Xen project Mailing List

Re: [PATCH] memory: overlapping XENMAPSPACE_gmfn_range requests

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 15 Dec 2025 12:46:11 +0000

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JnBSn4xaXsptV87b7mB+Mcy023n3BNvH3quts1eun5k=; b=mV0L3Atwo4GSbQqwpdpQoj4lRVRCRExUP+euO0EeAi/FlElIJNy3mSE76u8opsi76rvgq/QfE0f6WBdiXFrhaEUZ8xMnuT85askQqUshYQW+ZEK1Jphs4T2AZtLsLLLDRiGHupWKVcAibY6J5khgasmsdMgI8kmKEtG/piI5FMpQjXeqwyqenTqzrK+olMfJFPrHuLCdoGRFCJVH7SYv6Y4X2NoSjZFTa8GN/4d9cHj7ZzP4TCnbqY9t21eLCEEI7DRw50+1t0IQS8qh7WskqBJYwRZqj1kn9N2Ce/hg+SapD5fFndzH8hnOHBXWP7laHqn0pi/j8A+MrYm/oUXxwA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=HLt3EYGkni1/baWVB0bj6BB6BTRqVkKw3hQL/4dBK4TqMsmlHmuCN+roDGYV3CbSNNOcPKOteYiE3pSE5Odj2MazhsleV60tUJNVCzTSV7b1Ew311AqhgbhMbNSPiwoiIX6I+aZeI1QGk2Zl3CmzlqUWo7O7TMZW30IujrxT/UXBIs3z3jb0fTYcckSYxhaQA7p1R1mzd8hGUxWALgT3Rh7NOVIuvJRCOPRP1VGsaRv2zfKEk3/EpFZ+SIWEsLD3LmIzPxmfTyZ9/R62RJCyIyJdxZUaO7ZnDAznyE0zUYk6SCJKMpeX95ezDHkGqYiFBDqKTSI58JJcbFPIv0wcxQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Mon, 15 Dec 2025 12:46:31 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 15/12/2025 11:22 am, Jan Beulich wrote: > Overlapping requests may need processing backwards, or else the intended > effect wouldn't be achieved (and instead some pages would be moved more > than once). > > Also covers XEN_DMOP_relocate_memory, where the potential issue was first > noticed. > > Fixes: a04811a315e0 ("mm: New XENMEM space, XENMAPSPACE_gmfn_range") > Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > Of course an alternative would be to simply reject overlapping requests. > Then we should reject all overlaps though, I think. But since the code > change didn't end up overly intrusive, I thought I would go the "fix it" > route first. > > In-place moves (->idx == ->gpfn) are effectively no-ops, but we don't look > to short-circuit them for XENMAPSPACE_gmfn, so they're not short-circuited > here either. Maybe we should short-circuit them. I can't think of anything good that will come of having redundant TLB/IOTLB flushing. At the best it's a waste of time, and at the worst it covers up bugs. > > --- a/xen/common/memory.c > +++ b/xen/common/memory.c > @@ -849,7 +849,7 @@ int xenmem_add_to_physmap(struct domain > unsigned int start) > { > unsigned int done = 0; > - long rc = 0; > + long rc = 0, adjust = 1; > union add_to_physmap_extra extra = {}; > struct page_info *pages[16]; > > @@ -884,8 +884,25 @@ int xenmem_add_to_physmap(struct domain > return -EOVERFLOW; > } > > - xatp->idx += start; > - xatp->gpfn += start; > + /* > + * Overlapping ranges need processing backwards when destination is above > + * source. > + */ > + if ( xatp->gpfn > xatp->idx && > + unlikely(xatp->gpfn < xatp->idx + xatp->size) ) > + { > + adjust = -1; > + > + /* Both fields store "next item to process". */ > + xatp->idx += xatp->size - start - 1; > + xatp->gpfn += xatp->size - start - 1; > + } > + else > + { > + xatp->idx += start; > + xatp->gpfn += start; > + } These fields get written back during continuations. XEN_DMOP_relocate_memory will corrupt itself, given the expectation that 'done' only moves forwards. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.