[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH RFC 07/10] domain: map/unmap GADDR based shared guest areas

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Fri, 20 Jan 2023 17:44:22 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uLwgvpGk16i6VK5d6cd5GVcGnGfPIhaxeruIgV1xLcY=; b=jpE6ma5sH5ETWwROH3/Ku0Q8wphktpkfAeoK6KkaJHa2T4fZL0Ouvf8MS4K1hpsYkrwNUPwhY5l6WPwSpga3uDFOjgIHQsyFCFyHzIaJxivio3Lz1laTxfz4ok8PX1gXl+APwwFHvA7jfsWi/GfeyUcdJvAQ8Hd+P7R0XOUxt4V02ipFnaKc/9/7jHT0gwM7gDLVG1EM9Eq+/ZvW7+FVpkug36DJNl3xy1f9mUbdH8lsjeZDXGtaPnmkz8JO4L2povK5kb/egeDTpAzsj+2QvPYKc5Dqm1TlaI2hCagEFhZaDFP3etpWpCAYKIVtuERJb+DWFv3IVOPc7UjtQwwtFg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GE816gH1VoayO7WeAStZC3EF+6OTVJr0aLbGc+wHJU7aBv6HEZ7xOdgcZrKGFn7db5YlMU87LVQUzjHFPSzUun4un9KHWLKgZQtj42HMABZ5ADPMIOi4O8UfXJa483JiIe5NhG2CqlcqHGUHANZTgX8J7sNPFLePna1Vwbs9Sw60PedeUhXud78SBu2fz/IDiw5GTAp1hd9q2K7swu79fF8PJQt1TnKhanN5C5gAOSPkku6bbVuPmy3BcMLcNH+iB8mMtMB+sxEs3iRGnug6j+NZrH3rvIuUedyvdrG1oc9Y0wZBj613Kdsa5VACiDO1kw3L3qzcgxYT9DjnptMfew==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 20 Jan 2023 17:44:45 +0000
  • Ironport-data: A9a23:/XHWBqvh6N7Hp8+NKfa7C5zsW+fnVJxfMUV32f8akzHdYApBsoF/q tZmKWvTPKqDYmr9eN1wao6/pENSsMDdy95nHAZq/CpmFSkS+JbJXdiXEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVKiffHg0HVU/IMsYoUoLs/YjhYJ1isSODQqIu Nfjy+XSI1bg0DNvWo4uw/vrRChH4bKj51v0gnRkPaoQ5AaEzyFPZH4iDfrZw0XQE9E88tGSH 44v/JnhlkvF8hEkDM+Sk7qTWiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JFAatjsB2bnsgZ9 Tl4ncfYpTHFnEH7sL91vxFwS0mSNEDdkVPNCSDXXce7lyUqf5ZwqhnH4Y5f0YAwo45K7W9yG fMwCzFUMzuexPuK36OAYbN3mNx4MY7qFdZK0p1g5Wmx4fcOZ7nmGv2Pz/kHmTA6i4ZJAOrUY NcfZXx3dhPcbhZTO1ARTpUjgOOvgXq5eDpdwL6XjfNvvy6Pk0ouiP60aIS9lt+iHK25mm6xo G7c8nu/KRYdLNGFkhKO8262h/+JliT+MG4XPOzjrqY12Q3ProAVIBZPDUnrqqO7sVe3YNdFB WhE4gd1vYFnoSRHSfG4BXVUukWsvBQRRt5RGO0S8xyWx+zf5APxLnMfUjdLZdgitck3bT8nz FmEm5XuHzMHmKKRYWKQ8PGTtzzaESoIKW4PYwcUQA1D5MPsyKkjgxSKQtt9HaqditzuBSq20 z2MtDI5hbgYkYgMzarTwLzcqzelp5yMRAhq4AzSBzqh9lkgPNDjYJG041/G6/oGNJyeUlSKo HkDnY6Z8fwKCpaO0ieKRY3hAY2U2hpMCxWE6XYHInXr323FF6KLFWyI3AxDGQ==
  • Ironport-hdrordr: A9a23:1G4cU6hEADeKy2nCPLEfy5z/U3BQXs0ji2hC6mlwRA09TyX4rb HMoB1/73SftN9/YgBDpTn+AtjkfZqxz/NICOoqXYtKPjOJhILAFugL0WKF+VHd8kbFl9K1u5 0OT0F2MqyVMWRH
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY4457jyaOcvAnhkOdTNwMDM8hXq5O0KiAgFTsIQCAAMNSgIADpm+A
  • Thread-topic: [PATCH RFC 07/10] domain: map/unmap GADDR based shared guest areas
On 18/01/2023 9:59 am, Jan Beulich wrote:
> On 17.01.2023 23:20, Andrew Cooper wrote:
>> On 24/11/2022 9:29 pm, Julien Grall wrote:
>>> On 19/10/2022 09:43, Jan Beulich wrote:
>>>> The registration by virtual/linear address has downsides: At least on
>>>> x86 the access is expensive for HVM/PVH domains. Furthermore for 64-bit
>>>> PV domains the areas are inaccessible (and hence cannot be updated by
>>>> Xen) when in guest-user mode.
>>>>
>>>> In preparation of the introduction of new vCPU operations allowing to
>>>> register the respective areas (one of the two is x86-specific) by
>>>> guest-physical address, flesh out the map/unmap functions.
>>>>
>>>> Noteworthy differences from map_vcpu_info():
>>>> - areas can be registered more than once (and de-registered),
>>>> - remote vCPU-s are paused rather than checked for being down (which in
>>>>    principle can change right after the check),
>>>> - the domain lock is taken for a much smaller region.
>>>>
>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>> ---
>>>> RFC: By using global domain page mappings the demand on the underlying
>>>>       VA range may increase significantly. I did consider to use per-
>>>>       domain mappings instead, but they exist for x86 only. Of course we
>>>>       could have arch_{,un}map_guest_area() aliasing global domain page
>>>>       mapping functions on Arm and using per-domain mappings on x86. Yet
>>>>       then again map_vcpu_info() doesn't do so either (albeit that's
>>>>       likely to be converted subsequently to use map_vcpu_area()
>>>> anyway).
>>>>
>>>> RFC: In map_guest_area() I'm not checking the P2M type, instead - just
>>>>       like map_vcpu_info() - solely relying on the type ref acquisition.
>>>>       Checking for p2m_ram_rw alone would be wrong, as at least
>>>>       p2m_ram_logdirty ought to also be okay to use here (and in similar
>>>>       cases, e.g. in Argo's find_ring_mfn()). p2m_is_pageable() could be
>>>>       used here (like altp2m_vcpu_enable_ve() does) as well as in
>>>>       map_vcpu_info(), yet then again the P2M type is stale by the time
>>>>       it is being looked at anyway without the P2M lock held.
>>>>
>>>> --- a/xen/common/domain.c
>>>> +++ b/xen/common/domain.c
>>>> @@ -1563,7 +1563,82 @@ int map_guest_area(struct vcpu *v, paddr
>>>>                      struct guest_area *area,
>>>>                      void (*populate)(void *dst, struct vcpu *v))
>>>>   {
>>>> -    return -EOPNOTSUPP;
>>>> +    struct domain *currd = v->domain;
>>>> +    void *map = NULL;
>>>> +    struct page_info *pg = NULL;
>>>> +    int rc = 0;
>>>> +
>>>> +    if ( gaddr )
>>> 0 is technically a valid (guest) physical address on Arm.
>> It is on x86 too, but that's not why 0 is generally considered an
>> invalid address.
>>
>> See the multitude of XSAs, and near-XSAs which have been caused by bad
>> logic in Xen caused by trying to make a variable held in struct
>> vcpu/domain have a default value other than 0.
>>
>> It's not impossible to write such code safely, and in this case I expect
>> it can be done by the NULLness (or not) of the mapping pointer, rather
>> than by stashing the gaddr, but history has proved repeatedly that this
>> is a very fertile source of security bugs.
> I'm checking a value passed in from the guest here. No checking of internal
> state can replace that. The checks on internal state leverage zero-init:
>
>  unmap:
>     if ( pg )
>     {
>         unmap_domain_page_global(map);
>         put_page_and_type(pg);
>     }
>
> It's also not clear to me whether, like Julien looks to have read it, you
> mean to ask that I revert back to using 0 as the "invalid" (i.e. request
> for unmap) indicator.

I'm merely asking you to be extra careful and not add bugs to the error
paths.  And it appears that you have done it based on the NULLness of
the mapping pointer, which is fine.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.