[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.

To: hongyax@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Julien Grall <julien.grall@xxxxxxx>
Date: Thu, 26 Sep 2019 13:05:03 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Thu, 26 Sep 2019 12:05:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 9/26/19 11:45 AM, hongyax@xxxxxxxxxx wrote:

On 26/09/2019 11:23, Julien Grall wrote:

Hi,
NIT: we don't usually add full stop at the end of the title. Thisapplies for the rest of the series.


Thanks.


On 9/26/19 10:46 AM, hongyax@xxxxxxxxxx wrote:

From: Hongyan Xia <hongyax@xxxxxxxxxx>

Not unmapping pages after map_xen_pagetable can leak the virtual address
space over time. Also this fix makes vmap_to_mfn non-trivial to be a
macro. There might be better options but move it into vmap.c for now.

Signed-off-by: Hongyan Xia <hongyax@xxxxxxxxxx>
---
  xen/arch/x86/mm.c          |  5 +----
  xen/common/vmap.c          | 13 +++++++++++++
  xen/include/asm-arm/mm.h   |  2 --
  xen/include/asm-x86/page.h |  2 --
  xen/include/xen/vmap.h     |  3 +++
  5 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index b2b2edbed1..145c5ab47c 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -5160,6 +5160,7 @@ int map_pages_to_xen(
                               !(l2e_get_flags(ol2e) & _PAGE_PSE) )
                              free_xen_pagetable(l2e_get_mfn(ol2e));
                      }
+                    UNMAP_XEN_PAGETABLE(l2t);
                      free_xen_pagetable(l2t_mfn);
                  }
              }
@@ -5225,7 +5226,6 @@ int map_pages_to_xen(
                  l3e_write_atomic(pl3e,

l3e_from_mfn(l2t_mfn,__PAGE_HYPERVISOR));

                  UNMAP_XEN_PAGETABLE(l2t);
-                l2t = NULL;
              }
              if ( locking )
                  spin_unlock(&map_pgdir_lock);
@@ -5346,7 +5346,6 @@ int map_pages_to_xen(
                      l2e_write_atomic(pl2e, l2e_from_mfn(l1t_mfn,

__PAGE_HYPERVISOR));

                      UNMAP_XEN_PAGETABLE(l1t);
-                    l1t = NULL;
                  }
                  if ( locking )
                      spin_unlock(&map_pgdir_lock);

@@ -5589,7 +5588,6 @@ int modify_xen_mappings(unsigned long s,unsigned long e, unsigned int nf)

l3e_write_atomic(pl3e, l3e_from_mfn(mfn,__PAGE_HYPERVISOR));

                  UNMAP_XEN_PAGETABLE(l2t);
-                l2t = NULL;
              }
              if ( locking )
                  spin_unlock(&map_pgdir_lock);

@@ -5657,7 +5655,6 @@ int modify_xen_mappings(unsigned long s,unsigned long e, unsigned int nf)

                      l2e_write_atomic(pl2e, l2e_from_mfn(mfn,

__PAGE_HYPERVISOR));

                      UNMAP_XEN_PAGETABLE(l1t);
-                    l1t = NULL;
                  }
                  if ( locking )
                      spin_unlock(&map_pgdir_lock);
diff --git a/xen/common/vmap.c b/xen/common/vmap.c
index faebc1ddf1..fcdb8495c8 100644
--- a/xen/common/vmap.c
+++ b/xen/common/vmap.c

@@ -19,6 +19,19 @@ static unsigned int __read_mostlyvm_end[VMAP_REGION_NR];

  /* lowest known clear bit in the bitmap */
  static unsigned int vm_low[VMAP_REGION_NR];
+mfn_t vmap_to_mfn(void *va)
+{
+    l1_pgentry_t *pl1e = virt_to_xen_l1e((unsigned long)(va));
+    mfn_t ret = _mfn(l1e_get_pfn(*pl1e));


We already

+    unmap_xen_pagetable(pl1e);

My knowledge of the x86 port is quite limited, but this feelssuspicious to see an unmap in a function call vmap_to_mfn(). Wheredoes is the map done?

Furthermore, this is not going to compile on Arm. You probably want toimplement this function in x86 code and keep the currentimplementation for Arm.

Without the direct map, Xen page tables are accessed after mapping theminto the address space with map_domain_page(), and unmapped when done.To read the l1e for the vmap, the page the l1e is in is first mapped,then the mfn is read, then the page is unmapped.

I am afraid I still don't understand. Maybe it will become clearer oncethe branch is provided.

Can you provide the exact call path where the correspondingmap_domain_page will be done. Is is done by virt_to_xen_l1e()?

This series is based on 60 patches from Wei, so he might also be able tocomment more on the details.


So is this a leak introduced by Wei's series?

Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [RFC PATCH 00/84] Remove direct map from Xen
  - From: hongyax
- [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.
  - From: hongyax
- Re: [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.
  - From: Julien Grall
- Re: [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.
  - From: hongyax

Prev by Date: Re: [Xen-devel] [RFC PATCH 00/84] Remove direct map from Xen
Next by Date: Re: [Xen-devel] [PATCH] iommu: avoid triggering ASSERT_UNREACHABLE() on ARM...
Previous by thread: Re: [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.
Next by thread: Re: [Xen-devel] [RFC PATCH 58/84] x86/mm: fix leaks in map_xen_pagetable.
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.