
Re: [PATCH] xen/arm: optee: Allocate anonymous domheap pages



On Mon, 6 Sep 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
> 
> Allocate anonymous domheap pages as there is no strict need to
> account them to a particular domain.
> 
> Since XSA-383 "xen/arm: Restrict the amount of memory that dom0less
> domU and dom0 can allocate" the dom0 cannot allocate memory outside
> of the pre-allocated region. This means if we try to allocate
> non-anonymous page to be accounted to dom0 we will get an
> over-allocation issue when assigning that page to the domain.
> The anonymous page, in turn, is not assigned to any domain.
> 
> CC: Julien Grall <jgrall@xxxxxxxxxx>
> Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
> Acked-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>

Only one question, which is more architectural: given that these pages
are "unlimited", could the guest exploit the interface somehow to force
Xen to allocate a very high number of anonymous pages?

E.g. could a domain call OPTEE_SMC_RPC_FUNC_ALLOC in a loop to force Xen
to exhaust all memory pages?



> ---
>  xen/arch/arm/tee/optee.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
> index 3453615..83b4994 100644
> --- a/xen/arch/arm/tee/optee.c
> +++ b/xen/arch/arm/tee/optee.c
> @@ -410,7 +410,7 @@ static struct shm_rpc *allocate_and_pin_shm_rpc(struct 
> optee_domain *ctx,
>      if ( !shm_rpc )
>          return ERR_PTR(-ENOMEM);
>  
> -    shm_rpc->xen_arg_pg = alloc_domheap_page(current->domain, 0);
> +    shm_rpc->xen_arg_pg = alloc_domheap_page(NULL, 0);
>      if ( !shm_rpc->xen_arg_pg )
>      {
>          xfree(shm_rpc);
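
Review bot: At the alloc_domheap_page(NULL, 0) call for shm_rpc->xen_arg_pg, the page is no longer charged to current->domain, and neither this hunk nor the commit message says what caps the number of shm_rpc objects a guest can have outstanding. Please state that limit in the commit message or in a comment above this call, so it is clear that a guest cannot grow Xen's anonymous allocations without bound.
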
> @@ -774,7 +774,7 @@ static int translate_noncontig(struct optee_domain *ctx,
>       * - There is a plan to implement preemption in the code below, which
>       *   will allow use to increase default MAX_SHM_BUFFER_PG value.
>       */
> -    xen_pgs = alloc_domheap_pages(current->domain, order, 0);
> +    xen_pgs = alloc_domheap_pages(NULL, order, 0);
>      if ( !xen_pgs )
>          return -ENOMEM;
>  
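
Review bot: The alloc_domheap_pages(NULL, order, 0) call is a multi-page allocation whose size follows order, and with a NULL owner the domain's own memory limit no longer applies to it. The comment just above already discusses MAX_SHM_BUFFER_PG; extend it to say how order is bounded for this anonymous allocation. While this area is being touched, "allow use to increase" in that comment looks like a typo for "allow us to increase".
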
> @@ -938,7 +938,7 @@ static bool copy_std_request(struct cpu_user_regs *regs,
>  
>      BUILD_BUG_ON(OPTEE_MSG_NONCONTIG_PAGE_SIZE > PAGE_SIZE);
>  
> -    call->xen_arg_pg = alloc_domheap_page(current->domain, 0);
> +    call->xen_arg_pg = alloc_domheap_page(NULL, 0);
>      if ( !call->xen_arg_pg )
>      {
>          set_user_reg(regs, 0, OPTEE_SMC_RETURN_ENOMEM);
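
Review bot: In copy_std_request(), call->xen_arg_pg is now an anonymous page, so the only failure handling visible here is the OPTEE_SMC_RETURN_ENOMEM path taken once the allocation itself fails. The commit message should say what limits the number of standard calls a domain can have in flight, since each one now holds a page that is accounted to no domain.
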
> -- 
> 2.7.4
> 



 

