[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{, _ENTRY} uses

To: Jan Beulich <JBeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxx>
Date: Tue, 12 Dec 2017 17:50:01 +0000
Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, tamas@xxxxxxxxxxxxx, Tim Deegan <tim@xxxxxxx>
Delivery-date: Tue, 12 Dec 2017 17:50:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 12/12/2017 03:08 PM, Jan Beulich wrote:
> Stop open-coding SHARED_M2P() and drop a pointless use of it from
> paging_mfn_is_dirty() (!VALID_M2P() is a superset of SHARED_M2P()) and
> another one from free_page_type() (prior assertions render this
> redundant).
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -2371,9 +2371,7 @@ int free_page_type(struct page_info *pag
>  
>          gmfn = mfn_to_gmfn(owner, mfn_x(page_to_mfn(page)));
>          ASSERT(VALID_M2P(gmfn));
> -        /* Page sharing not supported for shadowed domains */
> -        if(!SHARED_M2P(gmfn))
> -            shadow_remove_all_shadows(owner, _mfn(gmfn));
> +        shadow_remove_all_shadows(owner, _mfn(gmfn));

But that's an ASSERT(), not a BUG_ON().  Code after an ASSERT() needs to
make sure that if it turns out to be false in a non-debug run, nothing
worse than a BUG() will happen -- for instance, an information leak or a
privilege escalation.

xen/arch/x86/mm/shadow/common.c:sh_remove_shadows() looks up the page
struct for the mfn without checking if it's valid; so it will *probably*
end up accessing a wild pointer; at which point it would be better to
change the ASSERT(VALID_M2P()) into a BUG_ON(!VALID_M2P()).

Or, if we don't want to crash on a production box in that case, we
should leave the if() statement there.

> --- a/xen/arch/x86/mm/paging.c
> +++ b/xen/arch/x86/mm/paging.c
> @@ -369,8 +369,8 @@ int paging_mfn_is_dirty(struct domain *d
>  
>      /* We /really/ mean PFN here, even for non-translated guests. */
>      pfn = _pfn(get_gpfn_from_mfn(mfn_x(gmfn)));
> -    /* Shared pages are always read-only; invalid pages can't be dirty. */
> -    if ( unlikely(SHARED_M2P(pfn_x(pfn)) || !VALID_M2P(pfn_x(pfn))) )
> +    /* Invalid pages can't be dirty. */
> +    if ( unlikely(!VALID_M2P(pfn_x(pfn))) )
>          return 0;

Are you sure that it will always be the case in the future that
SHARED_MP2(x) implies !VALID_M2P(x)?  (This is also relevant for my
previous comment.)

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{, _ENTRY} uses
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{, _ENTRY} uses
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH 0/6] XSA-248...251 follow-up
  - From: Jan Beulich
- [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{,_ENTRY} uses
  - From: Jan Beulich

Prev by Date: [Xen-devel] [xen-unstable-smoke test] 117084: trouble: blocked/broken
Next by Date: Re: [Xen-devel] [PATCH] x86/PCI: limit the size of the 64bit BAR to 256GB
Previous by thread: [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{,_ENTRY} uses
Next by thread: Re: [Xen-devel] [PATCH 5/6] x86/mm: clean up SHARED_M2P{, _ENTRY} uses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.