From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH] x86/mm: re-implement get_page_light() using an atomic increment
Date: Mon, 4 Mar 2024 09:50:07 +0100 [thread overview]
Message-ID: <ZeWLP14w8UUeVncq@macbook> (raw)
In-Reply-To: <6796aeba-52a2-426b-94e5-1852946dce98@suse.com>
On Mon, Mar 04, 2024 at 08:54:34AM +0100, Jan Beulich wrote:
> On 01.03.2024 13:42, Roger Pau Monne wrote:
> > The current usage of a cmpxchg loop to increase the value of page count is not
> > optimal on amd64, as there's already an instruction to do an atomic add to a
> > 64bit integer.
> >
> > Switch the code in get_page_light() to use an atomic increment, as that avoids
> > a loop construct. This slightly changes the order of the checks, as current
> > code will crash before modifying the page count_info if the conditions are not
> > correct, while with the proposed change the crash will happen immediately
> > after having carried the counter increase. Since we are crashing anyway, I
> > don't believe the re-ordering to have any meaningful impact.
>
> While I consider this argument fine for ...
>
> > --- a/xen/arch/x86/mm.c
> > +++ b/xen/arch/x86/mm.c
> > @@ -2580,16 +2580,10 @@ bool get_page(struct page_info *page, const struct domain *domain)
> > */
> > static void get_page_light(struct page_info *page)
> > {
> > - unsigned long x, nx, y = page->count_info;
> > + unsigned long old_pgc = arch_fetch_and_add(&page->count_info, 1);
> >
> > - do {
> > - x = y;
> > - nx = x + 1;
> > - BUG_ON(!(x & PGC_count_mask)); /* Not allocated? */
>
> ... this check, I'm afraid ...
>
> > - BUG_ON(!(nx & PGC_count_mask)); /* Overflow? */
>
> ... this is a problem unless we discount the possibility of an overflow
> happening in practice: If an overflow was detected only after the fact,
> there would be a window in time where privilege escalation was still
> possible from another CPU. IOW at the very least the description will
> need extending further. Personally I wouldn't chance it and leave this
> as a loop.
So you are worried because this could potentially turn a DoS into an
information leak during the brief period of time where the page
counter has overflowed into the PGC state.
My understating is the BUG_ON() was a mere protection against bad code
that could mess with the counter, but that the counter overflowing is
not a real issue during normal operation.
Thanks, Roger.
next prev parent reply other threads:[~2024-03-04 8:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-01 12:42 [PATCH] x86/mm: re-implement get_page_light() using an atomic increment Roger Pau Monne
2024-03-01 15:06 ` Andrew Cooper
2024-03-04 7:54 ` Jan Beulich
2024-03-04 8:50 ` Roger Pau Monné [this message]
2024-03-04 8:54 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZeWLP14w8UUeVncq@macbook \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.