From: Julien Grall <julien.grall@linaro.org>
To: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: "paolo.valente@unimore.it" <paolo.valente@unimore.it>,
Keir Fraser <keir@xen.org>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Tim Deegan <tim@xen.org>,
Dario Faggioli <dario.faggioli@citrix.com>,
"xen.org" <Ian.Jackson@eu.citrix.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Julien Grall <julien.grall@citrix.com>,
Eric Trudeau <etrudeau@broadcom.com>,
Jan Beulich <JBeulich@suse.com>,
Arianna Avanzini <avanzini.arianna@gmail.com>,
"viktor.kleinik@globallogic.com" <viktor.kleinik@globallogic.com>
Subject: Re: [PATCH v4 4/7] xen, common: add the XEN_DOMCTL_memory_mapping hypercall
Date: Tue, 01 Apr 2014 17:00:43 +0100 [thread overview]
Message-ID: <533AE2AB.1080404@linaro.org> (raw)
In-Reply-To: <1396366745.8667.246.camel@kazak.uk.xensource.com>
On 04/01/2014 04:39 PM, Ian Campbell wrote:
> On Tue, 2014-04-01 at 16:16 +0100, Julien Grall wrote:
>> On 04/01/2014 03:52 PM, Ian Campbell wrote:
>>> On Tue, 2014-03-25 at 13:17 +0000, Julien Grall wrote:
>>>>> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
>>>>> index 7cf610a..ae120d9 100644
>>>>> --- a/xen/common/domctl.c
>>>>> +++ b/xen/common/domctl.c
>>>>> @@ -818,6 +818,71 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
>>>>> }
>>>>> break;
>>>>>
>>>>> + case XEN_DOMCTL_memory_mapping:
>>>>> + {
>>>>> + unsigned long gfn = op->u.memory_mapping.first_gfn;
>>>>> + unsigned long mfn = op->u.memory_mapping.first_mfn;
>>>>> + unsigned long nr_mfns = op->u.memory_mapping.nr_mfns;
>>>>> + unsigned long mfn_end = mfn + nr_mfns;
>>>>> + unsigned long gfn_end = gfn + nr_mfns;
>>>>> + int add = op->u.memory_mapping.add_mapping;
>>>>> +
>>>>> + ret = -EINVAL;
>>>>> + if ( (mfn_end - 1) < mfn || /* wrap? */
>>>>> + ((mfn | (mfn_end - 1)) >> (paddr_bits - PAGE_SHIFT)) ||
>>>>> + (gfn_end - 1) < gfn ) /* wrap? */
>>>>> + return ret;
>>>>
>>>>
>>>> Would not it be better to only rely on the GFN when the toolstack is
>>>> removing the mapping?
>>>
>>> I'm not sure I get what you mean, the gfn is an input to add as well.
>>>
>>>> I know this is not the previous behavior, but most of the hypercall
>>>> which deal with removing mapping only take GFN.
>>>
>>> Regardless of my confusion above any semantic change should be done
>>> separately from the move of the code from x86 to generic and whatever
>>> minor updates that entails for the ARM case.
>>
>>
>> I didn't intend to ask "remove the field mfn". When a mapping is
>> removed, the MFN is useless because we can retrieve it from the GFN.
>>
>> It won't impact x86, because removing a GFN that doesn't have mapping
>> should also fail.
>>
>> When I was reading the code, x86 seems to lack of some check during
>> the removing part: a privileged guest (e.g a domain that have permission
>> to remove a MMIO range) can remove any MMIO range as long as the
>> MFN is in the permitted range. So the MFN may not be mapped to the GFN.
>>
>> This will result to a mismatch between the actually mapped MFN
>> and the permitted range.
>
> Is the solution to that not to add the checks rather than remove them?
Which check? To give an example:
In the p2m we have this list of directly MMIO
gfn 0xab => mfn 0x2b
gfn 0xac => mfn 0x2c
gfn 0xad => mfn 0x3b
gfn 0xae => mfn 0x3c
The current domain as permission on: 0x2b-0x2c
It's valid (but wrong) to call DOMCTL_memory_mapping with:
add = 0
gfn = 0xac
mfn = 0x2b
nr_mfns = 1
As you can see mfn doesn't match the gfn, but the code will let you do that.
What I suggest is two have something similar to:
for (i = 0; i < nr_mfns; i++)
{
mfn = p2m_lookup(d, gfn);
clear p2m
remove rigth
}
--
Julien Grall
next prev parent reply other threads:[~2014-04-01 16:00 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-25 2:02 [PATCH v4 0/7] Implement the XEN_DOMCTL_memory_mapping hypercall for ARM Arianna Avanzini
2014-03-25 2:02 ` [PATCH v4 1/7] arch, arm: domain build: let dom0 access I/O memory of mapped devices Arianna Avanzini
2014-03-25 12:37 ` Julien Grall
2014-03-25 2:02 ` [PATCH v4 2/7] arch, arm: add consistency checks to REMOVE p2m changes Arianna Avanzini
2014-03-25 12:18 ` Stefano Stabellini
2014-03-25 12:51 ` Julien Grall
2014-03-25 13:10 ` Julien Grall
2014-03-25 17:41 ` Ian Campbell
2014-03-25 2:02 ` [PATCH v4 3/7] arch, arm: let map_mmio_regions() take pfn as parameters Arianna Avanzini
2014-03-25 12:22 ` Stefano Stabellini
2014-03-25 12:54 ` Julien Grall
2014-03-28 12:51 ` Arianna Avanzini
2014-03-28 13:31 ` Julien Grall
2014-03-25 13:00 ` Julien Grall
2014-03-25 2:02 ` [PATCH v4 4/7] xen, common: add the XEN_DOMCTL_memory_mapping hypercall Arianna Avanzini
2014-03-25 9:33 ` Jan Beulich
2014-03-28 13:24 ` Arianna Avanzini
2014-03-28 13:30 ` Jan Beulich
2014-03-25 12:35 ` Stefano Stabellini
2014-03-25 14:10 ` Jan Beulich
2014-03-25 15:10 ` Stefano Stabellini
2014-03-25 15:36 ` Jan Beulich
2014-03-25 15:42 ` Stefano Stabellini
2014-04-01 15:01 ` Ian Campbell
2014-04-01 15:18 ` Jan Beulich
2014-04-01 15:37 ` Ian Campbell
2014-03-25 13:17 ` Julien Grall
2014-04-01 14:52 ` Ian Campbell
2014-04-01 15:16 ` Julien Grall
2014-04-01 15:39 ` Ian Campbell
2014-04-01 16:00 ` Julien Grall [this message]
2014-04-02 9:43 ` Ian Campbell
2014-04-02 10:06 ` Jan Beulich
2014-04-02 10:19 ` Ian Campbell
2014-04-02 10:53 ` Jan Beulich
2014-04-05 12:08 ` Arianna Avanzini
2014-04-06 16:23 ` Stefano Stabellini
2014-04-07 7:01 ` Jan Beulich
2014-03-25 2:02 ` [PATCH v4 5/7] tools, libxl: parse optional start gfn from the iomem config option Arianna Avanzini
2014-03-25 15:39 ` Julien Grall
2014-03-25 15:45 ` Julien Grall
2014-03-25 16:27 ` Ian Campbell
2014-03-25 2:02 ` [PATCH v4 6/7] tools, libxl: add helpers to establish if guest is auto-translated Arianna Avanzini
2014-03-25 2:02 ` [PATCH v4 7/7] tools, libxl: handle the iomem parameter with the memory_mapping hcall Arianna Avanzini
2014-04-01 15:13 ` Ian Campbell
2014-04-01 15:26 ` Julien Grall
2014-04-01 15:34 ` Ian Campbell
2014-04-01 20:52 ` Daniel De Graaf
2014-04-02 9:45 ` Ian Campbell
2014-04-02 14:14 ` Daniel De Graaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=533AE2AB.1080404@linaro.org \
--to=julien.grall@linaro.org \
--cc=Ian.Campbell@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=avanzini.arianna@gmail.com \
--cc=dario.faggioli@citrix.com \
--cc=etrudeau@broadcom.com \
--cc=julien.grall@citrix.com \
--cc=keir@xen.org \
--cc=paolo.valente@unimore.it \
--cc=stefano.stabellini@eu.citrix.com \
--cc=tim@xen.org \
--cc=viktor.kleinik@globallogic.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.