Xen project Mailing List

Re: [PATCH] memory: overlapping XENMAPSPACE_gmfn_range requests

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 15 Dec 2025 15:17:08 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 15 Dec 2025 14:17:17 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 15.12.2025 13:46, Andrew Cooper wrote: > On 15/12/2025 11:22 am, Jan Beulich wrote: >> Overlapping requests may need processing backwards, or else the intended >> effect wouldn't be achieved (and instead some pages would be moved more >> than once). >> >> Also covers XEN_DMOP_relocate_memory, where the potential issue was first >> noticed. >> >> Fixes: a04811a315e0 ("mm: New XENMEM space, XENMAPSPACE_gmfn_range") >> Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >> --- >> Of course an alternative would be to simply reject overlapping requests. >> Then we should reject all overlaps though, I think. But since the code >> change didn't end up overly intrusive, I thought I would go the "fix it" >> route first. >> >> In-place moves (->idx == ->gpfn) are effectively no-ops, but we don't look >> to short-circuit them for XENMAPSPACE_gmfn, so they're not short-circuited >> here either. > > Maybe we should short-circuit them. I can't think of anything good that > will come of having redundant TLB/IOTLB flushing. At the best it's a > waste of time, and at the worst it covers up bugs. I can do so (in a prereq change). In fact I first had the short-circuiting, but then remembered that in (somewhat) similar situations elsewhere you didn't like me doing such. >> --- a/xen/common/memory.c >> +++ b/xen/common/memory.c >> @@ -849,7 +849,7 @@ int xenmem_add_to_physmap(struct domain >> unsigned int start) >> { >> unsigned int done = 0; >> - long rc = 0; >> + long rc = 0, adjust = 1; >> union add_to_physmap_extra extra = {}; >> struct page_info *pages[16]; >> >> @@ -884,8 +884,25 @@ int xenmem_add_to_physmap(struct domain >> return -EOVERFLOW; >> } >> >> - xatp->idx += start; >> - xatp->gpfn += start; >> + /* >> + * Overlapping ranges need processing backwards when destination is >> above >> + * source. >> + */ >> + if ( xatp->gpfn > xatp->idx && >> + unlikely(xatp->gpfn < xatp->idx + xatp->size) ) >> + { >> + adjust = -1; >> + >> + /* Both fields store "next item to process". */ >> + xatp->idx += xatp->size - start - 1; >> + xatp->gpfn += xatp->size - start - 1; >> + } >> + else >> + { >> + xatp->idx += start; >> + xatp->gpfn += start; >> + } > > These fields get written back during continuations. I double-checked yet again, but no, I don't think so. > XEN_DMOP_relocate_memory will corrupt itself, given the expectation that > 'done' only moves forwards. This, otoh, I really need to fix. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.