[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v3 3/3] gnttab: don't expose host physical address without need

Translated domains shouldn't see host physical addresses. While the
address is also not supposed to be handed back even to non-translated
domains when GNTMAP_device_map is not set (as explicitly stated by a
comment in the public header), PV kernels (Linux at least) assume the
field to get populated nevertheless. (Similarly mapkind() should check
only GNTMAP_device_map.)

Along these lines split the paging mode related check near the top of
map_grant_ref() to handle the "external" and "translated" cases
separately (GNTMAP_device_map use getting tied to being non-translated
rather than non-external), and make the assignment of ->dev_bus_addr
conditional upon the guest being a non-translated one.

Still along these lines in the unmapping case there's no point checking
->dev_bus_addr when GNTMAP_device_map isn't set (and hence the field
isn't going to be consumed).

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
v3: New.

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -938,21 +938,29 @@ map_grant_ref(
     }
 
     if ( unlikely(paging_mode_external(ld) &&
-                  (op->flags & (GNTMAP_device_map|GNTMAP_application_map|
-                            GNTMAP_contains_pte))) )
+                  (op->flags & (GNTMAP_application_map|GNTMAP_contains_pte))) )
     {
-        gdprintk(XENLOG_INFO, "No device mapping in HVM domain\n");
+        gdprintk(XENLOG_INFO, "No application mapping in HVM domain\n");
         op->status = GNTST_general_error;
         return;
     }
 
-    if ( paging_mode_translate(ld) && (op->flags & GNTMAP_host_map) &&
-         (rc = notify_gfn(ld, gaddr_to_gfn(op->host_addr))) )
+    if ( paging_mode_translate(ld) )
     {
-        gdprintk(XENLOG_INFO, "notify(%"PRI_gfn") -> %d\n",
-                 gfn_x(gaddr_to_gfn(op->host_addr)), rc);
-        op->status = GNTST_general_error;
-        return;
+        if ( unlikely((op->flags & GNTMAP_device_map)) )
+        {
+            gdprintk(XENLOG_INFO, "No device mapping in translated domain\n");
+            op->status = GNTST_general_error;
+            return;
+        }
+
+        if ( unlikely(rc = notify_gfn(ld, gaddr_to_gfn(op->host_addr))) )
+        {
+            gdprintk(XENLOG_INFO, "notify(%"PRI_gfn") -> %d\n",
+                     gfn_x(gaddr_to_gfn(op->host_addr)), rc);
+            op->status = GNTST_general_error;
+            return;
+        }
         BUILD_BUG_ON(GNTST_okay);
     }
 
@@ -1201,7 +1209,8 @@ map_grant_ref(
     if ( need_iommu )
         double_gt_unlock(lgt, rgt);
 
-    op->dev_bus_addr = mfn_to_maddr(mfn);
+    op->dev_bus_addr = paging_mode_translate(ld) ? op->host_addr
+                                                 : mfn_to_maddr(mfn);
     op->handle       = handle;
     op->status       = GNTST_okay;
 
@@ -1382,7 +1391,7 @@ unmap_common(
 
     op->mfn = act->mfn;
 
-    if ( op->dev_bus_addr &&
+    if ( op->dev_bus_addr && (flags & GNTMAP_device_map) &&
          unlikely(op->dev_bus_addr != mfn_to_maddr(act->mfn)) )
         PIN_FAIL(act_release_out, GNTST_general_error,
                  "Bus address doesn't match gntref (%"PRIx64" != 
%"PRIpaddr")\n",


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.