Xen project Mailing List

Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the paging mempool size

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 17 Nov 2022 11:18:38 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Tvy92WkXe45I9oOXd1L/urf2YeCxtLaQ1nwyO/wJ8Qw=; b=FpCuNWe1M6rXA+Q0J8Bdl+x97NkUSb4rP/CFbhxZIGy6jZz8IRWBAu/MvjBh3hUvZoTWtgsGeBH7oM2yD2n9vJsvCfJyOLuioAK8H+pMJM7Cdmcp4T3rnceI49dlpBGfBd3E+hCSWGdlMaHlcD/Ih7MHAbdB0sByrnCP7yNX6IHghLJSAwsnuB2UD1PXpR7YE7HhRIrJrvpjY95P9gPSOtcGAurMBmizWNgKD4AiwVxOXUBw6FgIjZ3gjWgAI5wwcfiYSPuiC43Thz7EhAFlS8UJFwyJ7EbhSRYooTiMAoAp6Y6v1IwzArtS6g7VesA7eijTVrzxEoKRO8E28dGwiw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=P41FUvF7Wd6+X9KN1373kifOoTouAi/sjT9X6Tys3Z8qKoKE+6uMYkqKS27fzhHvCeSb9HRu2NvHIcQJjkhxV8xUjDZVJViPQRZRV0UfBO73NieZxudGNuzJdioSuAzOQaQKzZcYHbm5gpklffHyMk1iIAQ7aXWsWzzXq9NNXumZKEyfVm4dAcOJmklT5lTp7BlQWRKoZt53pLCfoCMn1fIMD1n358ZDegfbiCqOzakbirllq195dPD2bzQnYtxymcIGLwS2sw13vYFhsqvha2oHypPGF77GcBnxDWKI5ryy7WAULNu0biyTAcK9vRu4svV7ohtTa0DGvXTS7bwTfQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>

Delivery-date: Thu, 17 Nov 2022 10:18:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.11.2022 02:08, Andrew Cooper wrote: > The existing XEN_DOMCTL_SHADOW_OP_{GET,SET}_ALLOCATION have problems: > > * All set_allocation() flavours have an overflow-before-widen bug when > calculating "sc->mb << (20 - PAGE_SHIFT)". > * All flavours have a granularity of 1M. This was tolerable when the size of > the pool could only be set at the same granularity, but is broken now that > ARM has a 16-page stopgap allocation in use. > * All get_allocation() flavours round up, and in particular turn 0 into 1, > meaning the get op returns junk before a successful set op. > * The x86 flavours reject the hypercalls before the VM has vCPUs allocated, > despite the pool size being a domain property. > * Even the hypercall names are long-obsolete. > > Implement a better interface, which can be first used to unit test the > behaviour, and subsequently correct a broken implementation. The old > interface will be retired in due course. > > The unit of bytes (as opposed pages) is a deliberate API/ABI improvement to > more easily support multiple page granularities. > > This is part of XSA-409 / CVE-2022-33747. While I'm not convinced of this attribution, ... > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Release-acked-by: Henry Wang <Henry.Wang@xxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> # hypervisor albeit with remarks: > --- a/xen/arch/x86/mm/paging.c > +++ b/xen/arch/x86/mm/paging.c > @@ -977,6 +977,49 @@ int __init paging_set_allocation(struct domain *d, > unsigned int pages, > } > #endif > > +int arch_get_paging_mempool_size(struct domain *d, uint64_t *size) > +{ > + int rc; > + > + if ( is_pv_domain(d) ) /* TODO: Relax in due course */ > + return -EOPNOTSUPP; I guess this is merely for symmetry with ... > +int arch_set_paging_mempool_size(struct domain *d, uint64_t size) > +{ > + unsigned long pages = size >> PAGE_SHIFT; > + bool preempted = false; > + int rc; > + > + if ( is_pv_domain(d) ) /* TODO: Relax in due course */ > + return -EOPNOTSUPP; ... this, since otherwise "get" ought to be fine for PV? > @@ -946,6 +949,22 @@ struct xen_domctl_cacheflush { > xen_pfn_t start_pfn, nr_pfns; > }; > > +/* > + * XEN_DOMCTL_get_paging_mempool_size / XEN_DOMCTL_set_paging_mempool_size. > + * > + * Get or set the paging memory pool size. The size is in bytes. > + * > + * This is a dedicated pool of memory for Xen to use while managing the > guest, > + * typically containing pagetables. As such, there is an implementation > + * specific minimum granularity. > + * > + * The set operation can fail mid-way through the request (e.g. Xen running > + * out of memory, no free memory to reclaim from the pool, etc.). > + */ > +struct xen_domctl_paging_mempool { > + uint64_aligned_t size; /* IN/OUT. Size in bytes. */ While likely people will correctly infer what is meant, strictly speaking this is wrong: The field is IN for "set" and OUT for "get". Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.