[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables

To: Julien Grall <julien@xxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Wed, 23 Dec 2020 17:35:18 +0100
Cc: hongyxia@xxxxxxxxxxxx, Julien Grall <jgrall@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Paul Durrant <paul@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 23 Dec 2020 16:35:30 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 23.12.2020 17:19, Julien Grall wrote:
> On 23/12/2020 16:15, Jan Beulich wrote:
>> On 23.12.2020 17:07, Julien Grall wrote:
>>> I think I prefer the small race introduced (the pages will still be
>>> freed) over this solution.
>>
>> The "will still be freed" is because of the 2nd round of freeing
>> you add in an earlier patch? I'd prefer to avoid the race to in
>> turn avoid that 2nd round of freeing.
> 
> The "2nd round" of freeing is necessary at least for the domain creation 
> failure case (it would be the 1rst round).
> 
> If we can avoid IOMMU page-table allocation in the domain creation path, 
> then yes I agree that we want to avoid that "2nd round". Otherwise, I 
> think it is best to take advantage of it.

Well, I'm not really certain either way here. If it's really just
VMX'es APIC access page that's the problem here, custom cleanup
of this "fallout" from VMX code would certainly be an option.
Furthermore I consider it wrong to insert this page in the IOMMU
page tables in the first place. This page overlaps with the MSI
special address range, and hence accesses will be dealt with by
interrupt remapping machinery (if enabled). If interrupt
remapping is disabled, this page should be no different for I/O
purposes than all other pages in this window - they shouldn't
be mapped at all.

Perhaps, along the lines of epte_get_entry_emt(), ept_set_entry()
should gain an is_special_page() check to prevent propagation to
the IOMMU for such pages (we can't do anything about them in
shared-page-table setups)? See also the (PV related) comment in
cleanup_page_mappings(), a few lines ahead of a respective use of
is_special_page(),

Jan

References:
- [PATCH for-4.15 0/4] xen/iommu: Collection of bug fixes for IOMMU teadorwn
  - From: Julien Grall
- [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
  - From: Julien Grall
- Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
  - From: Jan Beulich
- Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
  - From: Julien Grall
- Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
  - From: Jan Beulich
- Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
  - From: Julien Grall

Prev by Date: [PATCH 0/4] xen: domain-tracked allocations, and fault injection
Next by Date: Re: [PATCH 4/4] tools/misc: Test for fault injection
Previous by thread: Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
Next by thread: [linux-linus test] 157776: regressions - FAIL
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.