[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] gnttab: remove guest_physmap_remove_page() call from gnttab_map_frame()

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 22 Sep 2021 12:00:59 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=USClfeoc2YZ7F2ElexwdnWbKJ1U9/jdBu7bSUjnvKEE=; b=b0vZfVUXmQsPX2NYRWHwsbnk6JMqm4YvGV6uvKy7eq/650BB+rqBlz7EXA6zxVgC3k3ZecDIWtF6uNTgI4lC3sUpWs8lCi0KuWq3K6HDIDPlfy+x/G52oA8VeKzwXQnR2bDHCOWDTo3NjvWnH6zTKu6QCtQgKftCxIjE1tUYAdx/8188pH5xfRFsf3oHxJ+S2HuB47ZRxUaDhHjobvfhyGKF0/XeycN+uYl0L/nsLG/qvsmHvcuP2LU8ZRUIlcE0Rh32+5QNyjhOQ9rLPmdSQv3pLJ8cMxiWvpVekXHoJj26mF32c74NLQM5RYHe0SAL54MvV7K/pxj/19vFbGfbLQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ch1nka1NJZVi9fqPl97WeIYuMxoENPqMSstbfRZq+blIWnT5ehYddE5ZznUZyMsX+uBkyj2pAAniMCf6hTINABeFpwuPsv4DP3UP09Pu0/tMFsoJNYB6tz6eqS/pW9qtZsk0EOTJv3VnqqmStLRX3WDmU5XFmuPJ+d5LGGiCLJNQrJPzh+eJAl6a874IEGayCLxmVJbUDGKjYYqvtdfhsksoAbMsjBW518YyTO8hec5bamxCMrH49BU3r1/w6eDw8d/LnDYJf6beqPCKp5jRHkvEZ9QHNlgWOOrnF8xZI+bJloYeQfNZaP9cNKAvBTpWLFRfFoi7wNXIZXF2mgAFBg==
  • Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Wed, 22 Sep 2021 10:01:12 +0000
  • Ironport-data: A9a23:ivxB4Kz0bDDOvTzvarN6t+flwSrEfRIJ4+MujC+fZmUNrF6WrkVTy WcbDGyPbqyNNGLxfY9xOYTlpEoOuJ+DmNBnGgpvpCAxQypGp/SeCIXCJC8cHc8zwu4v7q5Dx 59DAjUVBJlsFhcwnvopW1TYhSEUOZugH9IQM8aZfHAsLeNYYH1500s7yrRj2tQAbeWRWGthh /uj+6UzB3f9s9JEGjp8B3Wr8U4HUFza4Vv0j3RmDRx5lAa2e0o9VfrzEZqZPXrgKrS4K8bhL wr1IBNVyUuCl/slIovNfr8W6STmSJaKVeSFoiI+t6RPHnGuD8H9u0o2HKN0VKtZt9mGt4Bp8 vl2q5Krc1YwBPCQmdxFdhBGMxgraMWq+JefSZS+mcmazkmAeHrw2fR+SkoxOOX0+M4uXzsIr 6ZBbmlQMFbT3Ipaw5riIgVort4kI8TxepsWp1lrzC3DDOZgSpfGK0nPzYIDh21p258fdRrYT +06bB5GT06eWhNKYwcIJLMmteaiwXaqJlW0r3rK/PFqsgA/1jdZwLXrddbYZNGObcFUhVqD4 HLL+XzjBRMXP8DZziCKmlqtme3njS79QJgVFrCz6rhtmlL77nMXIA0bUx28u/bRoky0Vs9bK kcU0jEztqV0/0uuJvH/Qhm5rXisrhMaHd1KHIUS8xqRw6DZ5wKYAGksTTNbbtEi8sgsSlQXO kShxo2zQ2Y16fvMFCzbpuz8QS6O1TY9fXc4SRQaQxA/ssDZ/d0ytkrqR8hDKfvg5jHqIg0c0 wxmvQBn2e5J1J5Vi/3ilbzUq2nz/cmSF2bZ8i2SBzj8v10jPOZJcqT1sQCz0BpWEGqOorBtV lA/ks6C5aglCZiXnURhq81cQen0u55p3NDa6GOD/qXNFRz2oBZPnqgKuVmSwXuF1e5eIlfUj Lf741852XOqFCLCgVVLj2eNNijX5fK4SYSNug/ogipmPcEqKV7vENBGTk+MxWH9+HURfVUEE c7DK66EVC9CYYw+lWbeb7pNgNcDm3FlrUuOFM+T8vhS+efHDJJjYexeawXmgyFQxP7snTg5B P4FZpPWlE0AALOhCsQVmKZKRW03wbEALcmeg+Rcd/KZIxogH2ckCvTLxqgmdZAjlKNQ/tokN FnkMqOB4Fag13DBNyuQbXVvNOHmUZpl9CppNi0wJ1e4nXMkZN/3vqsYcpI2e5gh9fBikqEoH 6VUJZ3YD6QdUCnD9hQccYL58N5oeiO0iF/cJCGiejU+IcJtHlSb5t/+cwLz3yASFS7r59Amq rit21qDE5oOTghvFujMb/erww/jtHQRgrsqDUDJPsNSaAPn940zc379ifo+IsctLxTfx2TFi 1bKUElA/eSU+t076tjEg6yAvryFKeomExoIBXTf4Ja3KTLeojipz7hfXbvaZjvaTm71pvmvP L0H0/HmPfQbt19WqI4gQa1zxKcz6taz9b9XygNoQCfCY1ixU+4yJ3CH2Y9Et7FXx68fsgyzA xrd9t5fMLSPGcXkDF9Oe1Z1MrXdjakZymvI8PA4AETm/ysmrrOIXHJbMwSIlCEAfqB+N5kow Lt5tcMbg+BlZsHG7jpSYvhoylmx
  • Ironport-hdrordr: A9a23:4c+PBqCqQSajIIvlHemo55DYdb4zR+YMi2TDsHoBLiC9E/bo8/ xG+c5x6faaslossR0b9uxoW5PhfZq/z/BICOAqVN/JMTUO01HIEKhSqafk3j38C2nf24dmpM JdmnFFeb7N5I5B/KTH3DU=
  • Ironport-sdr: s1lB/sIv8FDERjkYLpPxWCfXNtCvSh2t4dPeeb4Bc5lM5m0rnM1q6/26KMnUym0XCQPiKl/h9n dbA28Pt7SycQs0f/4f7Dwss4e8A6KpnQxNwVTV3+NVSDUMZPZmOiwiWugPn47w38EWXDuWYuEc wXqwkQEN6Ri+Lbkl72dC7ngyYj7REDO+XZXeVBarhisXsoOhg3oKG/QoL6h/xtpHA4R1sL0KzU 4UCTEQKW38Dnzw8W5J75Y5lpT/yrNyXU56CchyTclGqVabX6hD7WlkqmI328fcuDTDfvp5qkY0 kKJxpYw7Jnf+2IbHbv4Oh9RX
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Wed, Sep 22, 2021 at 11:42:30AM +0200, Jan Beulich wrote:
> On 22.09.2021 11:26, Roger Pau Monné wrote:
> > On Tue, Sep 21, 2021 at 12:12:05PM +0200, Jan Beulich wrote:
> >> On 21.09.2021 10:32, Roger Pau Monné wrote:
> >>> On Mon, Sep 20, 2021 at 05:27:17PM +0200, Jan Beulich wrote:
> >>>> On 20.09.2021 12:20, Roger Pau Monné wrote:
> >>>>> On Mon, Sep 13, 2021 at 08:41:47AM +0200, Jan Beulich wrote:
> >>>>>> --- a/xen/include/asm-arm/grant_table.h
> >>>>>> +++ b/xen/include/asm-arm/grant_table.h
> >>>>>> +        if ( gfn_eq(ogfn, INVALID_GFN) || gfn_eq(ogfn, gfn) ||        
> >>>>>>    \
> >>>>>
> >>>>> I'm slightly confused by this checks, don't you need to check for
> >>>>> gfn_eq(gfn, INVALID_GFN) (not ogfn) in order to call
> >>>>> guest_physmap_remove_page?
> >>>>
> >>>> Why? It's ogfn which gets passed to the function. And it indeed is the
> >>>> prior GFN's mapping that we want to remove here.
> >>>>
> >>>>> Or assuming that ogfn is not invalid can be used to imply a removal?
> >>>>
> >>>> That implication can be (and on x86 is) used for the incoming argument,
> >>>> i.e. "gfn". I don't think "ogfn" can serve this purpose.
> >>>
> >>> I guess I'm confused due to the ogfn checks done on the Arm side that
> >>> are not performed on x86. So on Arm you always need to explicitly
> >>> unhook the previous GFN before attempting to setup a new mapping,
> >>> while on x86 you only need to do this when it's a removal in order to
> >>> clear the entry?
> >>
> >> The difference isn't with guest_physmap_add_entry() (both x86 and
> >> Arm only insert a new mapping there), but with
> >> xenmem_add_to_physmap_one(): Arm's variant doesn't care about prior
> >> mappings. And gnttab_map_frame() gets called only from there. This
> >> is effectively what the first paragraph of the description is about.
> > 
> > OK, sorry, it wasn't clear to me from the description. Could you
> > explicitly mention in the description that the removal is moved into
> > gnttab_set_frame_gfn on Arm in order to cope with the fact that
> > xenmem_add_to_physmap_one doesn't perform it.
> 
> Well, it's not really "in order to cope" - that's true for the placement
> prior to this change as well, so not a justification for the change.
> Nevertheless I've tried to make this more clear by changing the 1st
> paragraph to:
> 
> "Without holding appropriate locks, attempting to remove a prior mapping
>  of the underlying page is pointless, as the same (or another) mapping
>  could be re-established by a parallel request on another vCPU. Move the
>  code to Arm's gnttab_set_frame_gfn(); it cannot be dropped there since
>  xenmem_add_to_physmap_one() doesn't call it either (unlike on x86). Of
>  course this new placement doesn't improve things in any way as far as
>  the security of grant status frame mappings goes (see XSA-379). Proper
>  locking would be needed here to allow status frames to be mapped
>  securely."

Thanks, this is indeed much clearer IMO:

Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Albeit I still think we need to fix Arm side to do the removal in
xenmem_add_to_physmap_one (or the x86 side to not do it).

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.