[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] xen/mm: don't unconditionally clear PGC_need_scrub in alloc_heap_pages()

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Ayden Bottos <aydenbottos12@xxxxxxxxx>
  • Date: Thu, 26 Mar 2026 01:15:52 +1100
  • Arc-authentication-results: i=1; mx.google.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=r7y6YKolCJv5+RCixJGv6yuwL2cEKqM475jxEEtn/XU=; fh=g1WkAsZ2h5zzPyv9sSr+bkKXIKzQT0CMUrA/Ka8vWHk=; b=OkjO2PL677FWqSWeqkcAt7CjYNuWLGx77gZ3OAGoZAhsgRsNqZIM8R51QseWvaZ6/o +gjeqTdobjMQtStevKF/NA+crjM+cNisDCUJ05qOJ+OLHiCqXnzJa2lUPZFVnVnxlHlp wfcy7uyhuawbEV1PakV0PTPvjXfnuEv1mN81lEWfQUjy7ABXBKaG0/sWrGrJeSoAujoW MDwEKvZKF0qHvsU84b4nGgPAWAck0clIkIYWIaGDfYY59f29JViD0jXBq7hkj2BnjTV0 18zaID6zGx8MU/cq7CQP/1+utzIO3xKC0WrU7HGKSdcgmhRtDLx0awOpRUfmf/2gEyJg 53Pg==; darn=lists.xenproject.org
  • Arc-seal: i=1; a=rsa-sha256; t=1774448164; cv=none; d=google.com; s=arc-20240605; b=PkiGqVneoTAN8tT6/3QfKjxN4t4IpqHI375XykqZCGLWvPYFNIC3sp67A4aoOBCVkn U2PyXrklrhbSaTTESZykcwnfAAjn61wgQ1Z8iOD1u/yJnVupCTEEIYVyywrrO63r56gL FWEGc0WtPyD8dggd/f58ccKjT4SeNo+JnnWz8gxrhleJKznHyPUcdG6QsEIvd4pg+PsQ OLbctyM1c33peAr6H/cdtPezAX0eYIZkQyG+VR+ziRCmDPMXt1tW+HhuqdmlFfEM6+Ay S07f2/cvwSC53mYHZbdCDPggNnEj9FzpP4agHEwqeRPzUWBwLejnXTPX28l1ZacS7aaA MDBA==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References:MIME-Version"
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 25 Mar 2026 14:51:16 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
This looks good to me. I would also add a brief comment in mm.h to
make the contract clearer for future callers: MEMF_keep_scrub is an
internal allocator flag and only valid together with MEMF_no_scrub.

On Thu, Mar 26, 2026 at 12:37 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> On 25.03.2026 11:08, Roger Pau Monne wrote:
> > alloc_heap_pages() will unconditionally clear PGC_need_scrub, even when
> > MEMF_no_scrub is requested.  This is kind of expected as otherwise some
> > callers will assert on seeing non-expected flags set on the count_info
> > field.
> >
> > Introduce a new MEMF bit to signal to alloc_heap_pages() that non-scrubbed
> > pages should keep the PGC_need_scrub bit set. This fixes returning dirty
> > pages from alloc_domheap_pages() without the PGC_need_scrub bit set for
> > populate_physmap() to consume.
> >
> > With the above change alloc_domheap_pages() needs an adjustment to cope
> > with allocated pages possibly having the PGC_need_scrub set.
> >
> > Fixes: 83a784a15b47 ("xen/mm: allow deferred scrub of physmap populate 
> > allocated pages")
> > Reported-by: Ayden Bottos <aydenbottos12@xxxxxxxxx>
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> with one nit (minor request) at the bottom.
>
> > ---
> > This issue was initially reported to the Xen Security Team, and it did turn
> > out to not require an XSA only because the code hasn't been part of any
> > release, otherwise an XSA would have been issued.
> >
> > The Security Team would like to thanks Ayden for the prompt report.
> >
> > In the scrubbing loop in alloc_heap_pages() i should better be unsigned
> > long.
>
> This issue is wider than just that function. As long as MAX_ORDER <= 
> BITS_PER_INT,
> I think we could have all such loops consistently use unsigned int induction
> variables. But of course switching to unsigned long would be okay as well, 
> just
> perhaps a little less efficient on (at least) x86. My main wish would be for 
> all
> of those variables to be consistent in type (and hence all involved literal
> number suffixes also being consistently U or UL).
>
> > --- a/xen/include/xen/mm.h
> > +++ b/xen/include/xen/mm.h
> > @@ -208,6 +208,8 @@ struct npfec {
> >  #define  MEMF_no_refcount (1U<<_MEMF_no_refcount)
> >  #define _MEMF_populate_on_demand 1
> >  #define  MEMF_populate_on_demand (1U<<_MEMF_populate_on_demand)
> > +#define _MEMF_keep_scrub  2
> > +#define  MEMF_keep_scrub  (1U<<_MEMF_keep_scrub)
> >  #define _MEMF_no_dma      3
> >  #define  MEMF_no_dma      (1U<<_MEMF_no_dma)
> >  #define _MEMF_exact_node  4
>
> Irrespective of all the similar issues in surrounding code, may I ask that << 
> be
> surrounded by blanks in the new addition, to conform to ./CODING_STYLE?
>
> As an aside, I wonder whether we really need the separate _MEMF_keep_scrub, 
> but
> the same likely applies to most other _MEMF_*.
>
> Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.