From: David Vrabel <david.vrabel@citrix.com>
To: Ian Campbell <Ian.Campbell@citrix.com>,
David Vrabel <david.vrabel@citrix.com>
Cc: xen-devel@lists.xenproject.org,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Jenny Herbert <jennifer.herbert@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: Re: [PATCH 11/12] xen/gntdev: mark userspace PTEs as special on x86 PV guests
Date: Wed, 7 Jan 2015 13:23:37 +0000
Message-ID: <54AD3359.4000004@citrix.com>
In-Reply-To: <1420632674.18631.66.camel@citrix.com>

On 07/01/15 12:11, Ian Campbell wrote:
> On Tue, 2015-01-06 at 18:57 +0000, David Vrabel wrote:
>> In an x86 PV guest, get_user_pages_fast() on a userspace address range
>> containing foreign mappings does not work correctly because the M2P
>> lookup of the MFN from a userspace PTE may return the wrong page.
>>
>> Force get_user_pages_fast() to fail on such addresses by marking the PTEs
>> as special.
>>
>> If Xen has XENFEAT_gnttab_map_avail_bits (available since at least
>> 4.0),
>
> http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix says the dom0
> pvpops already requires >= 4.0 too, which matches my recollection
> (something to do with a new APIC interface which upstream insisted on
> during upstreaming, IIRC), but both could be out of date...

gntdev is usable by driver domains and useful for inter-domain comms so
it isn't limited to dom0 use only and Linux still needs to run on Xen
3.2 (I think that's the oldest still available on AWS).

Because of the m2p override limitation, gntdev is currently unsafe[1] to
use by untrusted userspace apps so there's no (new) security issues here.

However, we could disable gntdev if this feature is missing unless
overridden by a module option. Opinions on this?

David

[1] mapping a ref twice or two refs for the same frame can corrupt
kernel state in various exciting ways because of messed up page ref counts.