[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] IOMMU: make domctl handler tolerate NULL domain

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Thu, 21 Apr 2022 19:14:52 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Y9pWpwzid0b/vkalw4ptt9lOsRkxF6ApYEjPg2lVN/g=; b=csQOvYtYyKiYaHh7MF1kw2ZnW/cQi61em8S7xQsXOzZbW9yYvl2/szlOVR4aWvHPBQFxORNxxHWDHOVV14lHH6rLnXzI9acf4g9wis3z6yxmAnWDSmznNKH0x3aL0DFzSe8Et57BnJQg0c7LyOGQRi841OhLii2HuWk97ndoOAiKtQNN2KqT+3Gw6oOoqCwkrRqis+Q+tBCIHTrFM/+VJxCV3kCy+lc1iPygDItQ1TRcRZATW9X1qq365z4HHL9XADsoEVZF0x02UKd+154tdsuGf+0xPsKxtbSr0dQAnefXKfurxoah67AQzix+CuaYhDKPxsnbpiTlOHhGbHOA9A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=j+PE9aU3u8o0zkrZ/o8hCXp26F4IpuUstdgM+DEuMUR7KC7R7epSU31oTHXwo4nOjlokT3kiptSdaoANDEy8bTU2ykt5RGLHOWCgjpIR/Hhj0iaVQb3rcZzIaTChhdGuE8wtn7X4DD6MMp24sZawkZoeka8zuAeSRn1iIMqC8LB1h7Bbht3c+R9Mok2bTZYxPZHBC4zjoILMx6NZj1gHbXLqnZy3W0+KFiGEq3kH3jxqe+KjYXFpm2PuNU3PzA3nEFtxwJh5Z973nmGdEuCnNrh8/A7brc8zDc7rcVCr/IpALgbeHW+8hbGVugioCMuE1N9K6e1avsAY1TiTfIdBIg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Paul Durrant <paul@xxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 21 Apr 2022 19:15:08 +0000
  • Ironport-data: A9a23:fDWUpqhzA2sfhC9a6qJWrMEZX161bBEKZh0ujC45NGQN5FlHY01je htvUTiPbviIN2Lxe4tza9m+9U1VvJLSzYA3HFE+qS4xQXsb9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oDJ9CU6jefSLlbFILas1hpZHGeIcw98z0M78wIFqtQw24LhX1nU4 YmaT/D3YzdJ5RYlagr41IrbwP9flKyaVOQw5wFWiVhj5TcyplFNZH4tDfjZw0jQG+G4KtWSV efbpIxVy0uCl/sb5nFJpZ6gGqECaua60QFjERO6UYD66vRJjnRaPqrWqJPwwKqY4tmEt4kZ9 TlDiXC/YT4yZ/zPifsEbwZJDw5cBvRI1eb9IVHq5KR/z2WeG5ft69NHKRhveKY/o6NwC2wI8 uEEIjcQaBzFn/ix3L+wVuhrgIIkMdXvO4Qc/HpnyFk1D95/GcyFH/qMuIEehWho7ixNNa+2i 84xQDxjdhnfJTZIPU8aEskWl+a0nHjvNTZfrTp5oIJpsjaPklAtjdABNvLPQtupWd5yxH2Hg T7i3EmjLB0RLdKAnG/tHnWEw7WncTnAcIAYGaC89/VqqEaO3WFVAxoTPXOjqOS9ol6zXZRYM UN80ight68p72SwU8LwGRa/pRasrhMaHtZdDeA+wAWM0bbPpRaUAHAeSTxMY8Bgs9U5LQHGz XeMltLtQDdo6bucTCvE8q/O9Gzqfy8IMWUFeCkICxMf5MXuq50yiRSJSct/FKmyjZv+HjSYL y22kRXSTo471aYjv5hXN3id695wjvAlljII2zg=
  • Ironport-hdrordr: A9a23:l7sujK3Bj8RfxUDIC0nFMwqjBetxeYIsimQD101hICG9Lfb0qy n+pp4mPEHP4wr5AEtQ4uxpOMG7MBDhHQYc2/hcAV7QZnidhILOFvAs0WKC+UysJ8SazIJgPM hbAs9D4bHLbGSSyPyKmDVQcOxQjuVvkprY49s2pk0FJW4FV0gj1XYBNu/xKDwVeOAyP+tcKH Pq3Lsjm9PPQxQqR/X+IkNAc/nIptXNmp6jSwUBHQQb5A6Hii7twKLmEjCDty1uEw9n8PMHyy zoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDPsqRkcIYQw+cyTpAJb4RGYFqjgpF5N1H22xa1+ UkZC1Qefib3kmhO11dZyGdgjUIngxes0MKgmXo/EcL6faJOA7STfAxxL6xOyGplXbJ9rtHod 129nPcuJxNARzamiPho9DOShFxj0Kx5WEviOgJkhVkIMMjgZJq3PoiFXluYd499ePBmfIaOf grCNuZ6OddcFucYXyctm5zwMa0VnB2GhudWEANtsGczjATxRlCvgEl7d1amm1F+IM2SpFC6e iBOqN0lKtWRstTaa5mHu8OTca+F2SISxPRN2CZJ0jhCcg8Sjnwgo+y5K9w6PCheZQOwpd3kJ PdUElAvWp3YE7qAd3m5uw9zvkMehTIYd3A8LAv23EigMyMeFPCC1zxdHk+1829vv4YHsrXH/ 6uJZM+OY6XEVfT
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYU9FUwjuogeCS0EWgGeBVFIanqKz3Yk2AgAAA74CAAAPwgIAA5uIAgAJydgA=
  • Thread-topic: [PATCH] IOMMU: make domctl handler tolerate NULL domain
On 20/04/2022 06:52, Jan Beulich wrote:
> On 19.04.2022 18:06, Andrew Cooper wrote:
>> On 19/04/2022 16:52, Juergen Gross wrote:
>>> On 19.04.22 17:48, Andrew Cooper wrote:
>>>> On 19/04/2022 10:39, Jan Beulich wrote:
>>>>> Besides the reporter's issue of hitting a NULL deref when
>>>>> !CONFIG_GDBSX,
>>>>> XEN_DOMCTL_test_assign_device can legitimately end up having NULL
>>>>> passed
>>>>> here, when the domctl was passed DOMID_INVALID.
>>>>>
>>>>> Fixes: 71e617a6b8f6 ("use is_iommu_enabled() where appropriate...")
>>>>> Reported-by: Cheyenne Wills <cheyenne.wills@xxxxxxxxx>
>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>>
>>>>> --- a/xen/drivers/passthrough/iommu.c
>>>>> +++ b/xen/drivers/passthrough/iommu.c
>>>>> @@ -558,7 +558,7 @@ int iommu_do_domctl(
>>>>>   {
>>>>>       int ret = -ENODEV;
>>>>>   -    if ( !is_iommu_enabled(d) )
>>>>> +    if ( !(d ? is_iommu_enabled(d) : iommu_enabled) )
>>>>>           return -EOPNOTSUPP;
>>>> Having spent the better part of a day debugging this mess, this patch is
>>>> plain broken.
>>>>
>>>> It depends on Juergen's "xen/iommu: cleanup iommu related domctl
>>>> handling" patch, because otherwise it erroneously fails non-IOMMU
>>>> subops.
>>> Which is not a real problem, as it is being called after all other
>>> subops didn't match.
>> It is a real problem even now, because it is bogus for the host or
>> domain's IOMMU status to have any alteration to the
>> XEN_DOMCTL_gdbsx_guestmemio path.  The root cause of this bug is the
>> existing XEN_DOMCTL_gdbsx_guestmemio case being compiled out in the
>> !GDBSX case.
> I find your wording ("plain broken" in particular) irritating, to put
> it mildly. The change in behavior is that -EOPNOTSUPP may now be
> returned for the gdbsx operation instead of -ENOSYS.

It's not just gdbsx operations - it's every domctl subop whose case
statement happens to get conditionally compiled out:

XEN_DOMCTL_set_access_required
XEN_DOMCTL_debug_op
XEN_DOMCTL_mem_sharing_op
XEN_DOMCTL_audit_p2m

and every future domctl.  I didn't trying reasoning about the differing
populations of each arches arch_do_domctl().

>  And that's when
> it would better have been -EOPNOTSUPP in the first place.

This irrelevant unless you have a time machine, or you can prove that
the change doesn't break things.

For the record, I didn't know about Juergen's discovery of 2 ENOSYS vs
EOPNOTSUPP breakages in xen.git alone when writing the email.  The mass,
and spurious, change to almost 2^32 subops was enough to give pause for
thought.

>> It would be a more obvious problem if there were calls chained after
>> iommu_do_domctl() in the arch_domctl() default: blocks, because then it
>> wouldn't only be compiled-out functionality which hit this check.
> But that's not the case.

There is timebomb which just exploded on a user, and you've provided a
patch claiming to defuse it, when all you have done is swap out one
trigger for another.

Specifically, you've replaced a latent bug (nothing actually calls
test_assign_device with DOMID_INVALID) with a real error metastability
for logic that really does care about ENOSYS vs EOPNOTSUPP.

Yes - we should decide whether it ought be legal to call
test_assign_device with DOMID_INVALID or not, and then write the
reasoning down in the same patch which adjusts do_domctl() and/or
iommu_do_domctl() to have consistent behaviour.

But until iommu_do_domctl() is filtered to not operate on unrelated
subops, making this change breaks more things than it fixes.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.