[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 9/9] gnttab: don't silently truncate GFNs in compat setup-table handling
- To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Fri, 7 Oct 2022 19:57:28 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KV3BC7c7AkDoU8ohIWYMl6OirBPFWsYjUCGZ7KbiEQ4=; b=luEyM58TiOAYAAiQteTftwbQ9+OKZkyVrXVJJN8nJT394wGl0WR9e5i1dk/emFn9JjkoX7vTK36BG9M8jqalZ0zb9KPn9rRLA63uU1rMq5MsA4TZS+i2nHbO/Nmkos8iIf8ysfjidfSVbZbbf/PLDyxCV6vLr1PQUeqyVS7WrXL+hHzCYwFNG2rrHEVBT2otMBWKwCEE08rzTN5SJTYaMvLiQeeoIvyQB4VC7LEIWVvNITownHzZQxdmqJ+VKAr9iNXOdlyQ7ZAMTaOhsKw+RPgH08uc9Xmfr7WZQ0IJMbS0/qlu+dS7OVl+HwRUZqAaRwk916HQF0L2kRgDHhS/WA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FxL2fFPDiRxbXkWj58LRuX2hxFRJxh5Nqbb5ye/7PjwrnywVeeb9nmepkJcopipPQd1SjSC4XamrmcQqBEEzkg8XBBGuJJGjY0lum7HMilofY8o9GhpVygSIXuOV1o+LIRlOUD+Sk13+01TAjhdjfxZsH0cd5uJjNwcWjVBs8rAAjrS72h21DgxxYfvD11I+4b947nyv07kej/+2TxDOlE9dU5AYHocso28k1u4VocbHftDcsyJqMkJocdYoMUPpdV6k89V6nsKhXOqfYKj7EWx/gB2EL4bpbp/CNZcX6gcSUlzgMUMfrIPCka186Lnhys0TxqD8OF3ybUtvltYhvg==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Fri, 07 Oct 2022 19:58:01 +0000
- Ironport-data: A9a23:jhRuoK5AUEEu30Xpul9fWAxRtOLGchMFZxGqfqrLsTDasY5as4F+v jNMDWGAaPiJYTb3fd92aYyx9x4BsJ7dmIRjHFdopC00Hi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvymTras1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpJrfPewP9TlK6q4mlB5gRhPaojUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c53DEV3y /MfEAorSQCluNPuye+kCdRF05FLwMnDZOvzu1lG5BSAV7MKZM6GRK/Ho9hFwD03m8ZCW+7EY NYUYiZuaxKGZABTPlAQC9Q1m+LAanvXKmUE7g7K4/dmpTGMkGSd05C0WDbRUvWMSd9YgQCzo WXe8n6iKhobKMae2XyO9XfEaurnzXmlBdNPTezQGvhCmkCp72ANEEYqRXi9/dKZlHKMQeJ5A hlBksYphe1onKCxdfH/VRClpH+PvjYHRsFdVeY97Wml2qfSpgqUGGUAZjpAc8A98t87QyQw0 V2ElM+vAiZg2JWUVnC15rqStSm1OyUeMSkFfyBsZQkY59jupqkjgxSJScxseIaulcH8Ezz0x zGMrQA9iq8VgMpN0L+0lXjYhxq8q56PSRQ6jjg7RUqg5wJ9IYKgOYqh7AGB6e4addnFCF6co HIDhs6SqvgUCo2AnzCMR+NLG6y14/GCM3vXhlsH84QdyglBMkWLJeh4iAyS7m80WirYUVcFu HPuhD4=
- Ironport-hdrordr: A9a23:jfeWPqilFi0gEna4hyUdeTOG0nBQX3l13DAbv31ZSRFFG/FwyP rCoB1L73XJYWgqM03IwerwQ5VpQRvnhP1ICRF4B8buYOCUghrTEGgE1/qv/9SAIVy1ygc578 tdmsdFebrN5DRB7PoSpTPIa+rIo+P3v5xA592uqUuFJDsCA84P0+46MHfjLqQcfnglOXNNLu v52iMxnUvERZ14VKSGL0hAe9KGi8zAlZrgbxJDLQUg8hOygTSh76O/OwSE3z8FOgk/gIsKwC zgqUjU96+ju/a0xlv3zGnI9albn9Pn159qGNGMsM4IMT/h4zzYJLiJGofy/wzdktvfrWrCo+ O85yvI+P4DrE85S1vF4ycFHTOQlgrGpUWSkGNwykGT3PARDAhKd/apw7gpPCcxonBQwu2Vms hwrh2knosSAhXakCvn4d/UExlsi0qvuHIn1fUelnpFTOIlGfZsRKEkjTRo+a07bVTHwZFiFP MrANDX5f5Qf1/fZ3fFvnN3yNjpWngoBB+JTkULp8TQilFt7TtE5lpdwNZakmYL9Zo7RZUB7+ PYMr5wnLULSsMNd6pyCOoIXMPyAG3QRhDHNn6UPD3cZek6EmOIr4Sy7KQ+5emsdpBNxJwumI 7ZWFcdrmI2c1KGM7z74HSKyGG5fIyQZ0Wf9igF3ekJhlTVfsuaDQSTDFYzjsCnv/ITRsXGRv fbAuMlP8Pe
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHXmmNdHWNgMIrF1UaLY8uP4AWVM64F2UcA
- Thread-topic: [PATCH 9/9] gnttab: don't silently truncate GFNs in compat setup-table handling
On 26/08/2021 11:15, Jan Beulich wrote:
> Returning back truncated frame numbers is unhelpful: Quite likely
> they're not owned by the domain (if it's PV), or we may misguide the
> guest into writing grant entries into a page that it actually uses for
> other purposes.
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> RFC: Arguably in the 32-bit PV case it may be necessary to instead put
> in place an explicit address restriction when allocating
> ->shared_raw[N]. This is currently implicit by alloc_xenheap_page()
> only returning memory covered by the direct-map.
Yet another reason why having the grant table be Xen memory, rather than
guest memory, was a terrible idea. Changing this is in consideration
for the encrypted vm work.
Its fine for now, but is fragile and liable to break for e.g. an
xmalloc() -> vmalloc() conversion, or when we get 5-level paging and the
directmap boundary moves above 16T.
> --- a/xen/common/compat/grant_table.c
> +++ b/xen/common/compat/grant_table.c
> @@ -175,8 +175,15 @@ int compat_grant_table_op(unsigned int c
> i < (_s_)->nr_frames; ++i ) \
> { \
> compat_pfn_t frame = (_s_)->frame_list.p[i]; \
> - if ( __copy_to_compat_offset((_d_)->frame_list, \
> - i, &frame, 1) ) \
> + if ( frame != (_s_)->frame_list.p[i] ) \
> + { \
> + if ( VALID_M2P((_s_)->frame_list.p[i]) ) \
> + (_s_)->status = GNTST_address_too_big; \
> + else \
> + frame |= 0x80000000U;\
Space before the \. (This is one reason why I hate this style. The
borderline illegibility makes it almost impossible to spot style problems.)
With the adjustment from the previous patch, you'll need a break in here.
But for !valid case, shouldn't we saturate to ~0u ? I recall from the
migration work that various kernels disagree on what constitutes an
invalid MFN.
Then again, I can't see what legitimate case we'd have for a truncation
and an invalid M2P entry needing translating.
~Andrew
> + } \
> + else if ( __copy_to_compat_offset((_d_)->frame_list,
> \
> + i, &frame, 1) ) \
> (_s_)->status = GNTST_bad_virt_addr; \
> } \
> } while (0)
>
>
|