[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v2 2/2] p2m: split mem_access into separate files
This patch relocates mem_access components that are currently mixed with p2m code into separate files. This better aligns the code with similar subsystems, such as mem_sharing and mem_paging, which are already in separate files. There are no code-changes introduced, the patch is mechanical code movement. On ARM we also relocate the static inline gfn_next_boundary function to p2m.h as it is a function the mem_access code needs access to. Signed-off-by: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx> Acked-by: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx> --- Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx> Cc: Julien Grall <julien.grall@xxxxxxx> Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Cc: George Dunlap <george.dunlap@xxxxxxxxxxxxx> v2: Don't move ARM radix tree functions Include asm/mem_accesss.h in xen/mem_access.h --- MAINTAINERS | 2 + xen/arch/arm/Makefile | 1 + xen/arch/arm/mem_access.c | 431 ++++++++++++++++++++++++++++++++++++ xen/arch/arm/p2m.c | 414 +---------------------------------- xen/arch/arm/traps.c | 1 + xen/arch/x86/mm/Makefile | 1 + xen/arch/x86/mm/mem_access.c | 462 +++++++++++++++++++++++++++++++++++++++ xen/arch/x86/mm/p2m.c | 421 ----------------------------------- xen/arch/x86/vm_event.c | 3 +- xen/common/mem_access.c | 2 +- xen/include/asm-arm/mem_access.h | 53 +++++ xen/include/asm-arm/p2m.h | 31 ++- xen/include/asm-x86/mem_access.h | 61 ++++++ xen/include/asm-x86/p2m.h | 24 +- xen/include/xen/mem_access.h | 67 +++++- xen/include/xen/p2m-common.h | 52 ----- 16 files changed, 1089 insertions(+), 937 deletions(-) create mode 100644 xen/arch/arm/mem_access.c create mode 100644 xen/arch/x86/mm/mem_access.c create mode 100644 xen/include/asm-arm/mem_access.h create mode 100644 xen/include/asm-x86/mem_access.h diff --git a/MAINTAINERS b/MAINTAINERS index f0d0202..fb26be3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -402,6 +402,8 @@ S: Supported F: tools/tests/xen-access F: xen/arch/*/monitor.c F: xen/arch/*/vm_event.c +F: xen/arch/arm/mem_access.c +F: xen/arch/x86/mm/mem_access.c F: xen/arch/x86/hvm/monitor.c F: xen/common/mem_access.c F: xen/common/monitor.c diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile index da39d39..b095e8a 100644 --- a/xen/arch/arm/Makefile +++ b/xen/arch/arm/Makefile @@ -24,6 +24,7 @@ obj-y += io.o obj-y += irq.o obj-y += kernel.o obj-$(CONFIG_LIVEPATCH) += livepatch.o +obj-y += mem_access.o obj-y += mm.o obj-y += monitor.o obj-y += p2m.o diff --git a/xen/arch/arm/mem_access.c b/xen/arch/arm/mem_access.c new file mode 100644 index 0000000..a6e5bcd --- /dev/null +++ b/xen/arch/arm/mem_access.c @@ -0,0 +1,431 @@ +/* + * arch/arm/mem_access.c + * + * Architecture-specific mem_access handling routines + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public + * License v2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public + * License along with this program; If not, see <http://www.gnu.org/licenses/>. + */ + +#include <xen/config.h> +#include <xen/mem_access.h> +#include <xen/monitor.h> +#include <xen/sched.h> +#include <xen/vm_event.h> +#include <public/vm_event.h> +#include <asm/event.h> + +static int __p2m_get_mem_access(struct domain *d, gfn_t gfn, + xenmem_access_t *access) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d); + void *i; + unsigned int index; + + static const xenmem_access_t memaccess[] = { +#define ACCESS(ac) [p2m_access_##ac] = XENMEM_access_##ac + ACCESS(n), + ACCESS(r), + ACCESS(w), + ACCESS(rw), + ACCESS(x), + ACCESS(rx), + ACCESS(wx), + ACCESS(rwx), + ACCESS(rx2rw), + ACCESS(n2rwx), +#undef ACCESS + }; + + ASSERT(p2m_is_locked(p2m)); + + /* If no setting was ever set, just return rwx. */ + if ( !p2m->mem_access_enabled ) + { + *access = XENMEM_access_rwx; + return 0; + } + + /* If request to get default access. */ + if ( gfn_eq(gfn, INVALID_GFN) ) + { + *access = memaccess[p2m->default_access]; + return 0; + } + + i = radix_tree_lookup(&p2m->mem_access_settings, gfn_x(gfn)); + + if ( !i ) + { + /* + * No setting was found in the Radix tree. Check if the + * entry exists in the page-tables. + */ + mfn_t mfn = p2m_get_entry(p2m, gfn, NULL, NULL, NULL); + + if ( mfn_eq(mfn, INVALID_MFN) ) + return -ESRCH; + + /* If entry exists then its rwx. */ + *access = XENMEM_access_rwx; + } + else + { + /* Setting was found in the Radix tree. */ + index = radix_tree_ptr_to_int(i); + if ( index >= ARRAY_SIZE(memaccess) ) + return -ERANGE; + + *access = memaccess[index]; + } + + return 0; +} + +/* + * If mem_access is in use it might have been the reason why get_page_from_gva + * failed to fetch the page, as it uses the MMU for the permission checking. + * Only in these cases we do a software-based type check and fetch the page if + * we indeed found a conflicting mem_access setting. + */ +struct page_info* +p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, + const struct vcpu *v) +{ + long rc; + paddr_t ipa; + gfn_t gfn; + mfn_t mfn; + xenmem_access_t xma; + p2m_type_t t; + struct page_info *page = NULL; + struct p2m_domain *p2m = &v->domain->arch.p2m; + + rc = gva_to_ipa(gva, &ipa, flag); + if ( rc < 0 ) + goto err; + + gfn = _gfn(paddr_to_pfn(ipa)); + + /* + * We do this first as this is faster in the default case when no + * permission is set on the page. + */ + rc = __p2m_get_mem_access(v->domain, gfn, &xma); + if ( rc < 0 ) + goto err; + + /* Let's check if mem_access limited the access. */ + switch ( xma ) + { + default: + case XENMEM_access_rwx: + case XENMEM_access_rw: + /* + * If mem_access contains no rw perm restrictions at all then the original + * fault was correct. + */ + goto err; + case XENMEM_access_n2rwx: + case XENMEM_access_n: + case XENMEM_access_x: + /* + * If no r/w is permitted by mem_access, this was a fault caused by mem_access. + */ + break; + case XENMEM_access_wx: + case XENMEM_access_w: + /* + * If this was a read then it was because of mem_access, but if it was + * a write then the original get_page_from_gva fault was correct. + */ + if ( flag == GV2M_READ ) + break; + else + goto err; + case XENMEM_access_rx2rw: + case XENMEM_access_rx: + case XENMEM_access_r: + /* + * If this was a write then it was because of mem_access, but if it was + * a read then the original get_page_from_gva fault was correct. + */ + if ( flag == GV2M_WRITE ) + break; + else + goto err; + } + + /* + * We had a mem_access permission limiting the access, but the page type + * could also be limiting, so we need to check that as well. + */ + mfn = p2m_get_entry(p2m, gfn, &t, NULL, NULL); + if ( mfn_eq(mfn, INVALID_MFN) ) + goto err; + + if ( !mfn_valid(mfn_x(mfn)) ) + goto err; + + /* + * Base type doesn't allow r/w + */ + if ( t != p2m_ram_rw ) + goto err; + + page = mfn_to_page(mfn_x(mfn)); + + if ( unlikely(!get_page(page, v->domain)) ) + page = NULL; + +err: + return page; +} + +bool_t p2m_mem_access_check(paddr_t gpa, vaddr_t gla, const struct npfec npfec) +{ + int rc; + bool_t violation; + xenmem_access_t xma; + vm_event_request_t *req; + struct vcpu *v = current; + struct p2m_domain *p2m = p2m_get_hostp2m(v->domain); + + /* Mem_access is not in use. */ + if ( !p2m->mem_access_enabled ) + return true; + + rc = p2m_get_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), &xma); + if ( rc ) + return true; + + /* Now check for mem_access violation. */ + switch ( xma ) + { + case XENMEM_access_rwx: + violation = false; + break; + case XENMEM_access_rw: + violation = npfec.insn_fetch; + break; + case XENMEM_access_wx: + violation = npfec.read_access; + break; + case XENMEM_access_rx: + case XENMEM_access_rx2rw: + violation = npfec.write_access; + break; + case XENMEM_access_x: + violation = npfec.read_access || npfec.write_access; + break; + case XENMEM_access_w: + violation = npfec.read_access || npfec.insn_fetch; + break; + case XENMEM_access_r: + violation = npfec.write_access || npfec.insn_fetch; + break; + default: + case XENMEM_access_n: + case XENMEM_access_n2rwx: + violation = true; + break; + } + + if ( !violation ) + return true; + + /* First, handle rx2rw and n2rwx conversion automatically. */ + if ( npfec.write_access && xma == XENMEM_access_rx2rw ) + { + rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, + 0, ~0, XENMEM_access_rw, 0); + return false; + } + else if ( xma == XENMEM_access_n2rwx ) + { + rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, + 0, ~0, XENMEM_access_rwx, 0); + } + + /* Otherwise, check if there is a vm_event monitor subscriber */ + if ( !vm_event_check_ring(&v->domain->vm_event->monitor) ) + { + /* No listener */ + if ( p2m->access_required ) + { + gdprintk(XENLOG_INFO, "Memory access permissions failure, " + "no vm_event listener VCPU %d, dom %d\n", + v->vcpu_id, v->domain->domain_id); + domain_crash(v->domain); + } + else + { + /* n2rwx was already handled */ + if ( xma != XENMEM_access_n2rwx ) + { + /* A listener is not required, so clear the access + * restrictions. */ + rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, + 0, ~0, XENMEM_access_rwx, 0); + } + } + + /* No need to reinject */ + return false; + } + + req = xzalloc(vm_event_request_t); + if ( req ) + { + req->reason = VM_EVENT_REASON_MEM_ACCESS; + + /* Send request to mem access subscriber */ + req->u.mem_access.gfn = gpa >> PAGE_SHIFT; + req->u.mem_access.offset = gpa & ((1 << PAGE_SHIFT) - 1); + if ( npfec.gla_valid ) + { + req->u.mem_access.flags |= MEM_ACCESS_GLA_VALID; + req->u.mem_access.gla = gla; + + if ( npfec.kind == npfec_kind_with_gla ) + req->u.mem_access.flags |= MEM_ACCESS_FAULT_WITH_GLA; + else if ( npfec.kind == npfec_kind_in_gpt ) + req->u.mem_access.flags |= MEM_ACCESS_FAULT_IN_GPT; + } + req->u.mem_access.flags |= npfec.read_access ? MEM_ACCESS_R : 0; + req->u.mem_access.flags |= npfec.write_access ? MEM_ACCESS_W : 0; + req->u.mem_access.flags |= npfec.insn_fetch ? MEM_ACCESS_X : 0; + + if ( monitor_traps(v, (xma != XENMEM_access_n2rwx), req) < 0 ) + domain_crash(v->domain); + + xfree(req); + } + + return false; +} + +/* + * Set access type for a region of pfns. + * If gfn == INVALID_GFN, sets the default access type. + */ +long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, + uint32_t start, uint32_t mask, xenmem_access_t access, + unsigned int altp2m_idx) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d); + p2m_access_t a; + unsigned int order; + long rc = 0; + + static const p2m_access_t memaccess[] = { +#define ACCESS(ac) [XENMEM_access_##ac] = p2m_access_##ac + ACCESS(n), + ACCESS(r), + ACCESS(w), + ACCESS(rw), + ACCESS(x), + ACCESS(rx), + ACCESS(wx), + ACCESS(rwx), + ACCESS(rx2rw), + ACCESS(n2rwx), +#undef ACCESS + }; + + switch ( access ) + { + case 0 ... ARRAY_SIZE(memaccess) - 1: + a = memaccess[access]; + break; + case XENMEM_access_default: + a = p2m->default_access; + break; + default: + return -EINVAL; + } + + /* + * Flip mem_access_enabled to true when a permission is set, as to prevent + * allocating or inserting super-pages. + */ + p2m->mem_access_enabled = true; + + /* If request to set default access. */ + if ( gfn_eq(gfn, INVALID_GFN) ) + { + p2m->default_access = a; + return 0; + } + + p2m_write_lock(p2m); + + for ( gfn = gfn_add(gfn, start); nr > start; + gfn = gfn_next_boundary(gfn, order) ) + { + p2m_type_t t; + mfn_t mfn = p2m_get_entry(p2m, gfn, &t, NULL, &order); + + + if ( !mfn_eq(mfn, INVALID_MFN) ) + { + order = 0; + rc = p2m_set_entry(p2m, gfn, 1, mfn, t, a); + if ( rc ) + break; + } + + start += gfn_x(gfn_next_boundary(gfn, order)) - gfn_x(gfn); + /* Check for continuation if it is not the last iteration */ + if ( nr > start && !(start & mask) && hypercall_preempt_check() ) + { + rc = start; + break; + } + } + + p2m_write_unlock(p2m); + + return rc; +} + +long p2m_set_mem_access_multi(struct domain *d, + const XEN_GUEST_HANDLE(const_uint64) pfn_list, + const XEN_GUEST_HANDLE(const_uint8) access_list, + uint32_t nr, uint32_t start, uint32_t mask, + unsigned int altp2m_idx) +{ + /* Not yet implemented on ARM. */ + return -EOPNOTSUPP; +} + +int p2m_get_mem_access(struct domain *d, gfn_t gfn, + xenmem_access_t *access) +{ + int ret; + struct p2m_domain *p2m = p2m_get_hostp2m(d); + + p2m_read_lock(p2m); + ret = __p2m_get_mem_access(d, gfn, access); + p2m_read_unlock(p2m); + + return ret; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index 837be1d..4e7ce3d 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -7,6 +7,7 @@ #include <xen/vm_event.h> #include <xen/monitor.h> #include <xen/iocap.h> +#include <xen/mem_access.h> #include <public/vm_event.h> #include <asm/flushtlb.h> #include <asm/gic.h> @@ -58,22 +59,6 @@ static inline bool p2m_is_superpage(lpae_t pte, unsigned int level) return (level < 3) && p2m_mapping(pte); } -/* - * Return the start of the next mapping based on the order of the - * current one. - */ -static inline gfn_t gfn_next_boundary(gfn_t gfn, unsigned int order) -{ - /* - * The order corresponds to the order of the mapping (or invalid - * range) in the page table. So we need to align the GFN before - * incrementing. - */ - gfn = _gfn(gfn_x(gfn) & ~((1UL << order) - 1)); - - return gfn_add(gfn, 1UL << order); -} - static void p2m_flush_tlb(struct p2m_domain *p2m); /* Unlock the flush and do a P2M TLB flush if necessary */ @@ -602,73 +587,6 @@ static int p2m_create_table(struct p2m_domain *p2m, lpae_t *entry) return 0; } -static int __p2m_get_mem_access(struct domain *d, gfn_t gfn, - xenmem_access_t *access) -{ - struct p2m_domain *p2m = p2m_get_hostp2m(d); - void *i; - unsigned int index; - - static const xenmem_access_t memaccess[] = { -#define ACCESS(ac) [p2m_access_##ac] = XENMEM_access_##ac - ACCESS(n), - ACCESS(r), - ACCESS(w), - ACCESS(rw), - ACCESS(x), - ACCESS(rx), - ACCESS(wx), - ACCESS(rwx), - ACCESS(rx2rw), - ACCESS(n2rwx), -#undef ACCESS - }; - - ASSERT(p2m_is_locked(p2m)); - - /* If no setting was ever set, just return rwx. */ - if ( !p2m->mem_access_enabled ) - { - *access = XENMEM_access_rwx; - return 0; - } - - /* If request to get default access. */ - if ( gfn_eq(gfn, INVALID_GFN) ) - { - *access = memaccess[p2m->default_access]; - return 0; - } - - i = radix_tree_lookup(&p2m->mem_access_settings, gfn_x(gfn)); - - if ( !i ) - { - /* - * No setting was found in the Radix tree. Check if the - * entry exists in the page-tables. - */ - mfn_t mfn = p2m_get_entry(p2m, gfn, NULL, NULL, NULL); - - if ( mfn_eq(mfn, INVALID_MFN) ) - return -ESRCH; - - /* If entry exists then its rwx. */ - *access = XENMEM_access_rwx; - } - else - { - /* Setting was found in the Radix tree. */ - index = radix_tree_ptr_to_int(i); - if ( index >= ARRAY_SIZE(memaccess) ) - return -ERANGE; - - *access = memaccess[index]; - } - - return 0; -} - static int p2m_mem_access_radix_set(struct p2m_domain *p2m, gfn_t gfn, p2m_access_t a) { @@ -1454,106 +1372,6 @@ mfn_t gfn_to_mfn(struct domain *d, gfn_t gfn) return p2m_lookup(d, gfn, NULL); } -/* - * If mem_access is in use it might have been the reason why get_page_from_gva - * failed to fetch the page, as it uses the MMU for the permission checking. - * Only in these cases we do a software-based type check and fetch the page if - * we indeed found a conflicting mem_access setting. - */ -static struct page_info* -p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, - const struct vcpu *v) -{ - long rc; - paddr_t ipa; - gfn_t gfn; - mfn_t mfn; - xenmem_access_t xma; - p2m_type_t t; - struct page_info *page = NULL; - struct p2m_domain *p2m = &v->domain->arch.p2m; - - rc = gva_to_ipa(gva, &ipa, flag); - if ( rc < 0 ) - goto err; - - gfn = _gfn(paddr_to_pfn(ipa)); - - /* - * We do this first as this is faster in the default case when no - * permission is set on the page. - */ - rc = __p2m_get_mem_access(v->domain, gfn, &xma); - if ( rc < 0 ) - goto err; - - /* Let's check if mem_access limited the access. */ - switch ( xma ) - { - default: - case XENMEM_access_rwx: - case XENMEM_access_rw: - /* - * If mem_access contains no rw perm restrictions at all then the original - * fault was correct. - */ - goto err; - case XENMEM_access_n2rwx: - case XENMEM_access_n: - case XENMEM_access_x: - /* - * If no r/w is permitted by mem_access, this was a fault caused by mem_access. - */ - break; - case XENMEM_access_wx: - case XENMEM_access_w: - /* - * If this was a read then it was because of mem_access, but if it was - * a write then the original get_page_from_gva fault was correct. - */ - if ( flag == GV2M_READ ) - break; - else - goto err; - case XENMEM_access_rx2rw: - case XENMEM_access_rx: - case XENMEM_access_r: - /* - * If this was a write then it was because of mem_access, but if it was - * a read then the original get_page_from_gva fault was correct. - */ - if ( flag == GV2M_WRITE ) - break; - else - goto err; - } - - /* - * We had a mem_access permission limiting the access, but the page type - * could also be limiting, so we need to check that as well. - */ - mfn = p2m_get_entry(p2m, gfn, &t, NULL, NULL); - if ( mfn_eq(mfn, INVALID_MFN) ) - goto err; - - if ( !mfn_valid(mfn_x(mfn)) ) - goto err; - - /* - * Base type doesn't allow r/w - */ - if ( t != p2m_ram_rw ) - goto err; - - page = mfn_to_page(mfn_x(mfn)); - - if ( unlikely(!get_page(page, v->domain)) ) - page = NULL; - -err: - return page; -} - struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va, unsigned long flags) { @@ -1666,236 +1484,6 @@ void __init setup_virt_paging(void) smp_call_function(setup_virt_paging_one, (void *)val, 1); } -bool_t p2m_mem_access_check(paddr_t gpa, vaddr_t gla, const struct npfec npfec) -{ - int rc; - bool_t violation; - xenmem_access_t xma; - vm_event_request_t *req; - struct vcpu *v = current; - struct p2m_domain *p2m = p2m_get_hostp2m(v->domain); - - /* Mem_access is not in use. */ - if ( !p2m->mem_access_enabled ) - return true; - - rc = p2m_get_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), &xma); - if ( rc ) - return true; - - /* Now check for mem_access violation. */ - switch ( xma ) - { - case XENMEM_access_rwx: - violation = false; - break; - case XENMEM_access_rw: - violation = npfec.insn_fetch; - break; - case XENMEM_access_wx: - violation = npfec.read_access; - break; - case XENMEM_access_rx: - case XENMEM_access_rx2rw: - violation = npfec.write_access; - break; - case XENMEM_access_x: - violation = npfec.read_access || npfec.write_access; - break; - case XENMEM_access_w: - violation = npfec.read_access || npfec.insn_fetch; - break; - case XENMEM_access_r: - violation = npfec.write_access || npfec.insn_fetch; - break; - default: - case XENMEM_access_n: - case XENMEM_access_n2rwx: - violation = true; - break; - } - - if ( !violation ) - return true; - - /* First, handle rx2rw and n2rwx conversion automatically. */ - if ( npfec.write_access && xma == XENMEM_access_rx2rw ) - { - rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, - 0, ~0, XENMEM_access_rw, 0); - return false; - } - else if ( xma == XENMEM_access_n2rwx ) - { - rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, - 0, ~0, XENMEM_access_rwx, 0); - } - - /* Otherwise, check if there is a vm_event monitor subscriber */ - if ( !vm_event_check_ring(&v->domain->vm_event->monitor) ) - { - /* No listener */ - if ( p2m->access_required ) - { - gdprintk(XENLOG_INFO, "Memory access permissions failure, " - "no vm_event listener VCPU %d, dom %d\n", - v->vcpu_id, v->domain->domain_id); - domain_crash(v->domain); - } - else - { - /* n2rwx was already handled */ - if ( xma != XENMEM_access_n2rwx ) - { - /* A listener is not required, so clear the access - * restrictions. */ - rc = p2m_set_mem_access(v->domain, _gfn(paddr_to_pfn(gpa)), 1, - 0, ~0, XENMEM_access_rwx, 0); - } - } - - /* No need to reinject */ - return false; - } - - req = xzalloc(vm_event_request_t); - if ( req ) - { - req->reason = VM_EVENT_REASON_MEM_ACCESS; - - /* Send request to mem access subscriber */ - req->u.mem_access.gfn = gpa >> PAGE_SHIFT; - req->u.mem_access.offset = gpa & ((1 << PAGE_SHIFT) - 1); - if ( npfec.gla_valid ) - { - req->u.mem_access.flags |= MEM_ACCESS_GLA_VALID; - req->u.mem_access.gla = gla; - - if ( npfec.kind == npfec_kind_with_gla ) - req->u.mem_access.flags |= MEM_ACCESS_FAULT_WITH_GLA; - else if ( npfec.kind == npfec_kind_in_gpt ) - req->u.mem_access.flags |= MEM_ACCESS_FAULT_IN_GPT; - } - req->u.mem_access.flags |= npfec.read_access ? MEM_ACCESS_R : 0; - req->u.mem_access.flags |= npfec.write_access ? MEM_ACCESS_W : 0; - req->u.mem_access.flags |= npfec.insn_fetch ? MEM_ACCESS_X : 0; - - if ( monitor_traps(v, (xma != XENMEM_access_n2rwx), req) < 0 ) - domain_crash(v->domain); - - xfree(req); - } - - return false; -} - -/* - * Set access type for a region of pfns. - * If gfn == INVALID_GFN, sets the default access type. - */ -long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, - uint32_t start, uint32_t mask, xenmem_access_t access, - unsigned int altp2m_idx) -{ - struct p2m_domain *p2m = p2m_get_hostp2m(d); - p2m_access_t a; - unsigned int order; - long rc = 0; - - static const p2m_access_t memaccess[] = { -#define ACCESS(ac) [XENMEM_access_##ac] = p2m_access_##ac - ACCESS(n), - ACCESS(r), - ACCESS(w), - ACCESS(rw), - ACCESS(x), - ACCESS(rx), - ACCESS(wx), - ACCESS(rwx), - ACCESS(rx2rw), - ACCESS(n2rwx), -#undef ACCESS - }; - - switch ( access ) - { - case 0 ... ARRAY_SIZE(memaccess) - 1: - a = memaccess[access]; - break; - case XENMEM_access_default: - a = p2m->default_access; - break; - default: - return -EINVAL; - } - - /* - * Flip mem_access_enabled to true when a permission is set, as to prevent - * allocating or inserting super-pages. - */ - p2m->mem_access_enabled = true; - - /* If request to set default access. */ - if ( gfn_eq(gfn, INVALID_GFN) ) - { - p2m->default_access = a; - return 0; - } - - p2m_write_lock(p2m); - - for ( gfn = gfn_add(gfn, start); nr > start; - gfn = gfn_next_boundary(gfn, order) ) - { - p2m_type_t t; - mfn_t mfn = p2m_get_entry(p2m, gfn, &t, NULL, &order); - - - if ( !mfn_eq(mfn, INVALID_MFN) ) - { - order = 0; - rc = __p2m_set_entry(p2m, gfn, 0, mfn, t, a); - if ( rc ) - break; - } - - start += gfn_x(gfn_next_boundary(gfn, order)) - gfn_x(gfn); - /* Check for continuation if it is not the last iteration */ - if ( nr > start && !(start & mask) && hypercall_preempt_check() ) - { - rc = start; - break; - } - } - - p2m_write_unlock(p2m); - - return rc; -} - -long p2m_set_mem_access_multi(struct domain *d, - const XEN_GUEST_HANDLE(const_uint64) pfn_list, - const XEN_GUEST_HANDLE(const_uint8) access_list, - uint32_t nr, uint32_t start, uint32_t mask, - unsigned int altp2m_idx) -{ - /* Not yet implemented on ARM. */ - return -EOPNOTSUPP; -} - -int p2m_get_mem_access(struct domain *d, gfn_t gfn, - xenmem_access_t *access) -{ - int ret; - struct p2m_domain *p2m = p2m_get_hostp2m(d); - - p2m_read_lock(p2m); - ret = __p2m_get_mem_access(d, gfn, access); - p2m_read_unlock(p2m); - - return ret; -} - /* * Local variables: * mode: C diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 8ff73fe..f2ea083 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -32,6 +32,7 @@ #include <xen/domain_page.h> #include <xen/perfc.h> #include <xen/virtual_region.h> +#include <xen/mem_access.h> #include <public/sched.h> #include <public/xen.h> #include <asm/debugger.h> diff --git a/xen/arch/x86/mm/Makefile b/xen/arch/x86/mm/Makefile index 9804c3a..e977dd8 100644 --- a/xen/arch/x86/mm/Makefile +++ b/xen/arch/x86/mm/Makefile @@ -9,6 +9,7 @@ obj-y += guest_walk_3.o obj-y += guest_walk_4.o obj-y += mem_paging.o obj-y += mem_sharing.o +obj-y += mem_access.o guest_walk_%.o: guest_walk.c Makefile $(CC) $(CFLAGS) -DGUEST_PAGING_LEVELS=$* -c $< -o $@ diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c new file mode 100644 index 0000000..34a994d --- /dev/null +++ b/xen/arch/x86/mm/mem_access.c @@ -0,0 +1,462 @@ +/****************************************************************************** + * arch/x86/mm/mem_access.c + * + * Parts of this code are Copyright (c) 2009 by Citrix Systems, Inc. (Patrick Colp) + * Parts of this code are Copyright (c) 2007 by Advanced Micro Devices. + * Parts of this code are Copyright (c) 2006-2007 by XenSource Inc. + * Parts of this code are Copyright (c) 2006 by Michael A Fetterman + * Parts based on earlier work by Michael A Fetterman, Ian Pratt et al. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; If not, see <http://www.gnu.org/licenses/>. + */ + +#include <xen/guest_access.h> /* copy_from_guest() */ +#include <xen/mem_access.h> +#include <xen/vm_event.h> +#include <xen/event.h> +#include <public/vm_event.h> +#include <asm/p2m.h> +#include <asm/altp2m.h> +#include <asm/vm_event.h> + +#include "mm-locks.h" + +bool p2m_mem_access_emulate_check(struct vcpu *v, + const vm_event_response_t *rsp) +{ + xenmem_access_t access; + bool violation = 1; + const struct vm_event_mem_access *data = &rsp->u.mem_access; + + if ( p2m_get_mem_access(v->domain, _gfn(data->gfn), &access) == 0 ) + { + switch ( access ) + { + case XENMEM_access_n: + case XENMEM_access_n2rwx: + default: + violation = data->flags & MEM_ACCESS_RWX; + break; + + case XENMEM_access_r: + violation = data->flags & MEM_ACCESS_WX; + break; + + case XENMEM_access_w: + violation = data->flags & MEM_ACCESS_RX; + break; + + case XENMEM_access_x: + violation = data->flags & MEM_ACCESS_RW; + break; + + case XENMEM_access_rx: + case XENMEM_access_rx2rw: + violation = data->flags & MEM_ACCESS_W; + break; + + case XENMEM_access_wx: + violation = data->flags & MEM_ACCESS_R; + break; + + case XENMEM_access_rw: + violation = data->flags & MEM_ACCESS_X; + break; + + case XENMEM_access_rwx: + violation = 0; + break; + } + } + + return violation; +} + +bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, + struct npfec npfec, + vm_event_request_t **req_ptr) +{ + struct vcpu *v = current; + unsigned long gfn = gpa >> PAGE_SHIFT; + struct domain *d = v->domain; + struct p2m_domain *p2m = NULL; + mfn_t mfn; + p2m_type_t p2mt; + p2m_access_t p2ma; + vm_event_request_t *req; + int rc; + + if ( altp2m_active(d) ) + p2m = p2m_get_altp2m(v); + if ( !p2m ) + p2m = p2m_get_hostp2m(d); + + /* First, handle rx2rw conversion automatically. + * These calls to p2m->set_entry() must succeed: we have the gfn + * locked and just did a successful get_entry(). */ + gfn_lock(p2m, gfn, 0); + mfn = p2m->get_entry(p2m, gfn, &p2mt, &p2ma, 0, NULL, NULL); + + if ( npfec.write_access && p2ma == p2m_access_rx2rw ) + { + rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, p2mt, p2m_access_rw, -1); + ASSERT(rc == 0); + gfn_unlock(p2m, gfn, 0); + return 1; + } + else if ( p2ma == p2m_access_n2rwx ) + { + ASSERT(npfec.write_access || npfec.read_access || npfec.insn_fetch); + rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, + p2mt, p2m_access_rwx, -1); + ASSERT(rc == 0); + } + gfn_unlock(p2m, gfn, 0); + + /* Otherwise, check if there is a memory event listener, and send the message along */ + if ( !vm_event_check_ring(&d->vm_event->monitor) || !req_ptr ) + { + /* No listener */ + if ( p2m->access_required ) + { + gdprintk(XENLOG_INFO, "Memory access permissions failure, " + "no vm_event listener VCPU %d, dom %d\n", + v->vcpu_id, d->domain_id); + domain_crash(v->domain); + return 0; + } + else + { + gfn_lock(p2m, gfn, 0); + mfn = p2m->get_entry(p2m, gfn, &p2mt, &p2ma, 0, NULL, NULL); + if ( p2ma != p2m_access_n2rwx ) + { + /* A listener is not required, so clear the access + * restrictions. This set must succeed: we have the + * gfn locked and just did a successful get_entry(). */ + rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, + p2mt, p2m_access_rwx, -1); + ASSERT(rc == 0); + } + gfn_unlock(p2m, gfn, 0); + return 1; + } + } + + *req_ptr = NULL; + req = xzalloc(vm_event_request_t); + if ( req ) + { + *req_ptr = req; + + req->reason = VM_EVENT_REASON_MEM_ACCESS; + req->u.mem_access.gfn = gfn; + req->u.mem_access.offset = gpa & ((1 << PAGE_SHIFT) - 1); + if ( npfec.gla_valid ) + { + req->u.mem_access.flags |= MEM_ACCESS_GLA_VALID; + req->u.mem_access.gla = gla; + + if ( npfec.kind == npfec_kind_with_gla ) + req->u.mem_access.flags |= MEM_ACCESS_FAULT_WITH_GLA; + else if ( npfec.kind == npfec_kind_in_gpt ) + req->u.mem_access.flags |= MEM_ACCESS_FAULT_IN_GPT; + } + req->u.mem_access.flags |= npfec.read_access ? MEM_ACCESS_R : 0; + req->u.mem_access.flags |= npfec.write_access ? MEM_ACCESS_W : 0; + req->u.mem_access.flags |= npfec.insn_fetch ? MEM_ACCESS_X : 0; + } + + /* Return whether vCPU pause is required (aka. sync event) */ + return (p2ma != p2m_access_n2rwx); +} + +int p2m_set_altp2m_mem_access(struct domain *d, struct p2m_domain *hp2m, + struct p2m_domain *ap2m, p2m_access_t a, + gfn_t gfn) +{ + mfn_t mfn; + p2m_type_t t; + p2m_access_t old_a; + unsigned int page_order; + unsigned long gfn_l = gfn_x(gfn); + int rc; + + mfn = ap2m->get_entry(ap2m, gfn_l, &t, &old_a, 0, NULL, NULL); + + /* Check host p2m if no valid entry in alternate */ + if ( !mfn_valid(mfn_x(mfn)) ) + { + + mfn = __get_gfn_type_access(hp2m, gfn_l, &t, &old_a, + P2M_ALLOC | P2M_UNSHARE, &page_order, 0); + + rc = -ESRCH; + if ( !mfn_valid(mfn_x(mfn)) || t != p2m_ram_rw ) + return rc; + + /* If this is a superpage, copy that first */ + if ( page_order != PAGE_ORDER_4K ) + { + unsigned long mask = ~((1UL << page_order) - 1); + unsigned long gfn2_l = gfn_l & mask; + mfn_t mfn2 = _mfn(mfn_x(mfn) & mask); + + rc = ap2m->set_entry(ap2m, gfn2_l, mfn2, page_order, t, old_a, 1); + if ( rc ) + return rc; + } + } + + return ap2m->set_entry(ap2m, gfn_l, mfn, PAGE_ORDER_4K, t, a, + (current->domain != d)); +} + +static int set_mem_access(struct domain *d, struct p2m_domain *p2m, + struct p2m_domain *ap2m, p2m_access_t a, + gfn_t gfn) +{ + int rc = 0; + + if ( ap2m ) + { + rc = p2m_set_altp2m_mem_access(d, p2m, ap2m, a, gfn); + /* If the corresponding mfn is invalid we will want to just skip it */ + if ( rc == -ESRCH ) + rc = 0; + } + else + { + mfn_t mfn; + p2m_access_t _a; + p2m_type_t t; + unsigned long gfn_l = gfn_x(gfn); + + mfn = p2m->get_entry(p2m, gfn_l, &t, &_a, 0, NULL, NULL); + rc = p2m->set_entry(p2m, gfn_l, mfn, PAGE_ORDER_4K, t, a, -1); + } + + return rc; +} + +static bool xenmem_access_to_p2m_access(struct p2m_domain *p2m, + xenmem_access_t xaccess, + p2m_access_t *paccess) +{ + static const p2m_access_t memaccess[] = { +#define ACCESS(ac) [XENMEM_access_##ac] = p2m_access_##ac + ACCESS(n), + ACCESS(r), + ACCESS(w), + ACCESS(rw), + ACCESS(x), + ACCESS(rx), + ACCESS(wx), + ACCESS(rwx), + ACCESS(rx2rw), + ACCESS(n2rwx), +#undef ACCESS + }; + + switch ( xaccess ) + { + case 0 ... ARRAY_SIZE(memaccess) - 1: + *paccess = memaccess[xaccess]; + break; + case XENMEM_access_default: + *paccess = p2m->default_access; + break; + default: + return false; + } + + return true; +} + +/* + * Set access type for a region of gfns. + * If gfn == INVALID_GFN, sets the default access type. + */ +long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, + uint32_t start, uint32_t mask, xenmem_access_t access, + unsigned int altp2m_idx) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d), *ap2m = NULL; + p2m_access_t a; + unsigned long gfn_l; + long rc = 0; + + /* altp2m view 0 is treated as the hostp2m */ + if ( altp2m_idx ) + { + if ( altp2m_idx >= MAX_ALTP2M || + d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + return -EINVAL; + + ap2m = d->arch.altp2m_p2m[altp2m_idx]; + } + + if ( !xenmem_access_to_p2m_access(p2m, access, &a) ) + return -EINVAL; + + /* If request to set default access. */ + if ( gfn_eq(gfn, INVALID_GFN) ) + { + p2m->default_access = a; + return 0; + } + + p2m_lock(p2m); + if ( ap2m ) + p2m_lock(ap2m); + + for ( gfn_l = gfn_x(gfn) + start; nr > start; ++gfn_l ) + { + rc = set_mem_access(d, p2m, ap2m, a, _gfn(gfn_l)); + + if ( rc ) + break; + + /* Check for continuation if it's not the last iteration. */ + if ( nr > ++start && !(start & mask) && hypercall_preempt_check() ) + { + rc = start; + break; + } + } + + if ( ap2m ) + p2m_unlock(ap2m); + p2m_unlock(p2m); + + return rc; +} + +long p2m_set_mem_access_multi(struct domain *d, + const XEN_GUEST_HANDLE(const_uint64) pfn_list, + const XEN_GUEST_HANDLE(const_uint8) access_list, + uint32_t nr, uint32_t start, uint32_t mask, + unsigned int altp2m_idx) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d), *ap2m = NULL; + long rc = 0; + + /* altp2m view 0 is treated as the hostp2m */ + if ( altp2m_idx ) + { + if ( altp2m_idx >= MAX_ALTP2M || + d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + return -EINVAL; + + ap2m = d->arch.altp2m_p2m[altp2m_idx]; + } + + p2m_lock(p2m); + if ( ap2m ) + p2m_lock(ap2m); + + while ( start < nr ) + { + p2m_access_t a; + uint8_t access; + uint64_t gfn_l; + + if ( copy_from_guest_offset(&gfn_l, pfn_list, start, 1) || + copy_from_guest_offset(&access, access_list, start, 1) ) + { + rc = -EFAULT; + break; + } + + if ( !xenmem_access_to_p2m_access(p2m, access, &a) ) + { + rc = -EINVAL; + break; + } + + rc = set_mem_access(d, p2m, ap2m, a, _gfn(gfn_l)); + + if ( rc ) + break; + + /* Check for continuation if it's not the last iteration. */ + if ( nr > ++start && !(start & mask) && hypercall_preempt_check() ) + { + rc = start; + break; + } + } + + if ( ap2m ) + p2m_unlock(ap2m); + p2m_unlock(p2m); + + return rc; +} + +/* + * Get access type for a gfn. + * If gfn == INVALID_GFN, gets the default access type. + */ +int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access) +{ + struct p2m_domain *p2m = p2m_get_hostp2m(d); + p2m_type_t t; + p2m_access_t a; + mfn_t mfn; + + static const xenmem_access_t memaccess[] = { +#define ACCESS(ac) [p2m_access_##ac] = XENMEM_access_##ac + ACCESS(n), + ACCESS(r), + ACCESS(w), + ACCESS(rw), + ACCESS(x), + ACCESS(rx), + ACCESS(wx), + ACCESS(rwx), + ACCESS(rx2rw), + ACCESS(n2rwx), +#undef ACCESS + }; + + /* If request to get default access. */ + if ( gfn_eq(gfn, INVALID_GFN) ) + { + *access = memaccess[p2m->default_access]; + return 0; + } + + gfn_lock(p2m, gfn, 0); + mfn = p2m->get_entry(p2m, gfn_x(gfn), &t, &a, 0, NULL, NULL); + gfn_unlock(p2m, gfn, 0); + + if ( mfn_eq(mfn, INVALID_MFN) ) + return -ESRCH; + + if ( (unsigned) a >= ARRAY_SIZE(memaccess) ) + return -ERANGE; + + *access = memaccess[a]; + return 0; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 6a45185..6299d5a 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -1589,433 +1589,12 @@ void p2m_mem_paging_resume(struct domain *d, vm_event_response_t *rsp) } } -bool p2m_mem_access_emulate_check(struct vcpu *v, - const vm_event_response_t *rsp) -{ - xenmem_access_t access; - bool violation = 1; - const struct vm_event_mem_access *data = &rsp->u.mem_access; - - if ( p2m_get_mem_access(v->domain, _gfn(data->gfn), &access) == 0 ) - { - switch ( access ) - { - case XENMEM_access_n: - case XENMEM_access_n2rwx: - default: - violation = data->flags & MEM_ACCESS_RWX; - break; - - case XENMEM_access_r: - violation = data->flags & MEM_ACCESS_WX; - break; - - case XENMEM_access_w: - violation = data->flags & MEM_ACCESS_RX; - break; - - case XENMEM_access_x: - violation = data->flags & MEM_ACCESS_RW; - break; - - case XENMEM_access_rx: - case XENMEM_access_rx2rw: - violation = data->flags & MEM_ACCESS_W; - break; - - case XENMEM_access_wx: - violation = data->flags & MEM_ACCESS_R; - break; - - case XENMEM_access_rw: - violation = data->flags & MEM_ACCESS_X; - break; - - case XENMEM_access_rwx: - violation = 0; - break; - } - } - - return violation; -} - void p2m_altp2m_check(struct vcpu *v, uint16_t idx) { if ( altp2m_active(v->domain) ) p2m_switch_vcpu_altp2m_by_id(v, idx); } -bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, - struct npfec npfec, - vm_event_request_t **req_ptr) -{ - struct vcpu *v = current; - unsigned long gfn = gpa >> PAGE_SHIFT; - struct domain *d = v->domain; - struct p2m_domain *p2m = NULL; - mfn_t mfn; - p2m_type_t p2mt; - p2m_access_t p2ma; - vm_event_request_t *req; - int rc; - - if ( altp2m_active(d) ) - p2m = p2m_get_altp2m(v); - if ( !p2m ) - p2m = p2m_get_hostp2m(d); - - /* First, handle rx2rw conversion automatically. - * These calls to p2m->set_entry() must succeed: we have the gfn - * locked and just did a successful get_entry(). */ - gfn_lock(p2m, gfn, 0); - mfn = p2m->get_entry(p2m, gfn, &p2mt, &p2ma, 0, NULL, NULL); - - if ( npfec.write_access && p2ma == p2m_access_rx2rw ) - { - rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, p2mt, p2m_access_rw, -1); - ASSERT(rc == 0); - gfn_unlock(p2m, gfn, 0); - return 1; - } - else if ( p2ma == p2m_access_n2rwx ) - { - ASSERT(npfec.write_access || npfec.read_access || npfec.insn_fetch); - rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, - p2mt, p2m_access_rwx, -1); - ASSERT(rc == 0); - } - gfn_unlock(p2m, gfn, 0); - - /* Otherwise, check if there is a memory event listener, and send the message along */ - if ( !vm_event_check_ring(&d->vm_event->monitor) || !req_ptr ) - { - /* No listener */ - if ( p2m->access_required ) - { - gdprintk(XENLOG_INFO, "Memory access permissions failure, " - "no vm_event listener VCPU %d, dom %d\n", - v->vcpu_id, d->domain_id); - domain_crash(v->domain); - return 0; - } - else - { - gfn_lock(p2m, gfn, 0); - mfn = p2m->get_entry(p2m, gfn, &p2mt, &p2ma, 0, NULL, NULL); - if ( p2ma != p2m_access_n2rwx ) - { - /* A listener is not required, so clear the access - * restrictions. This set must succeed: we have the - * gfn locked and just did a successful get_entry(). */ - rc = p2m->set_entry(p2m, gfn, mfn, PAGE_ORDER_4K, - p2mt, p2m_access_rwx, -1); - ASSERT(rc == 0); - } - gfn_unlock(p2m, gfn, 0); - return 1; - } - } - - *req_ptr = NULL; - req = xzalloc(vm_event_request_t); - if ( req ) - { - *req_ptr = req; - - req->reason = VM_EVENT_REASON_MEM_ACCESS; - req->u.mem_access.gfn = gfn; - req->u.mem_access.offset = gpa & ((1 << PAGE_SHIFT) - 1); - if ( npfec.gla_valid ) - { - req->u.mem_access.flags |= MEM_ACCESS_GLA_VALID; - req->u.mem_access.gla = gla; - - if ( npfec.kind == npfec_kind_with_gla ) - req->u.mem_access.flags |= MEM_ACCESS_FAULT_WITH_GLA; - else if ( npfec.kind == npfec_kind_in_gpt ) - req->u.mem_access.flags |= MEM_ACCESS_FAULT_IN_GPT; - } - req->u.mem_access.flags |= npfec.read_access ? MEM_ACCESS_R : 0; - req->u.mem_access.flags |= npfec.write_access ? MEM_ACCESS_W : 0; - req->u.mem_access.flags |= npfec.insn_fetch ? MEM_ACCESS_X : 0; - } - - /* Return whether vCPU pause is required (aka. sync event) */ - return (p2ma != p2m_access_n2rwx); -} - -static inline -int p2m_set_altp2m_mem_access(struct domain *d, struct p2m_domain *hp2m, - struct p2m_domain *ap2m, p2m_access_t a, - gfn_t gfn) -{ - mfn_t mfn; - p2m_type_t t; - p2m_access_t old_a; - unsigned int page_order; - unsigned long gfn_l = gfn_x(gfn); - int rc; - - mfn = ap2m->get_entry(ap2m, gfn_l, &t, &old_a, 0, NULL, NULL); - - /* Check host p2m if no valid entry in alternate */ - if ( !mfn_valid(mfn) ) - { - - mfn = __get_gfn_type_access(hp2m, gfn_l, &t, &old_a, - P2M_ALLOC | P2M_UNSHARE, &page_order, 0); - - rc = -ESRCH; - if ( !mfn_valid(mfn) || t != p2m_ram_rw ) - return rc; - - /* If this is a superpage, copy that first */ - if ( page_order != PAGE_ORDER_4K ) - { - unsigned long mask = ~((1UL << page_order) - 1); - unsigned long gfn2_l = gfn_l & mask; - mfn_t mfn2 = _mfn(mfn_x(mfn) & mask); - - rc = ap2m->set_entry(ap2m, gfn2_l, mfn2, page_order, t, old_a, 1); - if ( rc ) - return rc; - } - } - - return ap2m->set_entry(ap2m, gfn_l, mfn, PAGE_ORDER_4K, t, a, - (current->domain != d)); -} - -static int set_mem_access(struct domain *d, struct p2m_domain *p2m, - struct p2m_domain *ap2m, p2m_access_t a, - gfn_t gfn) -{ - int rc = 0; - - if ( ap2m ) - { - rc = p2m_set_altp2m_mem_access(d, p2m, ap2m, a, gfn); - /* If the corresponding mfn is invalid we will want to just skip it */ - if ( rc == -ESRCH ) - rc = 0; - } - else - { - mfn_t mfn; - p2m_access_t _a; - p2m_type_t t; - unsigned long gfn_l = gfn_x(gfn); - - mfn = p2m->get_entry(p2m, gfn_l, &t, &_a, 0, NULL, NULL); - rc = p2m->set_entry(p2m, gfn_l, mfn, PAGE_ORDER_4K, t, a, -1); - } - - return rc; -} - -static bool xenmem_access_to_p2m_access(struct p2m_domain *p2m, - xenmem_access_t xaccess, - p2m_access_t *paccess) -{ - static const p2m_access_t memaccess[] = { -#define ACCESS(ac) [XENMEM_access_##ac] = p2m_access_##ac - ACCESS(n), - ACCESS(r), - ACCESS(w), - ACCESS(rw), - ACCESS(x), - ACCESS(rx), - ACCESS(wx), - ACCESS(rwx), - ACCESS(rx2rw), - ACCESS(n2rwx), -#undef ACCESS - }; - - switch ( xaccess ) - { - case 0 ... ARRAY_SIZE(memaccess) - 1: - *paccess = memaccess[xaccess]; - break; - case XENMEM_access_default: - *paccess = p2m->default_access; - break; - default: - return false; - } - - return true; -} - -/* - * Set access type for a region of gfns. - * If gfn == INVALID_GFN, sets the default access type. - */ -long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, - uint32_t start, uint32_t mask, xenmem_access_t access, - unsigned int altp2m_idx) -{ - struct p2m_domain *p2m = p2m_get_hostp2m(d), *ap2m = NULL; - p2m_access_t a; - unsigned long gfn_l; - long rc = 0; - - /* altp2m view 0 is treated as the hostp2m */ - if ( altp2m_idx ) - { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) - return -EINVAL; - - ap2m = d->arch.altp2m_p2m[altp2m_idx]; - } - - if ( !xenmem_access_to_p2m_access(p2m, access, &a) ) - return -EINVAL; - - /* If request to set default access. */ - if ( gfn_eq(gfn, INVALID_GFN) ) - { - p2m->default_access = a; - return 0; - } - - p2m_lock(p2m); - if ( ap2m ) - p2m_lock(ap2m); - - for ( gfn_l = gfn_x(gfn) + start; nr > start; ++gfn_l ) - { - rc = set_mem_access(d, p2m, ap2m, a, _gfn(gfn_l)); - - if ( rc ) - break; - - /* Check for continuation if it's not the last iteration. */ - if ( nr > ++start && !(start & mask) && hypercall_preempt_check() ) - { - rc = start; - break; - } - } - - if ( ap2m ) - p2m_unlock(ap2m); - p2m_unlock(p2m); - - return rc; -} - -long p2m_set_mem_access_multi(struct domain *d, - const XEN_GUEST_HANDLE(const_uint64) pfn_list, - const XEN_GUEST_HANDLE(const_uint8) access_list, - uint32_t nr, uint32_t start, uint32_t mask, - unsigned int altp2m_idx) -{ - struct p2m_domain *p2m = p2m_get_hostp2m(d), *ap2m = NULL; - long rc = 0; - - /* altp2m view 0 is treated as the hostp2m */ - if ( altp2m_idx ) - { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) - return -EINVAL; - - ap2m = d->arch.altp2m_p2m[altp2m_idx]; - } - - p2m_lock(p2m); - if ( ap2m ) - p2m_lock(ap2m); - - while ( start < nr ) - { - p2m_access_t a; - uint8_t access; - uint64_t gfn_l; - - if ( copy_from_guest_offset(&gfn_l, pfn_list, start, 1) || - copy_from_guest_offset(&access, access_list, start, 1) ) - { - rc = -EFAULT; - break; - } - - if ( !xenmem_access_to_p2m_access(p2m, access, &a) ) - { - rc = -EINVAL; - break; - } - - rc = set_mem_access(d, p2m, ap2m, a, _gfn(gfn_l)); - - if ( rc ) - break; - - /* Check for continuation if it's not the last iteration. */ - if ( nr > ++start && !(start & mask) && hypercall_preempt_check() ) - { - rc = start; - break; - } - } - - if ( ap2m ) - p2m_unlock(ap2m); - p2m_unlock(p2m); - - return rc; -} - -/* - * Get access type for a gfn. - * If gfn == INVALID_GFN, gets the default access type. - */ -int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access) -{ - struct p2m_domain *p2m = p2m_get_hostp2m(d); - p2m_type_t t; - p2m_access_t a; - mfn_t mfn; - - static const xenmem_access_t memaccess[] = { -#define ACCESS(ac) [p2m_access_##ac] = XENMEM_access_##ac - ACCESS(n), - ACCESS(r), - ACCESS(w), - ACCESS(rw), - ACCESS(x), - ACCESS(rx), - ACCESS(wx), - ACCESS(rwx), - ACCESS(rx2rw), - ACCESS(n2rwx), -#undef ACCESS - }; - - /* If request to get default access. */ - if ( gfn_eq(gfn, INVALID_GFN) ) - { - *access = memaccess[p2m->default_access]; - return 0; - } - - gfn_lock(p2m, gfn, 0); - mfn = p2m->get_entry(p2m, gfn_x(gfn), &t, &a, 0, NULL, NULL); - gfn_unlock(p2m, gfn, 0); - - if ( mfn_eq(mfn, INVALID_MFN) ) - return -ESRCH; - - if ( (unsigned) a >= ARRAY_SIZE(memaccess) ) - return -ERANGE; - - *access = memaccess[a]; - return 0; -} - static struct p2m_domain * p2m_getlru_nestedp2m(struct domain *d, struct p2m_domain *p2m) { diff --git a/xen/arch/x86/vm_event.c b/xen/arch/x86/vm_event.c index 1e88d67..8d8bc4a 100644 --- a/xen/arch/x86/vm_event.c +++ b/xen/arch/x86/vm_event.c @@ -18,7 +18,8 @@ * License along with this program; If not, see <http://www.gnu.org/licenses/>. */ -#include <asm/p2m.h> +#include <xen/sched.h> +#include <xen/mem_access.h> #include <asm/vm_event.h> /* Implicitly serialized by the domctl lock. */ diff --git a/xen/common/mem_access.c b/xen/common/mem_access.c index 565a320..19f63bb 100644 --- a/xen/common/mem_access.c +++ b/xen/common/mem_access.c @@ -24,8 +24,8 @@ #include <xen/guest_access.h> #include <xen/hypercall.h> #include <xen/vm_event.h> +#include <xen/mem_access.h> #include <public/memory.h> -#include <asm/p2m.h> #include <xsm/xsm.h> int mem_access_memop(unsigned long cmd, diff --git a/xen/include/asm-arm/mem_access.h b/xen/include/asm-arm/mem_access.h new file mode 100644 index 0000000..3a155f8 --- /dev/null +++ b/xen/include/asm-arm/mem_access.h @@ -0,0 +1,53 @@ +/* + * mem_access.h: architecture specific mem_access handling routines + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _ASM_ARM_MEM_ACCESS_H +#define _ASM_ARM_MEM_ACCESS_H + +static inline +bool p2m_mem_access_emulate_check(struct vcpu *v, + const vm_event_response_t *rsp) +{ + /* Not supported on ARM. */ + return 0; +} + +/* vm_event and mem_access are supported on any ARM guest */ +static inline bool_t p2m_mem_access_sanity_check(struct domain *d) +{ + return 1; +} + +/* + * Send mem event based on the access. Boolean return value indicates if trap + * needs to be injected into guest. + */ +bool_t p2m_mem_access_check(paddr_t gpa, vaddr_t gla, const struct npfec npfec); + +struct page_info* +p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, + const struct vcpu *v); + +#endif /* _ASM_ARM_MEM_ACCESS_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/include/asm-arm/p2m.h b/xen/include/asm-arm/p2m.h index fdb6b47..2b22e9a 100644 --- a/xen/include/asm-arm/p2m.h +++ b/xen/include/asm-arm/p2m.h @@ -4,6 +4,7 @@ #include <xen/mm.h> #include <xen/radix-tree.h> #include <xen/rwlock.h> +#include <xen/mem_access.h> #include <public/vm_event.h> /* for vm_event_response_t */ #include <public/memory.h> #include <xen/p2m-common.h> @@ -139,14 +140,6 @@ typedef enum { p2m_to_mask(p2m_map_foreign))) static inline -bool p2m_mem_access_emulate_check(struct vcpu *v, - const vm_event_response_t *rsp) -{ - /* Not supported on ARM. */ - return 0; -} - -static inline void p2m_altp2m_check(struct vcpu *v, uint16_t idx) { /* Not supported on ARM. */ @@ -343,22 +336,26 @@ static inline int get_page_and_type(struct page_info *page, /* get host p2m table */ #define p2m_get_hostp2m(d) (&(d)->arch.p2m) -/* vm_event and mem_access are supported on any ARM guest */ -static inline bool_t p2m_mem_access_sanity_check(struct domain *d) -{ - return 1; -} - static inline bool_t p2m_vm_event_sanity_check(struct domain *d) { return 1; } /* - * Send mem event based on the access. Boolean return value indicates if trap - * needs to be injected into guest. + * Return the start of the next mapping based on the order of the + * current one. */ -bool_t p2m_mem_access_check(paddr_t gpa, vaddr_t gla, const struct npfec npfec); +static inline gfn_t gfn_next_boundary(gfn_t gfn, unsigned int order) +{ + /* + * The order corresponds to the order of the mapping (or invalid + * range) in the page table. So we need to align the GFN before + * incrementing. + */ + gfn = _gfn(gfn_x(gfn) & ~((1UL << order) - 1)); + + return gfn_add(gfn, 1UL << order); +} #endif /* _XEN_P2M_H */ diff --git a/xen/include/asm-x86/mem_access.h b/xen/include/asm-x86/mem_access.h new file mode 100644 index 0000000..9f7b409 --- /dev/null +++ b/xen/include/asm-x86/mem_access.h @@ -0,0 +1,61 @@ +/****************************************************************************** + * include/asm-x86/mem_access.h + * + * Memory access support. + * + * Copyright (c) 2011 GridCentric Inc. (Andres Lagar-Cavilla) + * Copyright (c) 2007 Advanced Micro Devices (Wei Huang) + * Parts of this code are Copyright (c) 2006-2007 by XenSource Inc. + * Parts of this code are Copyright (c) 2006 by Michael A Fetterman + * Parts based on earlier work by Michael A Fetterman, Ian Pratt et al. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef __ASM_X86_MEM_ACCESS_H__ +#define __ASM_X86_MEM_ACCESS_H__ + +/* + * Setup vm_event request based on the access (gla is -1ull if not available). + * Handles the rw2rx conversion. Boolean return value indicates if event type + * is syncronous (aka. requires vCPU pause). If the req_ptr has been populated, + * then the caller should use monitor_traps to send the event on the MONITOR + * ring. Once having released get_gfn* locks caller must also xfree the + * request. + */ +bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, + struct npfec npfec, + vm_event_request_t **req_ptr); + +/* Check for emulation and mark vcpu for skipping one instruction + * upon rescheduling if required. */ +bool p2m_mem_access_emulate_check(struct vcpu *v, + const vm_event_response_t *rsp); + +/* Sanity check for mem_access hardware support */ +static inline bool_t p2m_mem_access_sanity_check(struct domain *d) +{ + return is_hvm_domain(d) && cpu_has_vmx && hap_enabled(d); +} + +#endif /*__ASM_X86_MEM_ACCESS_H__ */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h index 7035860..8964e90 100644 --- a/xen/include/asm-x86/p2m.h +++ b/xen/include/asm-x86/p2m.h @@ -29,6 +29,7 @@ #include <xen/config.h> #include <xen/paging.h> #include <xen/p2m-common.h> +#include <xen/mem_access.h> #include <asm/mem_sharing.h> #include <asm/page.h> /* for pagetable_t */ @@ -663,29 +664,6 @@ int p2m_mem_paging_prep(struct domain *d, unsigned long gfn, uint64_t buffer); /* Resume normal operation (in case a domain was paused) */ void p2m_mem_paging_resume(struct domain *d, vm_event_response_t *rsp); -/* - * Setup vm_event request based on the access (gla is -1ull if not available). - * Handles the rw2rx conversion. Boolean return value indicates if event type - * is syncronous (aka. requires vCPU pause). If the req_ptr has been populated, - * then the caller should use monitor_traps to send the event on the MONITOR - * ring. Once having released get_gfn* locks caller must also xfree the - * request. - */ -bool_t p2m_mem_access_check(paddr_t gpa, unsigned long gla, - struct npfec npfec, - vm_event_request_t **req_ptr); - -/* Check for emulation and mark vcpu for skipping one instruction - * upon rescheduling if required. */ -bool p2m_mem_access_emulate_check(struct vcpu *v, - const vm_event_response_t *rsp); - -/* Sanity check for mem_access hardware support */ -static inline bool_t p2m_mem_access_sanity_check(struct domain *d) -{ - return is_hvm_domain(d) && cpu_has_vmx && hap_enabled(d); -} - /* * Internal functions, only called by other p2m code */ diff --git a/xen/include/xen/mem_access.h b/xen/include/xen/mem_access.h index da36e07..5ab34c1 100644 --- a/xen/include/xen/mem_access.h +++ b/xen/include/xen/mem_access.h @@ -19,29 +19,78 @@ * along with this program; If not, see <http://www.gnu.org/licenses/>. */ -#ifndef _XEN_ASM_MEM_ACCESS_H -#define _XEN_ASM_MEM_ACCESS_H +#ifndef _XEN_MEM_ACCESS_H +#define _XEN_MEM_ACCESS_H +#include <xen/types.h> +#include <xen/mm.h> #include <public/memory.h> -#include <asm/p2m.h> +#include <public/vm_event.h> +#include <asm/mem_access.h> -#ifdef CONFIG_HAS_MEM_ACCESS +/* + * Additional access types, which are used to further restrict + * the permissions given my the p2m_type_t memory type. Violations + * caused by p2m_access_t restrictions are sent to the vm_event + * interface. + * + * The access permissions are soft state: when any ambiguous change of page + * type or use occurs, or when pages are flushed, swapped, or at any other + * convenient type, the access permissions can get reset to the p2m_domain + * default. + */ +typedef enum { + /* Code uses bottom three bits with bitmask semantics */ + p2m_access_n = 0, /* No access allowed. */ + p2m_access_r = 1 << 0, + p2m_access_w = 1 << 1, + p2m_access_x = 1 << 2, + p2m_access_rw = p2m_access_r | p2m_access_w, + p2m_access_rx = p2m_access_r | p2m_access_x, + p2m_access_wx = p2m_access_w | p2m_access_x, + p2m_access_rwx = p2m_access_r | p2m_access_w | p2m_access_x, + + p2m_access_rx2rw = 8, /* Special: page goes from RX to RW on write */ + p2m_access_n2rwx = 9, /* Special: page goes from N to RWX on access, * + * generates an event but does not pause the + * vcpu */ + + /* NOTE: Assumed to be only 4 bits right now on x86. */ +} p2m_access_t; + +/* + * Set access type for a region of gfns. + * If gfn == INVALID_GFN, sets the default access type. + */ +long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, + uint32_t start, uint32_t mask, xenmem_access_t access, + unsigned int altp2m_idx); +long p2m_set_mem_access_multi(struct domain *d, + const XEN_GUEST_HANDLE(const_uint64) pfn_list, + const XEN_GUEST_HANDLE(const_uint8) access_list, + uint32_t nr, uint32_t start, uint32_t mask, + unsigned int altp2m_idx); + +/* + * Get access type for a gfn. + * If gfn == INVALID_GFN, gets the default access type. + */ +int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access); + +#ifdef CONFIG_HAS_MEM_ACCESS int mem_access_memop(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(xen_mem_access_op_t) arg); - #else - static inline int mem_access_memop(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(xen_mem_access_op_t) arg) { return -ENOSYS; } +#endif /* CONFIG_HAS_MEM_ACCESS */ -#endif /* HAS_MEM_ACCESS */ - -#endif /* _XEN_ASM_MEM_ACCESS_H */ +#endif /* _XEN_MEM_ACCESS_H */ /* * Local variables: diff --git a/xen/include/xen/p2m-common.h b/xen/include/xen/p2m-common.h index 3be1e91..8cd5a6b 100644 --- a/xen/include/xen/p2m-common.h +++ b/xen/include/xen/p2m-common.h @@ -1,38 +1,6 @@ #ifndef _XEN_P2M_COMMON_H #define _XEN_P2M_COMMON_H -#include <public/vm_event.h> - -/* - * Additional access types, which are used to further restrict - * the permissions given my the p2m_type_t memory type. Violations - * caused by p2m_access_t restrictions are sent to the vm_event - * interface. - * - * The access permissions are soft state: when any ambiguous change of page - * type or use occurs, or when pages are flushed, swapped, or at any other - * convenient type, the access permissions can get reset to the p2m_domain - * default. - */ -typedef enum { - /* Code uses bottom three bits with bitmask semantics */ - p2m_access_n = 0, /* No access allowed. */ - p2m_access_r = 1 << 0, - p2m_access_w = 1 << 1, - p2m_access_x = 1 << 2, - p2m_access_rw = p2m_access_r | p2m_access_w, - p2m_access_rx = p2m_access_r | p2m_access_x, - p2m_access_wx = p2m_access_w | p2m_access_x, - p2m_access_rwx = p2m_access_r | p2m_access_w | p2m_access_x, - - p2m_access_rx2rw = 8, /* Special: page goes from RX to RW on write */ - p2m_access_n2rwx = 9, /* Special: page goes from N to RWX on access, * - * generates an event but does not pause the - * vcpu */ - - /* NOTE: Assumed to be only 4 bits right now on x86. */ -} p2m_access_t; - /* Map MMIO regions in the p2m: start_gfn and nr describe the range in * * the guest physical address space to map, starting from the machine * * frame number mfn. */ @@ -45,24 +13,4 @@ int unmap_mmio_regions(struct domain *d, unsigned long nr, mfn_t mfn); -/* - * Set access type for a region of gfns. - * If gfn == INVALID_GFN, sets the default access type. - */ -long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, - uint32_t start, uint32_t mask, xenmem_access_t access, - unsigned int altp2m_idx); - -long p2m_set_mem_access_multi(struct domain *d, - const XEN_GUEST_HANDLE(const_uint64) pfn_list, - const XEN_GUEST_HANDLE(const_uint8) access_list, - uint32_t nr, uint32_t start, uint32_t mask, - unsigned int altp2m_idx); - -/* - * Get access type for a gfn. - * If gfn == INVALID_GFN, gets the default access type. - */ -int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access); - #endif /* _XEN_P2M_COMMON_H */ -- 2.10.2 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |