Xen project Mailing List

[PATCH v2 1/6] x86/P2M: relax guarding of MMIO entries

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 2 Sep 2021 10:32:10 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=FuErrn7dPOKk18p14Eqqw0Ug5qQHJVZRhPNfvjkAXCc=; b=QqHhhd6RNunR/gm9IEcERf6hsRrZ91u49seIlwSyduy/tgvlyY9L98qBJVFOaKS2JIEkvEVJiHfmWBnqArM4yK+Er4Ub9eTn/0mjgKStW7AHEhberdHR3XraM6cmUPuPDDY5LA60qLszeodZqMhtpmwxNc3jxslCrWbMBOcthES5KwTbsp0FasEx46tvfPRR98w98OITl+F8utSupwpVPSU0F16swNPILpDJANAg4OWbzi3nyGUDGTmnTRj6f/4DYl/OHhXBaZ9cX9F8MEePiYiaDxRbw7anKMMu+X2BXdGq2b+RyJpR65p9rzVg551Kinho6UJrzSn8V71iiDGL6w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=esop9D2vOOSfKjxkqZ2QTy/dXVlj+3dCmsXtOrdkgM9Xd04dHZP1kfcLV5luhYvDUSA5pF8SG+oBfVk/uAmFTICChATsNPEZKNpCCALNnzQYiGYIOyWeMAYGoWFE77PGivScaWBk2vEil2SkqeE/wKZh+7T732+gtWPwfT/zkQwWVmxAP/CYHtsN/br42smHMGCieMO85HTfiReerk8mqA0rDKxSpDeO0khv8QJC0OcUk6K4gJtr+iQboeXhNsRb4ua2vggiPVpcmnx4vMnkw1CwRGbuQy+Mf1kWvp9r5Nvbp8Orom/+IDXPWSg3I5ySyqza17cEG5VAW3EQxqFlDw==

Authentication-results: citrix.com; dkim=none (message not signed) header.d=none;citrix.com; dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>

Delivery-date: Thu, 02 Sep 2021 08:32:20 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

One of the changes comprising the fixes for XSA-378 disallows replacing MMIO mappings by code paths not intended for this purpose. At least in the case of PVH Dom0 hitting an RMRR covered by an E820 ACPI region, this is too strict. Generally short-circuit requests establishing the same kind of mapping that's already in place, while otherwise adjusting permissions without - as before - allowing MFN or type to change. While there, also add a log message to the other domain_crash() invocation that did prevent PVH Dom0 from coming up after the XSA-378 changes. Fixes: 753cb68e6530 ("x86/p2m: guard (in particular) identity mapping entries") Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- I may have gone too far by allowing "access" to change for all special types now. --- v2: Format string and comment adjustments. Split off access accumulation. --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -958,9 +958,13 @@ guest_physmap_add_entry(struct domain *d if ( p2m_is_special(ot) ) { /* Don't permit unmapping grant/foreign/direct-MMIO this way. */ - domain_crash(d); p2m_unlock(p2m); - + printk(XENLOG_G_ERR + "%pd: GFN %#lx (%#lx,%u,%u) -> (%#lx,%u,%u) not permitted\n", + d, gfn_x(gfn) + i, + mfn_x(omfn), ot, a, + mfn_x(mfn) + i, t, p2m->default_access); + domain_crash(d); return -EPERM; } else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) @@ -1302,9 +1306,24 @@ static int set_typed_p2m_entry(struct do } if ( p2m_is_special(ot) ) { - gfn_unlock(p2m, gfn, order); - domain_crash(d); - return -EPERM; + /* Special-case (almost) identical mappings. */ + if ( !mfn_eq(mfn, omfn) || gfn_p2mt != ot ) + { + gfn_unlock(p2m, gfn, order); + printk(XENLOG_G_ERR + "%pd: GFN %#lx (%#lx,%u,%u,%u) -> (%#lx,%u,%u,%u) not permitted\n", + d, gfn_l, + mfn_x(omfn), cur_order, ot, a, + mfn_x(mfn), order, gfn_p2mt, access); + domain_crash(d); + return -EPERM; + } + + if ( access == a ) + { + gfn_unlock(p2m, gfn, order); + return 0; + } } else if ( p2m_is_ram(ot) ) {

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.