Xen project Mailing List

Re: [PATCH 4/5] xen/memory: Fix acquire_resource size semantics

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 31 Jul 2020 16:31:28 +0200

Cc: 'Hubert Jasudowicz' <hubert.jasudowicz@xxxxxxx>, 'Stefano Stabellini' <sstabellini@xxxxxxxxxx>, 'Julien Grall' <julien@xxxxxxx>, 'Wei Liu' <wl@xxxxxxx>, paul@xxxxxxx, 'George Dunlap' <George.Dunlap@xxxxxxxxxxxxx>, 'Konrad Rzeszutek Wilk' <konrad.wilk@xxxxxxxxxx>, 'Michał Leszczyński' <michal.leszczynski@xxxxxxx>, 'Ian Jackson' <ian.jackson@xxxxxxxxxx>, 'Xen-devel' <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 31 Jul 2020 14:31:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30.07.2020 21:46, Andrew Cooper wrote: > On 30/07/2020 09:31, Paul Durrant wrote: >>> From: Xen-devel <xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx> On Behalf Of >>> Andrew Cooper >>> Sent: 28 July 2020 12:37 >>> >>> --- a/xen/common/grant_table.c >>> +++ b/xen/common/grant_table.c >>> @@ -4013,6 +4013,25 @@ static int gnttab_get_shared_frame_mfn(struct domain >>> *d, >>> return 0; >>> } >>> >>> +unsigned int gnttab_resource_max_frames(struct domain *d, unsigned int id) >>> +{ >>> + unsigned int nr = 0; >>> + >>> + /* Don't need the grant lock. This limit is fixed at domain create >>> time. */ >>> + switch ( id ) >>> + { >>> + case XENMEM_resource_grant_table_id_shared: >>> + nr = d->grant_table->max_grant_frames; >>> + break; >>> + >>> + case XENMEM_resource_grant_table_id_status: >>> + nr = grant_to_status_frames(d->grant_table->max_grant_frames); >> Two uses of d->grant_table, so perhaps define a stack variable for it? > > Can do. > >> Also, should you not make sure 0 is returned in the case of a v1 table? > > This was the case specifically discussed in the commit message, but > perhaps it needs expanding. > > Doing so would be buggy. > > Some utility is going to query the resource size, and then try to map it > (if it doesn't blindly know the size and/or subset it cares about already). > > In between these two hypercalls from the utility, the guest can do a > v1=>v2 or v2=>v1 switch and make the resource spontaneously appear or > disappear. > > The only case where we can know for certain whether the resource is > available is when we're in the map hypercall. Therefore, userspace has > to be able to get to the map call if there is potentially a resource > available. > > The semantics of the size call are really "this resource might exist, > and if it does, this is how large it is". With you deriving from d->grant_table->max_grant_frames, this approach would imply that by obtaining a mapping the grant tables will get grown to their permitted maximum, no matter whether as much is actually needed by the guest. If this is indeed the intention, then we could as well set up maximum grant structures right at domain creation. Not something I would favor, but anyway... Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.