From 028ae70bb69992617582dcafbe06da0e176c92cd Mon Sep 17 00:00:00 2001 From: George Dunlap Date: Mon, 23 Dec 2019 17:21:33 +0000 Subject: [PATCH 2/4] x86/altp2m: Restrict MAX_EPTP to hap.c Right now we have two altp2m structures hanging off arch_domain: altp2m_eptp, which is hardware-based and points to a page with 512 ept pointers, and altp2m_p2m, which is currently limited to 10 as a fairly arbitrary way of balancing performance, space, and usability. altp2m indexes are used as index values to both, meaning the only safe option is to check guest-supplied indexes against both. This is a bit redundant, however, as MAX_ALTP2M must always be <= MAX_EPTP. Move MAX_EPTP to hap.c, where the array is initialized; and add BUILD_BUG_ON() asserting that MAX_ALTP2M < MAX_EPTP. Then, elsewhere, it will always be safe to check guest-supplied indexes against MAX_ALTP2M. Signed-off-by: George Dunlap --- xen/arch/x86/mm/hap/hap.c | 3 +++ xen/include/asm-x86/domain.h | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index 3d93f3451c..69159c689e 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -488,6 +488,9 @@ int hap_enable(struct domain *d, u32 mode) goto out; } +#define MAX_EPTP (PAGE_SIZE / sizeof(uint64_t)) + BUILD_BUG_ON(MAX_ALTP2M > MAX_EPTP); + for ( i = 0; i < MAX_EPTP; i++ ) d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN); diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h index 3780287e7e..c46fb54d7e 100644 --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h @@ -240,7 +240,6 @@ struct paging_vcpu { #define MAX_ALTP2M 10 /* arbitrary */ #define INVALID_ALTP2M 0xffff -#define MAX_EPTP (PAGE_SIZE / sizeof(uint64_t)) struct p2m_domain; struct time_scale { int shift; -- 2.24.0
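Review bot: in the hap.c hunk, `BUILD_BUG_ON(MAX_ALTP2M > MAX_EPTP);` enforces MAX_ALTP2M <= MAX_EPTP, while the commit message describes the assertion as "MAX_ALTP2M < MAX_EPTP" one sentence after stating the requirement as "<=". Please make the message match the code, since the message is what later readers will rely on when they decide a bounds check against MAX_ALTP2M alone is sufficient. Separately, the `#define MAX_EPTP` sits in the middle of the hap_enable() body with no `#undef`, so it stays visible for the rest of hap.c. Either move it to the top of the file with a short comment saying it is the number of EPTP entries in the altp2m_eptp page, or `#undef` it right after the initialisation loop so the name cannot be picked up by later code as an index bound.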
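Review bot: in the domain.h hunk, once the `MAX_EPTP` line is removed the header documents MAX_ALTP2M only as `/* arbitrary */`, and nothing at the definition tells a reader that the value is constrained by the size of the EPTP page or that it is now the single bound for guest-supplied altp2m indexes. Suggest extending the comment on `#define MAX_ALTP2M 10` to say that it must not exceed the number of entries in the altp2m_eptp page (enforced by the BUILD_BUG_ON in hap_enable()) and that indexes into both altp2m_eptp and altp2m_p2m are to be checked against it. Also worth confirming in the series that no file other than hap.c still uses MAX_EPTP, as removing it from the shared header would break those users at build time.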