[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH RFCv2 08/15] xen/arm32: mm: Check if the virtual address is shared before updating it
On Thu, 13 May 2021, Julien Grall wrote: > On Thu, 13 May 2021, 23:32 Stefano Stabellini, <sstabellini@xxxxxxxxxx> wrote: > On Wed, 12 May 2021, Julien Grall wrote: > > Hi Stefano, > > > > On 12/05/2021 23:00, Stefano Stabellini wrote: > > > On Sun, 25 Apr 2021, Julien Grall wrote: > > > > From: Julien Grall <jgrall@xxxxxxxxxx> > > > > > > > > Only the first 2GB of the virtual address space is shared between > all > > > > the page-tables on Arm32. > > > > > > > > There is a long outstanding TODO in xen_pt_update() stating that > the > > > > function is can only work with shared mapping. Nobody has ever > called > > > ^ remove > > > > > > > the function with private mapping, however as we add more callers > > > > there is a risk to mess things up. > > > > > > > > Introduce a new define to mark the ened of the shared mappings > and use > > > ^end > > > > > > > it in xen_pt_update() to verify if the address is correct. > > > > > > > > Note that on Arm64, all the mappings are shared. Some compiler may > > > > complain about an always true check, so the new define is not > introduced > > > > for arm64 and the code is protected with an #ifdef. > > > On arm64 we could maybe define SHARED_VIRT_END to an arbitrarely > large > > > value, such as: > > > > > > #define SHARED_VIRT_END (1UL<<48) > > > > > > or: > > > > > > #define SHARED_VIRT_END DIRECTMAP_VIRT_END > > > > > > ? > > > > I thought about it but I didn't want to define to a random value... I > felt not > > define it was better. > > Yeah, I see your point: any restrictions in addressing (e.g. 48bits) > are physical address restrictions. Here we are talking about virtual > address restriction, and I don't think there are actually any > restrictions there? We could validly map something at > 0xffff_ffff_ffff_ffff. So even (1<<48) which makes sense at the physical > level, doesn't make sense in terms of virtual addresses. > > > The limit for the virtual address is 2^64. > > > > > > > Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> > > > > > > > > --- > > > > Changes in v2: > > > > - New patch > > > > --- > > > > xen/arch/arm/mm.c | 11 +++++++++-- > > > > xen/include/asm-arm/config.h | 4 ++++ > > > > 2 files changed, 13 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > > > > index 8fac24d80086..5c17cafff847 100644 > > > > --- a/xen/arch/arm/mm.c > > > > +++ b/xen/arch/arm/mm.c > > > > @@ -1275,11 +1275,18 @@ static int xen_pt_update(unsigned long > virt, > > > > * For arm32, page-tables are different on each CPUs. Yet, > they > > > > share > > > > * some common mappings. It is assumed that only common > mappings > > > > * will be modified with this function. > > > > - * > > > > - * XXX: Add a check. > > > > */ > > > > const mfn_t root = virt_to_mfn(THIS_CPU_PGTABLE); > > > > +#ifdef SHARED_VIRT_END > > > > + if ( virt > SHARED_VIRT_END || > > > > + (SHARED_VIRT_END - virt) < nr_mfns ) > > > > > > The following would be sufficient, right? > > > > > > if ( virt + nr_mfns > SHARED_VIRT_END ) > > > > This would not protect against an overflow. So I think it is best if > we keep > > my version. > > But there can be no overflow with the way SHARED_VIRT_END is defined. > > Even if SHARED_VIRT_END was defined at (1<<48) there can be no overflow. > Only if we defined SHARED_VIRT_END as 0xffff_ffff_ffff_ffff we would > have an overflow, but you wrote above that your preference is not to do > that. > > > You can have an overflow regardless the value of SHARED_VIRT_END. > > Imagine virt = 2^64 - 1 and nr_mfs = 1. The addition would result to 0. > > As a consequence the check would pass when it should not. Yes you are right, I don't know how I missed it! > One can argue that the caller will always provide sane values. However given > the simplicity of the check, this is not worth the trouble if > a caller is buggy. > > Now, the problem with SHARED_VIRT_END equals to 2^64 - 1 is not the overflow > but the compiler that may throw an error/warning for always > true check. Hence the reason of not defining SHARED_VIRT_END on arm64. OK, all checks out. Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |