[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the paging mempool size
- To: Jan Beulich <jbeulich@xxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Thu, 17 Nov 2022 15:51:56 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Qt3K/tjGsrID4OSRWP2dbdWOP4OJdeeWOzH3yLoSS00=; b=AksSWj7f2tPSvvA9mYPTHqfykbCvv+MyhGxr/8HDXboInwSGLJKUoNFTzAEJOdbWuKTndIRhtMa9zSKu3dH9cnkY/j/ToNOBKWyud+RSL25ANpX6q/o9eWewz/MYf7vBPjECFxwicG6cPRg9gVqEjB/ztPlue1daFA/37V4278z03+Jiey56FEc9CZ4XTiFxoruuJsY8x8lCyd9SjXybAPV3i7dgV0BDIYt+g1xmK44r0RT/qgMUV8ebTH6UAlJkKHzwmU7vYwRu4CRhW6c6KXFieVgcm6fRwsDELimBzUZD7BCX9oIzvHWBRI/36ySVej0JPS865GHQNfbSFxlTrQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iPEQI7Hc5FEg0+GsKiLb/vO83z7pILkxuV1yoBA6YzhVzAQPXYXTP5MdqgDfbhtF4xwt8GY0HMFID1JbpLUeDlcfZl1bp+RStWHDW9AgaF+pcqFbS3GwIF9dHQM7UsYdEztjwhTVCtNaA3Mq8oDfImpGrXjt4EfNAaZpxjbvNzjS6oQJeEMq0gM5MPyZShUp943EmN2YkslxjvKQP1u4/tueNaqYAG888N+L0G6YYAJ0nlvYX8s+2BduX4tQ9BgvM0VTSOiBBiaD5JUgWYCg2S6FfSwjzIA0OITg6qvIKaa33TBcKgQV8PbkVE+ozMb2otRCUcFfIpDGK0doUDFz6A==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>
- Delivery-date: Thu, 17 Nov 2022 15:52:11 +0000
- Ironport-data: A9a23:5AISw6B/xfhmvxVW/7Xiw5YqxClBgxIJ4kV8jS/XYbTApDN33mQCy WMWXmrUOvqCa2P3f9BzbdmzpBxT75/WmINnQQY4rX1jcSlH+JHPbTi7wuUcHAvJd5GeExg3h yk6QoOdRCzhZiaE/n9BCpC48T8nk/nNHuCnYAL9EngZbRd+Tys8gg5Ulec8g4p56fC0GArIs t7pyyHlEAbNNwVcbyRFtcpvlDs15K6o4WpB4QRkDRx2lAS2e0c9Xcp3yZ6ZdxMUcqEMdsamS uDKyq2O/2+x13/B3fv8z94X2mVTKlLjFVDmZkh+AsBOsTAbzsAG6Y4pNeJ0VKtio27hc+ada jl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CA6IoKvn3bEmp1T4E8K0YIw3PhlO1kN9 tYhDCkJRTaxluW6/I6wRbw57igjBJGD0II3nFhFlGicIdN4BJfJTuPN+MNS2yo2ioZWB/HCa sEFaD1pKhPdfxlIPVRRA5U79AuqriCnL3sE9xTI+uxuvTi7IA9ZidABNPL8fNCQSNoTtUGfv m/cpEzyAw0ANczZwj2Amp6prr+SwX2rAtpKfFG+3tlnnnyVwkETMxZIVQPmub6Yh3ejCs0Kf iT4/QJr98De7neDTNPwQhm5q36spQMHVpxbFOhSwBGAzO/Y7hiUAkAATyVdc5o2uckuXzso2 1SV2dTzClRHr7m9WX+bsLCOoluaIjMJJGUPYSsFSwot4NT5pow3yBXVQb5LErOxj9DzMSH9x XaNtidWr4sUickHxqCq52ftijinpoXKZgMt7wCRVWWghitzaZS5fYWu5R7e5OxZMYeCZlCbu T4PnM32xMADC4uc0hOERuolFausof2CNVXhbUVHGpAg83Gh/iCldIUJuTVmfh43YoADZCPjZ 1LVtUVJ/phPMXC2bKhxJYWsF8AtyqumHtPgPhzJUudzjlFKXFfv1ElTiYS4hQgBTGBEfXkDB Kqm
- Ironport-hdrordr: A9a23:t01IF6qIObXlVvfHh1HGMjkaV5sDLNV00zEX/kB9WHVpm5Oj+v xGzc5w6farsl0ssSkb6Ku90KnpewK+yXbsibNhcItKLzOWwldAS7sSobcKogeQUREWk9Qw6U 4OSdkYNDSdNzlHZIPBkXGF+rUbsZa6GcKT9IHjJh5WJGkEBZ2IrT0JczpzeXcGJjWucKBJcK Z0kfA3wgZIF052Uu2LQl0+G8TTrdzCk5zrJTYAGh4c8QGLyR+49bLgFBCc/xEGFxdC260r/2 TpmxHwovzLiYD79jbsk0voq7hGktrozdVOQOSKl8guMz3pziq4eYh7XLWGnTYt5MWi8kwjnt Xgqwope+5z93TSVGeopgaF4Xiv7B8er1vZjXOIi3rqpsL0ABggDdBauI5fehzFr2I9odBVys twriGknqsSKSmFsDX25tDOWR0vvFGzu2AenekaiGEaeZcCaYVWsZcU8CpuYdU99WPBmcUa+d tVfYbhDcVtABWnhrfizzBSKemXLzAO99G9MxA/U4KuomNrdTtCvjYlLYQk7ws9HdQGOtl5Dq 3/Q9pVfPsldL5oUYttQOgGWse5EWrLXFbFN3+TO03uEOUdN2vKsIOf2sR92AiGQu1+8HIJou W2bHpI8WopP07+A8yH25NGthjLXWWmRDzojsVT/YJwtLHwTKfidXTrciFkr+Kw5/EERsHLUf e6P5xbR/flMGv1AI5MmwnzQYNbJ3USWNAc/tw7R1WNqMTWLZCCjJ2STN/DYL72VTo0UGL2BX UOGDD1OcVb90iuHmT1hRDAMkmdDnAXPagAZZQy09Jju7TlbLc8wzT9oW7Jlv2jOHlFrrE8el d4Lffujr67zFPGj1r10w==
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHY+iEUvJBYB0FmNEu7gTGG+j5kxa5C56gAgABdHwA=
- Thread-topic: [PATCH 1/4] xen: Introduce non-broken hypercalls for the paging mempool size
On 17/11/2022 10:18, Jan Beulich wrote:
> On 17.11.2022 02:08, Andrew Cooper wrote:
>> The existing XEN_DOMCTL_SHADOW_OP_{GET,SET}_ALLOCATION have problems:
>>
>> * All set_allocation() flavours have an overflow-before-widen bug when
>> calculating "sc->mb << (20 - PAGE_SHIFT)".
>> * All flavours have a granularity of 1M. This was tolerable when the size
>> of
>> the pool could only be set at the same granularity, but is broken now that
>> ARM has a 16-page stopgap allocation in use.
>> * All get_allocation() flavours round up, and in particular turn 0 into 1,
>> meaning the get op returns junk before a successful set op.
>> * The x86 flavours reject the hypercalls before the VM has vCPUs allocated,
>> despite the pool size being a domain property.
>> * Even the hypercall names are long-obsolete.
>>
>> Implement a better interface, which can be first used to unit test the
>> behaviour, and subsequently correct a broken implementation. The old
>> interface will be retired in due course.
>>
>> The unit of bytes (as opposed pages) is a deliberate API/ABI improvement to
>> more easily support multiple page granularities.
>>
>> This is part of XSA-409 / CVE-2022-33747.
> While I'm not convinced of this attribution, ...
I think this very much depends on how critical the unit test is deemed.
If this was done the first time around, it would all have had
attribution. We're on the 3rd set of fixes, and the unit test is a key
justification of the safety of the fix.
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> Release-acked-by: Henry Wang <Henry.Wang@xxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> # hypervisor
Thanks.
> albeit with remarks:
>
>> --- a/xen/arch/x86/mm/paging.c
>> +++ b/xen/arch/x86/mm/paging.c
>> @@ -977,6 +977,49 @@ int __init paging_set_allocation(struct domain *d,
>> unsigned int pages,
>> }
>> #endif
>>
>> +int arch_get_paging_mempool_size(struct domain *d, uint64_t *size)
>> +{
>> + int rc;
>> +
>> + if ( is_pv_domain(d) ) /* TODO: Relax in due course */
>> + return -EOPNOTSUPP;
> I guess this is merely for symmetry with ...
>
>> +int arch_set_paging_mempool_size(struct domain *d, uint64_t size)
>> +{
>> + unsigned long pages = size >> PAGE_SHIFT;
>> + bool preempted = false;
>> + int rc;
>> +
>> + if ( is_pv_domain(d) ) /* TODO: Relax in due course */
>> + return -EOPNOTSUPP;
> ... this, since otherwise "get" ought to be fine for PV?
Its the safest course of action, given other known issues with PV.
There's no need for a working get without a working set.
>
>> @@ -946,6 +949,22 @@ struct xen_domctl_cacheflush {
>> xen_pfn_t start_pfn, nr_pfns;
>> };
>>
>> +/*
>> + * XEN_DOMCTL_get_paging_mempool_size / XEN_DOMCTL_set_paging_mempool_size.
>> + *
>> + * Get or set the paging memory pool size. The size is in bytes.
>> + *
>> + * This is a dedicated pool of memory for Xen to use while managing the
>> guest,
>> + * typically containing pagetables. As such, there is an implementation
>> + * specific minimum granularity.
>> + *
>> + * The set operation can fail mid-way through the request (e.g. Xen running
>> + * out of memory, no free memory to reclaim from the pool, etc.).
>> + */
>> +struct xen_domctl_paging_mempool {
>> + uint64_aligned_t size; /* IN/OUT. Size in bytes. */
> While likely people will correctly infer what is meant, strictly speaking
> this is wrong: The field is IN for "set" and OUT for "get".
I'll drop them, to reduce any possible confusion. As you say, the
meaning is entirely clear.
~Andrew
|