[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC XEN PATCH v4 2/5] x86/pvh: Allow (un)map_pirq when caller isn't DOMID_SELF


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: "Chen, Jiqian" <Jiqian.Chen@xxxxxxx>
  • Date: Tue, 9 Jan 2024 07:58:15 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kxueewzXbPVw3Zgi9Y61KkYrapyjpxz5Ae2hR6rqlOg=; b=ARrFi4kryRzpNze1jvXnZW1cJ+AQ/HU4UyzNBF41zuxTVXsKbIN3S7IuCMpzu6hBgn71wrNZiWuXMDfPOmUnW2uYxuLJY9Hi5c6FD6dcpzwYGAnrQG6fg5BilltN/pacUzySAxBnwSOfZTk/lAr0ayASky1lrA7QL2/56+foNXEeiqtUlX3HuLm9+2Akmcj3lSzFOavmAglyMk0eHc2EU7nXzKDiowyaEenqPF1WhR4cQImY9jsQcbBMp3mc1EQUFjZNYuvBGED5LIcZ3FNxjo+nzaa05eMNABPcqMaZ4G0Fv0WH/t5OFHA8P99Ot6SqtZmqhiBXCHEh9H6OERTz5w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VDFwk74PE/blCj5dP0LK/42MUreRy4VAiIBn0Ot+cd01a+kywwN789X9lciaVekwELBZ50z8ntAbT2Kl6+DZv/lR//f8tSGtuXJxZYQHPtzxb9EPTRO6FMR+MfG6CdiGyhxW2N8/i0+9hrajDHTnipWurRtM4/ikadtnS6HYh1N6L+glW6qc6pYQPxoxHmipT+NrfjsnzhyrXK3e3VAeK/+zydoICJlKR7xvownwmxyxgcuYNrXDGx9NuDx0LybggUed+3iFKV9LD4sPXMcDYTK/KASBkCM+URRzV0DKs+6onSPRwffDWJbS49qA9JgJrh2YenTe4BCf3HWaSYtb7A==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, "Hildebrand, Stewart" <Stewart.Hildebrand@xxxxxxx>, "Huang, Ray" <Ray.Huang@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Chen, Jiqian" <Jiqian.Chen@xxxxxxx>
  • Delivery-date: Tue, 09 Jan 2024 07:58:29 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHaP6YuSUk29qg8QEWwkYk64ozIULDL9CiAgAOrDICAAImKAP//gTEAgAH/ogA=
  • Thread-topic: [RFC XEN PATCH v4 2/5] x86/pvh: Allow (un)map_pirq when caller isn't DOMID_SELF

On 2024/1/8 17:25, Jan Beulich wrote:
> On 08.01.2024 10:15, Chen, Jiqian wrote:
>> On 2024/1/8 16:47, Jan Beulich wrote:
>>> On 06.01.2024 01:46, Stefano Stabellini wrote:
>>>> On Fri, 5 Jan 2024, Jiqian Chen wrote:
>>>>> @@ -72,8 +73,30 @@ long hvm_physdev_op(int cmd, 
>>>>> XEN_GUEST_HANDLE_PARAM(void) arg)
>>>>>  
>>>>>      switch ( cmd )
>>>>>      {
>>>>> -    case PHYSDEVOP_map_pirq:
>>>>> -    case PHYSDEVOP_unmap_pirq:
>>>>> +    case PHYSDEVOP_map_pirq: {
>>>>> +        physdev_map_pirq_t map;
>>>>> +
>>>>> +        if ( copy_from_guest(&map, arg, 1) != 0 )
>>>>> +            return -EFAULT;
>>>>> +
>>>>> +        if ( !has_pirq(currd) && map.domid == DOMID_SELF )
>>>>> +            return -ENOSYS;
>>>>
>>>> This looks OK to me although there is already another copy_from_guest in
>>>> do_physdev_op, but I don't see an easy way to make it better.
>>>
>>> How can double reads of hypercall args ever be okay? The new check clearly
>>> needs to be inserted in the code path where the structure is being read
>>> already anyway.
>> I also tried to add this check in PHYSDEVOP_map_pirq in physdev.c, but pv 
>> has no flag X86_EMU_USE_PIRQ too.
>> If want to add it into physdev.c and combine Stefano's opinions, this check 
>> may be like:
>>
>> diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
>> index 47c4da0af7e1..c38d4d405726 100644
>> --- a/xen/arch/x86/physdev.c
>> +++ b/xen/arch/x86/physdev.c
>> @@ -303,11 +303,19 @@ ret_t do_physdev_op(int cmd, 
>> XEN_GUEST_HANDLE_PARAM(void) arg)
>>      case PHYSDEVOP_map_pirq: {
>>          physdev_map_pirq_t map;
>>          struct msi_info msi;
>> +        struct domain *d;
>>
>>          ret = -EFAULT;
>>          if ( copy_from_guest(&map, arg, 1) != 0 )
>>              break;
>>
>> +        d = rcu_lock_domain_by_any_id(map.domid);
>> +        if ( d == NULL )
>> +            return -ESRCH;
>> +        if ( !is_pv_domain(d) && !has_pirq(d) )
>> +            return -ENOSYS;
>> +        rcu_unlock_domain(d);
>> +
>>          switch ( map.type )
>>          {
>>          case MAP_PIRQ_TYPE_MSI_SEG:
> 
> Well, yes, perhaps kind of like that, but with rcu_unlock_domain() called
> on the error 2nd return path as well, and without abusing ENOSYS.
Ok, will call rcu_unlock_domain on 2nd error path, and change ENOSYS to 
EOPNOTSUPP.

> 
> Jan

-- 
Best regards,
Jiqian Chen.

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.