Xen project Mailing List

Re: [PATCH 1/2] gnttab: remove guest_physmap_remove_page() call from gnttab_map_frame()

Date: Fri, 26 Nov 2021 09:07:04 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fObQzg7vV+qGsSkTeaEDu3xAdXwegYP7bqT4/fGJMKE=; b=BsRGQYGLbN5cbHAx1QgLZf+uL7j6eRoOka6ozy+9WWr9KLGGBTv7oEAvljgcIjtRG83Ci7Q79R328M8g6RHZVVXZK+dRqOa9Q50Q7iahRQlSGVecqLo1ZbLv4bwaCoTJwOR3TF5+xg7v9WWPgF8R4VjKzuT9RWOGyRaA9hb3ytDnNbFnvaTOWyMbgcEPLIqXE38KI3igSkS8/0y29dk713H0zfOi4Z1gGyeOWB76qkIHosGkk/nrt0GZRVpBqEGUJIw5S14o5Nl2izrBrx8dBFr+/RFgcmeiqBZT3cjwVP1PZgVG1LKdsKcreexgJILToLd+zxo+8a9ANJyv0aJIDw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VZqTDVjFdpbEW64XeAUFRsMOqTQjfnbuvoEUc4PRJS/eE5UtEqJlIBecaYdMW0s8lPH2oD5ZVeNxXj7BTBDmhbJsNlmID+PyMESrawbZLLK/BXED09MjRkshpFeF4ExglFRjyQ+Ueo6PmkIV85RmfxVr6i3otNe5L8jySACM9N/zdfLovdaCffX1ESgMCQ4YqJUEzK2dFHseuNhwGPH+H6uuhVeDetyYcB9LV6UXxwZBd80V74nm2RABIFjA/HH5R+l2OdIs8cB9CFm99Kz3Ibln0h3f4ezUKGWG/3/IHG9Po3pxMi7GulZcmbleoKpX2xVBDaKlYFkxK+q/fUwAIQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 26 Nov 2021 08:07:55 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 25.11.2021 17:37, Julien Grall wrote: > On 13/09/2021 07:41, Jan Beulich wrote: >> Without holding appropriate locks, attempting to remove a prior mapping >> of the underlying page is pointless, as the same (or another) mapping >> could be re-established by a parallel request on another vCPU. Move the >> code to Arm's gnttab_set_frame_gfn(). Of course this new placement >> doesn't improve things in any way as far as the security of grant status >> frame mappings goes (see XSA-379). Proper locking would be needed here >> to allow status frames to be mapped securely. >> >> In turn this then requires replacing the other use in >> gnttab_unpopulate_status_frames(), which yet in turn requires adjusting >> x86's gnttab_set_frame_gfn(). Note that with proper locking inside >> guest_physmap_remove_page() combined with checking the GFN's mapping >> there against the passed in MFN, there then is no issue with the >> involved multiple gnttab_set_frame_gfn()-s potentially returning varying > > Do you mean gnttab_get_frame_gfn()? No, I don't think so; I do mean gnttab_set_frame_gfn(). Its return value directs the caller to do (or not) certain things. >> --- a/xen/include/asm-arm/grant_table.h >> +++ b/xen/include/asm-arm/grant_table.h >> @@ -71,11 +71,17 @@ int replace_grant_host_mapping(unsigned >> XFREE((gt)->arch.status_gfn); \ >> } while ( 0 ) >> >> -#define gnttab_set_frame_gfn(gt, st, idx, gfn) \ >> - do { \ >> - ((st) ? (gt)->arch.status_gfn : (gt)->arch.shared_gfn)[idx] = \ >> - (gfn); \ >> - } while ( 0 ) >> +#define gnttab_set_frame_gfn(gt, st, idx, gfn, mfn) \ >> + ({ \ >> + int rc_ = 0; \ >> + gfn_t ogfn = gnttab_get_frame_gfn(gt, st, idx); \ >> + if ( gfn_eq(ogfn, INVALID_GFN) || gfn_eq(ogfn, gfn) || \ >> + (rc_ = guest_physmap_remove_page((gt)->domain, ogfn, mfn, \ >> + 0)) == 0 ) \ >> + ((st) ? (gt)->arch.status_gfn \ >> + : (gt)->arch.shared_gfn)[idx] = (gfn); \ >> + rc_; \ >> + }) > > I think using a function would make it a bit easier to understand what > it does. I can convert it, but it's not very likely that it would be possible to make it an inline one. Not sure whether that's then still desirable. > However... The naming of the function is now quite confusing. The more > on x86... > >> >> #define gnttab_get_frame_gfn(gt, st, idx) ({ \ >> (st) ? gnttab_status_gfn(NULL, gt, idx) \ >> --- a/xen/include/asm-x86/grant_table.h >> +++ b/xen/include/asm-x86/grant_table.h >> @@ -37,7 +37,12 @@ static inline int replace_grant_host_map >> >> #define gnttab_init_arch(gt) 0 >> #define gnttab_destroy_arch(gt) do {} while ( 0 ) >> -#define gnttab_set_frame_gfn(gt, st, idx, gfn) do {} while ( 0 ) >> +#define gnttab_set_frame_gfn(gt, st, idx, gfn, mfn) \ >> + (gfn_eq(gfn, INVALID_GFN) \ >> + ? guest_physmap_remove_page((gt)->domain, \ >> + gnttab_get_frame_gfn(gt, st, idx), \ >> + mfn, 0) \ >> + : 0 /* Handled in add_to_physmap_one(). */) > > ... it will end up to remove the mapping. I don't have a better name at > the moment. However I think this would deserve some documentation in the > code so one can understand how to implement it for another arch. Hmm, perhaps. But wouldn't we better document the final behavior (i.e. once the remaining Arm issue got addressed)? That may then also lead to overall simpler code, ideally with more suitable names (if the present ones are deemed unsuitable, which I'm not convinced of). Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.