQoJwtLw6+5pDXsTD5q/GwhPjt7ohF7aQZTMMHhZuS52/izKhDzIufl6uiqUBge 0lqG+/ViLKwCkxHDREuSUTtfjRc9/AoAt2V2HOfgKORSCjFC1eI0+8UMxlfdq2z1AAchinU0 eSkRpX2An3CPEjgGFmu2Je4a/R/Kd6nGU8AFaE8ta0oq5BSFDRYdcKchw4TSxetkG6iUtqOO ZFS7VAdF00eqFJNQpi6IUQryhnrOByw+zSobqlOPUO7XC5fjnwARAQABtCRHZW9yZ2UgVy4g RHVubGFwIDxkdW5sYXBnQHVtaWNoLmVkdT6JAlcEEwEKAEECGwMFCwkIBwMFFQoJCAsFFgID AQACHgECF4ACGQEWIQTXqBy2bTNXPzpOYFimNjwxBZC0bQUCXEowWQUJDCJ7dgAKCRCmNjwx BZC0beKvEACJ75YlJXd7TnNHgFyiCJkm/qPeoQ3sFGSDZuZh7SKcdt9+3V2bFEb0Mii1hQaz 3hRqZb8sYPHJrGP0ljK09k3wf8k3OuNxziLQBJyzvn7WNlE4wBEcy/Ejo9TVBdA4ph5D0YaZ nqdsPmxe/xlTFuSkgu4ep1v9dfVP1TQR0e+JIBa/Ss+cKC5intKm+8JxpOploAHuzaPu0L/X FapzsIXqgT9eIQeBEgO2hge6h9Jov3WeED/vh8kA7f8c6zQ/gs5E7VGALwsiLrhr0LZFcKcw kI3oCCrB/C/wyPZv789Ra8EXbeRSJmTjcnBwHRPjnjwQmetRDD1t+VyrkC6uujT5jmgOBzaj KCqZ8PcMAssOzdzQtKmjUQ2b3ICPs2X13xZ5M5/OVs1W3TG5gkvMh4YoHi4ilFnOk+v3/j7q 65FG6N0JLb94Ndi80HkIOQQ1XVGTyu6bUPaBg3rWK91Csp1682kD/dNVF3FKHrRLmSVtmEQR 5rK0+VGc/FmR6vd4haKGWIRuPxzg+pBR77avIZpU7C7+UXGuZ5CbHwIdY8LojJg2TuUdqaVj yxmEZLOA8rVHipCGrslRNthVbJrGN/pqtKjCClFZHIAYJQ9EGLHXLG9Pj76opfjHij3MpR3o pCGAh6KsCrfrsvjnpDwqSbngGyEVH030irSk4SwIqZ7FwLkBDQRUWmc6AQgAzpc8Ng5Opbrh iZrn69Xr3js28p+b4a+0BOvC48NfrNovZw4eFeKIzmI/t6EkJkSqBIxobWRpBkwGweENsqnd 0qigmsDw4N7J9Xx0h9ARDqiWxX4jr7u9xauI+CRJ1rBNO3VV30QdACwQ4LqhR/WA+IjdhyMH wj3EJGE61NdP/h0zfaLYAbvEg47/TPThFsm4m8Rd6bX7RkrrOgBbL/AOnYOMEivyfZZKX1vv iEemAvLfdk2lZt7Vm6X/fbKbV8tPUuZELzNedJvTTBS3/l1FVz9OUcLDeWhGEdlxqXH0sYWh E9+PXTAfz5JxKH+LMetwEM8DbuOoDIpmIGZKrZ+2fQARAQABiQNbBBgBCgAmAhsCFiEE16gc tm0zVz86TmBYpjY8MQWQtG0FAlxKMJ4FCQnQ/OQBKcBdIAQZAQoABgUCVFpnOgAKCRCyFcen x4Qb7cXrCAC0qQeEWmLa9oEAPa+5U6wvG1t/mi22gZN6uzQXH1faIOoDehr7PPESE6tuR/vI CTTnaSrd4UDPNeqOqVF07YexWD1LDcQG6PnRqC5DIX1RGE3BaSaMl2pFJP8y+chews11yP8G DBbxaIsTcHZI1iVIC9XLhoeegWi84vYc8F4ziADVfowbmbvcVw11gE8tmALCwTeBeZVteXjh 0OELHwrc1/4j4yvENjIXRO+QLIgk43kB57Upr4tP2MEcs0odgPM+Q+oETOJ00xzLgkTnLPim C1FIW2bOZdTj+Uq6ezRS2LKsNmW+PRRvNyA5ojEbA/faxmAjMZtLdSSSeFK8y4SoCRCmNjwx BZC0bevWEACRu+GyQgrdGmorUptniIeO1jQlpTiP5WpVnk9Oe8SiLoXUhXXNj6EtzyLGpYmf kEAbki+S6WAKnzZd3shL58AuMyDxtFNNjNeKJOcl6FL7JPBIIgIp3wR401Ep+/s5pl3Nw8Ii 157f0T7o8CPb54w6S1WsMkU78WzTxIs/1lLblSMcvyz1Jq64g4OqiWI85JfkzPLlloVf1rzy ebIBLrrmjhCE2tL1RONpE/KRVb+Q+PIs5+YcZ+Q1e0vXWA7NhTWFbWx3+N6WW6gaGpbFbopo FkYRpj+2TA5cX5zW148/xU5/ATEb5vdUkFLUFVy5YNUSyeBHuaf6fGmBrDc47rQjAOt1rmyD 56MUBHpLUbvA6NkPezb7T6bQpupyzGRkMUmSwHiLyQNJQhVe+9NiJJvtEE3jol0JVJoQ9WVn FAzPNCgHQyvbsIF3gYkCYKI0w8EhEoH5FHYLoKS6Jg880IY5rXzoAEfPvLXegy6mhYl+mNVN QUBD4h9XtOvcdzR559lZuC0Ksy7Xqw3BMolmKsRO3gWKhXSna3zKl4UuheyZtubVWoNWP/bn vbyiYnLwuiKDfNAinEWERC8nPKlv3PkZw5d3t46F1Dx0TMf16NmP+azsRpnMZyzpY8BL2eur feSGAOB9qjZNyzbo5nEKHldKWCKE7Ye0EPEjECS1gjKDwQ==

Cc: Kevin Tian <kevin.tian@xxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>

Delivery-date: Thu, 07 Feb 2019 17:49:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 1/30/19 10:36 AM, Roger Pau Monne wrote: > So that the specific handling can be removed from > atomic_write_ept_entry and be shared with npt and shadow code. > > This commit also removes the check that prevent non-ept PVH dom0 from > mapping foreign pages. > > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > --- > Cc: George Dunlap <george.dunlap@xxxxxxxxxxxxx> > Cc: Jan Beulich <jbeulich@xxxxxxxx> > Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Cc: Wei Liu <wei.liu2@xxxxxxxxxx> > Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx> > Cc: Kevin Tian <kevin.tian@xxxxxxxxx> > Cc: Tim Deegan <tim@xxxxxxx> > --- > xen/arch/x86/mm/hap/hap.c | 3 +- > xen/arch/x86/mm/p2m-ept.c | 108 +++++++------------------------- > xen/arch/x86/mm/p2m-pt.c | 7 --- > xen/arch/x86/mm/shadow/common.c | 3 +- > xen/include/asm-x86/p2m.h | 30 ++++++++- > 5 files changed, 53 insertions(+), 98 deletions(-) > > diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c > index dc46d5e14f..4f52639be5 100644 > --- a/xen/arch/x86/mm/hap/hap.c > +++ b/xen/arch/x86/mm/hap/hap.c > @@ -735,7 +735,8 @@ hap_write_p2m_entry(struct domain *d, unsigned long gfn, > l1_pgentry_t *p, > } > > p2m_entry_modify(p2m_get_hostp2m(d), > p2m_flags_to_type(l1e_get_flags(new)), > - p2m_flags_to_type(old_flags), level); > + p2m_flags_to_type(old_flags), l1e_get_mfn(new), > + l1e_get_mfn(*p), level); > > safe_write_pte(p, new); > if ( old_flags & _PAGE_PRESENT ) > diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c > index 0ece6608cb..2b0c3ab265 100644 > --- a/xen/arch/x86/mm/p2m-ept.c > +++ b/xen/arch/x86/mm/p2m-ept.c > @@ -45,65 +45,13 @@ static inline bool_t is_epte_valid(ept_entry_t *e) > return ((e->epte & ~(1ul << 63)) != 0 && e->sa_p2mt != p2m_invalid); > } > > -/* returns : 0 for success, -errno otherwise */ > -static int atomic_write_ept_entry(struct p2m_domain *p2m, > - ept_entry_t *entryptr, ept_entry_t new, > - int level) > +static void atomic_write_ept_entry(struct p2m_domain *p2m, > + ept_entry_t *entryptr, ept_entry_t new, > + int level) > { > - int rc; > - unsigned long oldmfn = mfn_x(INVALID_MFN); > - bool_t check_foreign = (new.mfn != entryptr->mfn || > - new.sa_p2mt != entryptr->sa_p2mt); > - > - if ( level ) > - { > - ASSERT(!is_epte_superpage(&new) || !p2m_is_foreign(new.sa_p2mt)); > - write_atomic(&entryptr->epte, new.epte); > - return 0; > - } > - > - if ( unlikely(p2m_is_foreign(new.sa_p2mt)) ) > - { > - rc = -EINVAL; > - if ( !is_epte_present(&new) ) > - goto out; > - > - if ( check_foreign ) > - { > - struct domain *fdom; > - > - if ( !mfn_valid(_mfn(new.mfn)) ) > - goto out; > - > - rc = -ESRCH; > - fdom = page_get_owner(mfn_to_page(_mfn(new.mfn))); > - if ( fdom == NULL ) > - goto out; > - > - /* get refcount on the page */ > - rc = -EBUSY; > - if ( !get_page(mfn_to_page(_mfn(new.mfn)), fdom) ) > - goto out; > - } > - } > - > - if ( unlikely(p2m_is_foreign(entryptr->sa_p2mt)) && check_foreign ) > - oldmfn = entryptr->mfn; > - > - p2m_entry_modify(p2m, new.sa_p2mt, entryptr->sa_p2mt, level); > - > + p2m_entry_modify(p2m, new.sa_p2mt, entryptr->sa_p2mt, _mfn(new.mfn), > + _mfn(entryptr->mfn), level); > write_atomic(&entryptr->epte, new.epte); > - > - if ( unlikely(oldmfn != mfn_x(INVALID_MFN)) ) > - put_page(mfn_to_page(_mfn(oldmfn))); > - > - rc = 0; > - > - out: > - if ( rc ) > - gdprintk(XENLOG_ERR, "epte o:%"PRIx64" n:%"PRIx64" rc:%d\n", > - entryptr->epte, new.epte, rc); > - return rc; > } This is pretty awesome. :-) > diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h > index 834d49d2d4..1cc8acb3fe 100644 > --- a/xen/include/asm-x86/p2m.h > +++ b/xen/include/asm-x86/p2m.h > @@ -933,9 +933,12 @@ struct hvm_ioreq_server *p2m_get_ioreq_server(struct > domain *d, > unsigned int *flags); > > static inline void p2m_entry_modify(struct p2m_domain *p2m, p2m_type_t nt, > - p2m_type_t ot, unsigned int level) > + p2m_type_t ot, mfn_t nfn, mfn_t ofn, > + unsigned int level) > { > - if ( level != 1 || nt == ot ) > + struct page_info *pg; > + > + if ( level != 1 || (nt == ot && mfn_eq(nfn, ofn)) ) > return; Are you sure that foreign mappings (or ioreq server pages, for that matter) can never be level > 1? ioreq server pages may be relatively harmless if we get out of sync; but the reference count with the foreign mapping is really dangerous if it gets screwed up. I'd be tempted to say that we should BUG_ON(level > 1 && nt == foreign). > > switch ( nt ) > @@ -948,6 +951,17 @@ static inline void p2m_entry_modify(struct p2m_domain > *p2m, p2m_type_t nt, > p2m->ioreq.entry_count++; > break; > > + case p2m_map_foreign: > + pg = mfn_to_page(nfn); > + > + if ( !pg || !page_get_owner_and_reference(pg) ) > + { > + ASSERT_UNREACHABLE(); > + return; > + } Similarly, I'd be tempted to say we should BUG_ON() here instead. If a rogue guest can trigger this path, it would be a DoS; but the alternate would be to allow the mfn to be put into the p2m table without a reference, which could potentially be far worse. The alternate would be to have this return an error value, which would 1) cause the p2m write to fail, and 2) be checked all the way up the chain. Less worried about the removal side, as if we have BUG_ON's on the insertion side, they *really* shouldn't happen. -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.