[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] gnttab: remove guest_physmap_remove_page() call from gnttab_map_frame()

  • To: Julien Grall <julien@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 22 Sep 2021 12:47:16 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ynmh/rxar0o+sw0+7TfSuIexXq+IETrYTVj3DFqnmVk=; b=RRgJEeq6QX/CCfg36x4012XNFArQCl6xceLJew9pSFU8ysx/Bz3dVLEIutR2J8beAeJoq50AlfiBZlGK0LS9iVkeb6AncCx8i7Qz88alJC3HZY8dWcT3Uz8fm1ALu5xGeP2UpSOA+PEaANO0eDCtGUVaxaf32IO8FuBZwQY+pR3dYtyolRFbAs3TRHsQnhJXqUD+bQD2TjIrq9gnjDBjpRFryD578TSYrutAw3/CYehuvYzzYbJ4MT/Gu44PBySSG4L26zp/YBZDsZgbAGzht0Ec1o8crntcThNMNnaQuPBSVzQuxqam/UdPVJ7Hrn0QvpyymrztWiRUQXnYeoTe7w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ovk8Y+g2IzAkVJFRWbi042mReAiQNo6hebmt5b4X65O5ip+5Isa3MGCE3kVofMAMpSLrA3KFbvLYfVfo8odYI7zlNJxCemTOttNI7wyQocLAlN69SbjRK12q/fqi1tv9874l5Tl0iJ6zNjcbaWnN64qRto3TJiHPP1ciEeeMCCkgnojSFTyjW2OCMTu4UXHdBZqGD/hjgyMGcxyYn7hFTSjp/1AmgiXBvFs9t67Vw/D4BYcF3S8MAHMbyT5mtMqr5gPoTGgdjgStjusHt2UfhBpB0H/ov+CRWxnVvTXMSKCTsZX/gn+i2TO1PnCtrj/bU+FRK2EREwPI14N90lKvsg==
  • Authentication-results: kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=none action=none header.from=suse.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Wed, 22 Sep 2021 10:47:23 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 22.09.2021 12:28, Julien Grall wrote:
> Hi,
> On 22/09/2021 14:42, Jan Beulich wrote:
>> On 22.09.2021 11:26, Roger Pau Monné wrote:
>>> On Tue, Sep 21, 2021 at 12:12:05PM +0200, Jan Beulich wrote:
>>>> On 21.09.2021 10:32, Roger Pau Monné wrote:
>>>>> On Mon, Sep 20, 2021 at 05:27:17PM +0200, Jan Beulich wrote:
>>>>>> On 20.09.2021 12:20, Roger Pau Monné wrote:
>>>>>>> On Mon, Sep 13, 2021 at 08:41:47AM +0200, Jan Beulich wrote:
>>>>>>>> --- a/xen/include/asm-arm/grant_table.h
>>>>>>>> +++ b/xen/include/asm-arm/grant_table.h
>>>>>>>> +        if ( gfn_eq(ogfn, INVALID_GFN) || gfn_eq(ogfn, gfn) ||        
>>>>>>>>    \
>>>>>>> I'm slightly confused by this checks, don't you need to check for
>>>>>>> gfn_eq(gfn, INVALID_GFN) (not ogfn) in order to call
>>>>>>> guest_physmap_remove_page?
>>>>>> Why? It's ogfn which gets passed to the function. And it indeed is the
>>>>>> prior GFN's mapping that we want to remove here.
>>>>>>> Or assuming that ogfn is not invalid can be used to imply a removal?
>>>>>> That implication can be (and on x86 is) used for the incoming argument,
>>>>>> i.e. "gfn". I don't think "ogfn" can serve this purpose.
>>>>> I guess I'm confused due to the ogfn checks done on the Arm side that
>>>>> are not performed on x86. So on Arm you always need to explicitly
>>>>> unhook the previous GFN before attempting to setup a new mapping,
>>>>> while on x86 you only need to do this when it's a removal in order to
>>>>> clear the entry?
>>>> The difference isn't with guest_physmap_add_entry() (both x86 and
>>>> Arm only insert a new mapping there), but with
>>>> xenmem_add_to_physmap_one(): Arm's variant doesn't care about prior
>>>> mappings. And gnttab_map_frame() gets called only from there. This
>>>> is effectively what the first paragraph of the description is about.
>>> OK, sorry, it wasn't clear to me from the description. Could you
>>> explicitly mention in the description that the removal is moved into
>>> gnttab_set_frame_gfn on Arm in order to cope with the fact that
>>> xenmem_add_to_physmap_one doesn't perform it.
>> Well, it's not really "in order to cope" - that's true for the placement
>> prior to this change as well, so not a justification for the change.
>> Nevertheless I've tried to make this more clear by changing the 1st
>> paragraph to:
>> "Without holding appropriate locks, attempting to remove a prior mapping
>>   of the underlying page is pointless, as the same (or another) mapping
>>   could be re-established by a parallel request on another vCPU. Move the
>>   code to Arm's gnttab_set_frame_gfn(); it cannot be dropped there since
>>   xenmem_add_to_physmap_one() doesn't call it either (unlike on x86). Of
>>   course this new placement doesn't improve things in any way as far as
>>   the security of grant status frame mappings goes (see XSA-379). Proper
>>   locking would be needed here to allow status frames to be mapped
>>   securely."
>>> TBH I think it would be in our best interest to try to make
>>> xenmem_add_to_physmap_one behave as close as possible between arches.
>>> This discrepancy between x86 and Arm regarding page removal is just
>>> going to bring more trouble in the long term, and hiding the
>>> differences inside gnttab_set_frame_gfn just makes it even more
>>> obscure.
>> Stefano, Julien?
> This would be ideal as I don't particular like the approach taken in 
> this patch. But AFAICT, this would require us to implement an M2P. Or is 
> there another way to do it?

For the purpose of just XENMAPSPACE_grant_table the "restricted" M2P
(to just grant table pages), as introduced by an on-list patch, would
do afaict. That wouldn't remove all the differences between the two
implementations, but at least the one affecting the difference in how
gnttab_map_frame() needs to behave.




Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.