From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Mukesh Rathor <mukesh.rathor@oracle.com>
Cc: george.dunlap@eu.citrix.com, Xen-devel@lists.xensource.com,
	tim@xen.org, keir.xen@gmail.com, JBeulich@suse.com
Subject: Re: [V3 PATCH 7/9] pvh: change xsm_add_to_physmap
Date: Wed, 27 Nov 2013 11:46:27 -0500	[thread overview]
Message-ID: <529621E3.8090906@tycho.nsa.gov> (raw)
In-Reply-To: <1385519230-21132-8-git-send-email-mukesh.rathor@oracle.com>

On 11/26/2013 09:27 PM, Mukesh Rathor wrote:
> In preparation for the next patch, we update xsm_add_to_physmap to
> allow checking of the foreign domain. Thus, the current domain must
> have the right to update the mappings of the target domain with pages
> from the foreign domain.
>
> Signed-off-by: Mukesh Rathor <mukesh.rathor@oracle.com>
> CC: dgdegra@tycho.nsa.gov
> ---
>   xen/arch/x86/mm.c       |   16 +++++++++++++---
>   xen/include/xsm/dummy.h |   10 ++++++++--
>   xen/include/xsm/xsm.h   |    6 +++---
>   xen/xsm/flask/hooks.c   |   10 ++++++++--
>   4 files changed, 32 insertions(+), 10 deletions(-)

The XSM changes look good; however, the calling code needs a bit of
tweaking.  Currently, if domain 0 is specified as the foreign domain,
the check is skipped, and the check is also run unnecessarily when
foreign_domid is nonzero but the operation is not XENMAPSPACE_gmfn_foreign.
The locking in this version also implies a potential TOCTOU bug, though
in reality it is impossible to trigger because of the RCU lock already
held on (d).  I would suggest passing the foreign struct domain instead
of the domid, as below.

An unrelated question about XENMAPSPACE_gmfn_foreign that came up while
looking at this: is the domain parameter (d) supposed to be ignored
here, with maps always modifying the current domain? I would have
expected this call to manipulate d's physmap, with the common case being
(d == current->domain).

---

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 797fbc7..9afbcb9 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4531,23 +4531,17 @@ static int handle_iomem_range(unsigned long s, unsigned long e, void *p)
   * Returns: 0 ==> success
   */
  static int xenmem_add_foreign_to_pmap(unsigned long fgfn, unsigned long gpfn,
-                                      domid_t foreign_domid)
+                                      struct domain *fdom)
  {
      p2m_type_t p2mt, p2mt_prev;
      int rc = 0;
      unsigned long prev_mfn, mfn = 0;
-    struct domain *fdom, *currd = current->domain;
+    struct domain *currd = current->domain;
      struct page_info *page = NULL;
  
-    if ( currd->domain_id == foreign_domid || foreign_domid == DOMID_SELF ||
-         !is_pvh_domain(currd) )
+    if ( currd == fdom || !fdom || !is_pvh_domain(currd) )
          return -EINVAL;
  
-    /* Note, access check is done in the caller via xsm_add_to_physmap */
-    if ( !is_control_domain(currd) ||
-         (fdom = get_pg_owner(foreign_domid)) == NULL )
-        return -EPERM;
-
      /* following will take a refcnt on the mfn */
      page = get_page_from_gfn(fdom, fgfn, &p2mt, P2M_ALLOC);
      if ( !page || !p2m_is_valid(p2mt) )
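Review bot: Removing the `is_control_domain`/`get_pg_owner` block also removes the only comment that said where authorisation happens, so nothing left in xenmem_add_foreign_to_pmap records what it relies on the caller for; a replacement above the `currd == fdom` check such as `/* Caller has passed xsm_add_to_physmap and holds a get_pg_owner() reference on fdom. */` would keep that contract visible. The matching `put_pg_owner(fdom)` goes away in the hunk at L84 and the reference is instead taken and dropped in arch_memory_op (hunk at L142), so every early `return` here now depends on that caller pairing. The function's header comment starts above the hunk; if it describes the `foreign_domid` parameter it needs updating for `fdom`. The function body continues past the hunk.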
@@ -4579,7 +4573,7 @@ static int xenmem_add_foreign_to_pmap(unsigned long fgfn, unsigned long gpfn,
      {
          gdprintk(XENLOG_WARNING, "set_foreign_p2m_entry failed. "
                   "gpfn:%lx mfn:%lx fgfn:%lx fd:%d\n",
-                 gpfn, mfn, fgfn, foreign_domid);
+                 gpfn, mfn, fgfn, fdom->domain_id);
          put_page(page);
          rc = -EINVAL;
      }
@@ -4590,14 +4584,13 @@ static int xenmem_add_foreign_to_pmap(unsigned long fgfn, unsigned long gpfn,
       */
      put_gfn(currd, gpfn);
  
-    put_pg_owner(fdom);
      return rc;
  }
  
  static int xenmem_add_to_physmap_once(
      struct domain *d,
      const struct xen_add_to_physmap *xatp,
-    domid_t foreign_domid)
+    struct domain *foreign_dom)
  {
      struct page_info *page = NULL;
      unsigned long gfn = 0; /* gcc ... */
@@ -4660,7 +4653,7 @@ static int xenmem_add_to_physmap_once(
          case XENMAPSPACE_gmfn_foreign:
          {
              rc = xenmem_add_foreign_to_pmap(xatp->idx, xatp->gpfn,
-                                            foreign_domid);
+                                            foreign_dom);
              return rc;
          }
  
@@ -4729,7 +4722,7 @@ static int xenmem_add_to_physmap(struct domain *d,
          start_xatp = *xatp;
          while ( xatp->size > 0 )
          {
-            rc = xenmem_add_to_physmap_once(d, xatp, DOMID_INVALID);
+            rc = xenmem_add_to_physmap_once(d, xatp, NULL);
              if ( rc < 0 )
                  return rc;
  
@@ -4755,11 +4748,12 @@ static int xenmem_add_to_physmap(struct domain *d,
          return rc;
      }
  
-    return xenmem_add_to_physmap_once(d, xatp, DOMID_INVALID);
+    return xenmem_add_to_physmap_once(d, xatp, NULL);
  }
  
  static int xenmem_add_to_physmap_range(struct domain *d,
-                                       struct xen_add_to_physmap_range *xatpr)
+                                       struct xen_add_to_physmap_range *xatpr,
+                                       struct domain *foreign_dom)
  {
      int rc;
  
@@ -4779,7 +4773,7 @@ static int xenmem_add_to_physmap_range(struct domain *d,
          xatp.space = xatpr->space;
          xatp.idx = idx;
          xatp.gpfn = gpfn;
-        rc = xenmem_add_to_physmap_once(d, &xatp, xatpr->foreign_domid);
+        rc = xenmem_add_to_physmap_once(d, &xatp, foreign_dom);
  
          if ( copy_to_guest_offset(xatpr->errs, xatpr->size-1, &rc, 1) )
              return -EFAULT;
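Review bot: `xatpr->foreign_domid` is no longer read here, yet nothing in xenmem_add_to_physmap_range says that `foreign_dom` is its already-resolved and already-authorised counterpart, handed down for every `xatpr->space` value; a comment at the call, `/* foreign_dom: resolved and XSM-checked by arch_memory_op; NULL unless space is XENMAPSPACE_gmfn_foreign. */`, would make the trust boundary explicit to the next reader. The enclosing loop starts above the hunk.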
@@ -4855,25 +4849,29 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
          if ( d == NULL )
              return -ESRCH;
  
-        if ( xatpr.foreign_domid )
+        if ( xatpr.space == XENMAPSPACE_gmfn_foreign )
          {
-            if ( (fd = rcu_lock_domain_by_any_id(xatpr.foreign_domid)) == NULL )
+            fd = get_pg_owner(xatpr.foreign_domid);
+            if ( fd == NULL )
              {
                  rcu_unlock_domain(d);
                  return -ESRCH;
              }
-            rcu_unlock_domain(fd);
          }
  
          if ( (rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d, fd)) )
          {
              rcu_unlock_domain(d);
+            if (fd)
+                put_pg_owner(fd);
              return rc;
          }
  
-        rc = xenmem_add_to_physmap_range(d, &xatpr);
+        rc = xenmem_add_to_physmap_range(d, &xatpr, fd);
  
          rcu_unlock_domain(d);
+        if (fd)
+            put_pg_owner(fd);
  
          if ( rc == -EAGAIN )
              rc = hypercall_create_continuation(
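Review bot: `fd` is now read on every path — passed to xsm_add_to_physmap at L159 and tested before put_pg_owner at L162 and L171 — while it is only assigned inside the `xatpr.space == XENMAPSPACE_gmfn_foreign` branch, so its declaration, which sits above the hunk, must initialise it to NULL; worth confirming since the hunk does not show it. The two new tests also break the `if ( x )` spacing used on every other conditional in this hunk; `if ( fd )` on L162 and L171. With the get_pg_owner() reference now held across both the XSM check and xenmem_add_to_physmap_range, the release sequence is duplicated at L161–L163 and L170–L172, and a single `out:` cleanup label would keep a future early return from leaking the reference. I cannot see get_pg_owner's body here; the `foreign_domid == DOMID_SELF` test removed from xenmem_add_foreign_to_pmap (hunk at L48) is only still covered if get_pg_owner resolves DOMID_SELF to the current domain, which the `currd == fdom` check then rejects — worth confirming.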
