[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] xen/public: add comment to struct xen_mem_acquire_resource

  • To: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 8 Feb 2022 11:55:00 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3Bz3jv3JI9q31mHVOdaX+5yHINuphdteRvix91mskbI=; b=IC55PLARjWIrxj946tMnIojugT7vT4uwRKRcVMeNQy0/aE8tVglVlU3HU9kybK9t/2X0Q5HjbFZD4jHxzGRg8R9/TLXqfbSex84B/ol11EOmEZ4r9bNbRRFlfyAfpss8A1zhO/G/Ij1hMUQSnW3DIFJpAIbkIdzMCyZeVv8paHWKPeao8H36PkWkwch0e7CuIUyvq0ZGK16AsZAmVpujLa7rxgOkOu1Ps/pWk/rDYBiyU5lJ4fVxbJ8j4TUmNaPtc3iMZzi38ZxzShaIMAZoYuHALssO5rmMpFMJPznoF9i5fcIooZ691WYL3qxq3qlMS0Ep+dwOVv3pS35bQZ3waA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cqwd6xqhp+v8Qo5u7ephDkybH0VaBVFI3xIZ1aDJH9QRzhxisPXM3tBk4c3o9TXRrnXi0hBnP/EJI/kw2PlCPXB8bS31Pr0BZXi4KeoSzZWq9dDKSVU+lCS1hnskZezbwnuHVbEZrkcj4wNPPM81lMf+CM/XMb4kCykJWfPWMoUMlFEV2DPwF6n232i8/gs+DKq7oRylLw+tEk1S1D99c6ixd+cSSs4V3SccemNhEXzmnFrRWBAAHW4/yfSiymD9r7y+1+t9ImR7H7OVfEzJYwitagetbexR/sOVxu1gMleLVLdAlNg76u1P7AanMVNMPHy60Z/FrqZ3PqYW1tR6BA==
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Tue, 08 Feb 2022 11:55:14 +0000
  • Ironport-data: A9a23:+VWywKjXNM2bKV/17pFg9iScX1618BcKZh0ujC45NGQN5FlHY01je htvWzqAOKyCZDagKd0nady3oBkGuZKAxtZhSwo9rn9nQX4b9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oAMKRCQ7InQLlbGILes1htZGEk0GE/NtTo5w7Rj2tQw0YDga++wk YiaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/DaptVBoaHq 9Prl9lVyI97EyAFUbtJmp6jGqEDryW70QKm0hK6UID66vROS7BbPg/W+5PwZG8O4whlkeydx /1mhZC6TSgyIJfuv808dBQBHHgkZalvreqvzXiX6aR/zmXDenrohf5vEFs3LcsT/eMf7WNmr KJCbmpXN1ba2rzwkOnTpupE36zPKOHCOo8Ft24m5jbeFfs8GrjIQrnQ5M8e1zA17ixLNaiFO JBEOWYyBPjGSyB2PgYSC8szpcWLxV7/cD0Jg1WznZNitgA/yyQuieOwYbI5YOeiR9hRn0uej nLL+SL+GB5yHMeE1TOP/3aoh+nOtSD2QoQfEPu/7PECqEKX7nweDlsRT1TTifu2kEmlQPpEN lcZvCEpqMAa5EGtC9XwQRC8iHqFpQIHHcpdFfUg7wOAwbaS5ByWbkAGRDNcbN0ttOctWCcnk FSOmrvU6SdH6ePPDyjHr/HN8G30aXN9wXI+iTEsZjsJ6d3Mu58JrDXmb/FuSaHs1IXxMGSlq 9yVlxQWi7IWhM8N8qy0+1Hbnj6hzqT0oh4JChb/BTz8sF4gDGKxT8nxsAWAs64cRGqMZgTZ5 BA5d96iAPfi5H1nvAiEW60zEb6g/J5p2xWM0Ac0T/HNG9lAkkNPnLy8Ahkjfi+F0e5eIFcFh XM/XisLtfdu0IOCN/MfXm5II51CIVLcPdrkTOvISdFFf4J8cgSKlAk3OxLMhjG0yRZ9y/hkU Xt+TSpLJSxLYZmLMRLsH7tNuVPV7nxWKZzvqWDTkE38jOv2iI+9QrYZKlqeBt3VH4vfyDg5B +13bpPQoz0GCbWWSnCOreY7cABbRVBmVMueg5EGKYarfFE8cEl/UKC5/F/UU9E890ijvryTp S/Vt44x4AeXuEAr3i3QMi86M+60Dc8kxZ/5VAR1VWuVN7EYSd/HxI8UdoctfKlh8+pmzPVuS OICddnGCfNKIgkrMRxEBXUkhIA9JhmtmyyUOC+pPGo2c5J6HlSb8d74ZAr/siIJC3Pv58c5p rSh0CLdQIYCGFs+XJqHNqr3wgPjp2UZlcJzQ1DMfotZdnLz/dU4MCf2lPI2fZ0BcE2R2juA2 g+KKh4Evu2R8ZQt+dzEiPnc/YekGudzBGRAGGzf4erkPCXW5DP7k4RBTPyJbXbWU2atoPeuY uBczvfdNvwbnQkV79ogQugzla9nvonhvb5XyAhgDU7nVVXzB+MyOGSC0OlOqrZJmu1TtzypV x/d4dJdI7iIZp/oSQZDOAo/Y+2f/vgIgT2Ov+8tKUD36SIrrrqKVUJeY0uFhCBHdeYnNYokx aEqudIM6hz5gR0va47UgidR/mWKD3oBT6R46c1KXN610lImmgNYfJjRKi7q+5XeOdxDP34jL iKQmKef1a9XwVDPciZrGHXAtQaHaU/iZPyeIIc+Gmm0
  • Ironport-hdrordr: A9a23:yBTisqxZhUYjf6h9ASHGKrPxiOskLtp133Aq2lEZdPULSKOlfp GV8MjziyWYtN9IYgBcpTiBUJPwJE81bfZOkMcs1MSZLXXbUQyTXcBfBOrZsnLd8kjFmNK1up 0QCpSWZOeAbmSSyPyKmjVQcOxQgOVvkprY/ds2pk0FJWoBCsFdBkVCe32m+yVNNVN77PECZf 6hD7981lydkAMsH6OG7xc+Lor+juyOsKijTQ8NBhYh5gXLpyiv8qTGHx+R2Qpbey9TwJ85mF K10DDR1+GGibWW2xXc32jc49B9g9360OZOA8SKl4w8NijssAC1f45sMofy/gzd4dvfrWrCou O85CvIDP4DrU85uVvF+CcF7jOQlArGLUWSkWNwz0GT+vARDwhKdPapzbgpDCcxrXBQ4e2UmZ g7r15w/fBsfGL9tTW46N7SWx5wkE2o5XIkjO4IlnRaFZATcblLsOUkjQlo+bo7bWrHAbocYa JT5QDnlYJrWELfa2qcsnhkwdSqUHh2FhCaQlIassjQ1zRNhnh2w0YR2cRaxx47hd4AYogB4/ 6BPrVjlblIQMNTZaVhBP0ZSc/yDmDWWxrDPG+bPFyiHqAaPHDGrYLx/dwOlayXUY1NyIF3lI XKUVteu2J3c0XyCdeW1JkO6RzJSHXVZ0Wl9iif3ekOhlTRfsuYDcSzciFYryL7mYRtPiTyYY fHBK5r
  • Ironport-sdr: 8+cFhN1/Ktp1mwHod9npuu9PfsXE7Ok7Rjkj7pgViLFhIHJcOomOAMgyfUTV7xqOyScQ9K6jj2 VnpkHToJg9wr/15lEvR9Mda7MfF07aVuJwYTNtufaxwmNCHaeI5sLG4kDxpoYCtzaeRPxwTnn2 0eNOQbIaw53tsP7Qy8F/81dWSrrW1MvePvxfzAppFj8T1dShsvtq2gFXBBS39QueWR97/88XEK bOLitF94UvNUYut5pzqd6QO/Z4geIHrjLSsOx1WBZg3jRGzExU/PNj6iigcr43JwUiDnycN9Y3 8/f0RhE8UIO/dMHkbVpR0NFm
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYHL+DXP8ckdd1J06xLHRfc3g2d6yJi+WA
  • Thread-topic: [PATCH v2] xen/public: add comment to struct xen_mem_acquire_resource
On 08/02/2022 07:42, Juergen Gross wrote:
> Commit 7c7f7e8fba01 changed xen/include/public/memory.h in an incompatible
> way. Unfortunately the changed parts were already in use in the Linux
> kernel, so an update of the header in the kernel would result in a build
> breakage.
>
> As the change of above commit was in a section originally meant to be not
> stable, it was the usage in the kernel which was wrong.

While I hate to drag the argument on, this is wrong.

Instead of speculating, why don't we actually look at the code.  From Linux:

unsigned int domid =
        (xdata.flags & XENMEM_rsrc_acq_caller_owned) ?
        DOMID_SELF : kdata.dom;
...
num = xen_remap_domain_mfn_array(vma,
                                 kdata.addr & PAGE_MASK,
                                 pfns, kdata.num, errs,
                                 vma->vm_page_prot,
                                 domid);

Under the original implementation, it was literally not possible for a
kernel to avoid using XENMEM_rsrc_acq_caller_owned, because it
determined which domid needed feeding into a subsequent foreign map command.

The constant was therefore always part of the fully public ABI, however
it may have been intended, and subsequent claims to the contrary
(notably, those used to justify its deletion) are false.

The security fix for Xen was to prohibit creating situations where we
fed caller_owned back to the kernel.  This is ABI compatible, merely
creating a dead logic path in the kernel.

> Add a comment to the modified struct for not reusing the now removed bit,
> in order to avoid kernels using it stumbling over a possible new meaning
> of the bit.
>
> In case the kernel is updating to a new version of the header, the wrong
> use case must be removed first.
>
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
> ---
> V2:
> - only add comment instead of reverting commit 7c7f7e8fba01 (Jan Beulich)
> ---
>  xen/include/public/memory.h | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/xen/include/public/memory.h b/xen/include/public/memory.h
> index 383a9468c3..86513057f7 100644
> --- a/xen/include/public/memory.h
> +++ b/xen/include/public/memory.h
> @@ -662,6 +662,11 @@ struct xen_mem_acquire_resource {
>       * two calls.
>       */
>      uint32_t nr_frames;
> +    /*
> +     * Padding field, must be zero on input.
> +     * The lowest bit was named XENMEM_rsrc_acq_caller_owned in a previous
> +     * version and should not be reused in future.

s/should/will/.  This is a statement of how Xen shall behave.

I think it's also worth somehow fitting in that it's an output only
bit.  It will be important when inevitably we end up changing this back
to being a flags field when we need to extend the hypercall.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.