Xen project Mailing List

Re: [PATCH 4/5] xen/memory: Fix acquire_resource size semantics

To: Julien Grall <julien@xxxxxxx>, <paul@xxxxxxx>, 'Xen-devel' <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 30 Jul 2020 20:53:10 +0100

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: 'Stefano Stabellini' <sstabellini@xxxxxxxxxx>, 'Hubert Jasudowicz' <hubert.jasudowicz@xxxxxxx>, 'Wei Liu' <wl@xxxxxxx>, 'Konrad Rzeszutek Wilk' <konrad.wilk@xxxxxxxxxx>, 'George Dunlap' <George.Dunlap@xxxxxxxxxxxxx>, 'Michał Leszczyński' <michal.leszczynski@xxxxxxx>, 'Jan Beulich' <JBeulich@xxxxxxxx>, 'Ian Jackson' <ian.jackson@xxxxxxxxxx>

Delivery-date: Thu, 30 Jul 2020 19:53:24 +0000

Ironport-sdr: nqnJxs+Xpx7NxZTh8AWiEtTmjTO27dOHGkZygQHHS0P+9CUccpL9tymdiTLvS2RxAmEKPWgHwW OR/ZZyOWQcfS1V13EAlyEiEJK6mqkNB3xNckX4+oOkqJQaKMXFduBL5YCOenhpW8UvlIWH/wOs XauWjqJ6VY3BQxDBtZfKN0FXVIQTyBejEbTWIBnmsKf0vzBaqWI3Ut0LwQUtbYBgTOQNuX62j/ PtbyKXmyF4iQ6TZkWNCMa6A0oi6sM5T/sGvKjdH6V7hexG5BYffX5yMX5IwnIz8QIWxvUJA4uy Iek=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30/07/2020 13:54, Julien Grall wrote: > Hi Paul, > > On 30/07/2020 09:31, Paul Durrant wrote: >>> diff --git a/xen/common/memory.c b/xen/common/memory.c >>> index dc3a7248e3..21edabf9cc 100644 >>> --- a/xen/common/memory.c >>> +++ b/xen/common/memory.c >>> @@ -1007,6 +1007,26 @@ static long xatp_permission_check(struct >>> domain *d, unsigned int space) >>> return xsm_add_to_physmap(XSM_TARGET, current->domain, d); >>> } >>> >>> +/* >>> + * Return 0 on any kind of error. Caller converts to -EINVAL. >>> + * >>> + * All nonzero values should be repeatable (i.e. derived from some >>> fixed >>> + * proerty of the domain), and describe the full resource (i.e. >>> mapping the >> >> s/property/property >> >>> + * result of this call will be the entire resource). >> >> This precludes dynamically adding a resource to a running domain. Do >> we really want to bake in that restriction? > > AFAICT, this restriction is not documented in the ABI. In particular, > it is written: > > " > The size of a resource will never be zero, but a nonzero result doesn't > guarentee that a subsequent mapping request will be successful. There > are further type/id specific constraints which may change between the > two calls. > " > > So I think a domain couldn't rely on this behavior. Although, it might > be good to clarify in the comment on top of resource_max_frames that > this an implementation decision and not part of the ABI. There are two aspects here. First, yes - I deliberately didn't state it in the ABI, just in case we might want to use it in the future. I could theoretically foresee using -EBUSY for the purpose. That said however, we are currently deliberately taking dynamic resources out of Xen, because they've proved to be unnecessary in practice and a fertile source of complexity and security bugs. I don't foresee accepting new dynamic resources, but that's not to say that someone can't theoretically come up with a sufficiently compelling counterexample. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.