From: Paul Durrant <Paul.Durrant@citrix.com>
To: 'Jan Beulich' <JBeulich@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
"Tim (Xen.org)" <tim@xen.org>,
George Dunlap <George.Dunlap@citrix.com>,
Julien Grall <julien.grall@arm.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
Ian Jackson <Ian.Jackson@citrix.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH v12 05/11] x86/mm: add HYPERVISOR_memory_op to acquire guest resources
Date: Mon, 30 Oct 2017 12:05:09 +0000
Message-ID: <0b37627274184e76865a0a73062f8c90@AMSPEX02CL03.citrite.net>
In-Reply-To: <59F21AC7020000780018A489@prv-mh.provo.novell.com>
> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: 26 October 2017 16:27
> To: Paul Durrant <Paul.Durrant@citrix.com>
> Cc: Julien Grall <julien.grall@arm.com>; Andrew Cooper
> <Andrew.Cooper3@citrix.com>; Wei Liu <wei.liu2@citrix.com>; George
> Dunlap <George.Dunlap@citrix.com>; Ian Jackson <Ian.Jackson@citrix.com>;
> Stefano Stabellini <sstabellini@kernel.org>; xen-devel@lists.xenproject.org;
> Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>; Daniel De Graaf
> <dgdegra@tycho.nsa.gov>; Tim (Xen.org) <tim@xen.org>
> Subject: Re: [PATCH v12 05/11] x86/mm: add HYPERVISOR_memory_op to
> acquire guest resources
>
> >>> On 17.10.17 at 15:24, <paul.durrant@citrix.com> wrote:
> > @@ -535,6 +588,48 @@ int compat_memory_op(unsigned int cmd,
> XEN_GUEST_HANDLE_PARAM(void) compat)
> > rc = -EFAULT;
> > break;
> >
> > + case XENMEM_acquire_resource:
> > + {
> > + const xen_ulong_t *xen_frame_list =
> > + (xen_ulong_t *)(nat.mar + 1);
> > + compat_ulong_t *compat_frame_list =
> > + (compat_ulong_t *)(nat.mar + 1);
> > +
> > + if ( cmp.mar.nr_frames == 0 )
>
> Doesn't this need to be compat_handle_is_null(cmp.mar.frame_list), or
> a combination of both?
Sorry, yes this was a hang-over from the old scheme.
>
> > + {
> > +
> DEFINE_XEN_GUEST_HANDLE(compat_mem_acquire_resource_t);
> > +
> > + if ( __copy_field_to_guest(
> > + guest_handle_cast(compat,
> > + compat_mem_acquire_resource_t),
> > + &cmp.mar, nr_frames) )
> > + return -EFAULT;
> > + }
> > + else
> > + {
> > + /*
> > + * NOTE: the smaller compat array overwrites the native
> > + * array.
> > + */
>
> I think I had already asked for a respective BUILD_BUG_ON().
You asked for the comment. I can't find where you asked for a BUILD_BUG_ON() but I can certainly add one.
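Review bot: in the else branch, where xen_frame_list and compat_frame_list both alias nat.mar + 1, nothing in the quoted lines guards against a frame value that does not fit in compat_ulong_t, so narrowing in place would silently truncate it and hand the compat caller a wrong frame number. Each element should be range-checked before it is stored, failing the call rather than truncating. The assumption behind the NOTE comment should also be enforced at build time, e.g. BUILD_BUG_ON(sizeof(compat_ulong_t) > sizeof(xen_ulong_t)), so that a later type change cannot make the in-place conversion clobber native entries that have not been read yet.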
>
> > --- a/xen/common/memory.c
> > +++ b/xen/common/memory.c
> > @@ -965,6 +965,95 @@ static long xatp_permission_check(struct domain
> *d, unsigned int space)
> > return xsm_add_to_physmap(XSM_TARGET, current->domain, d);
> > }
> >
> > +static int acquire_resource(
> > + XEN_GUEST_HANDLE_PARAM(xen_mem_acquire_resource_t) arg)
> > +{
> > + struct domain *d, *currd = current->domain;
> > + xen_mem_acquire_resource_t xmar;
> > + unsigned long mfn_list[2];
> > + int rc;
> > +
> > + if ( copy_from_guest(&xmar, arg, 1) )
> > + return -EFAULT;
> > +
> > + if ( xmar.pad != 0 )
> > + return -EINVAL;
> > +
> > + if ( guest_handle_is_null(xmar.frame_list) )
> > + {
> > + /* Special case for querying implementation limit */
> > + if ( xmar.nr_frames == 0 )
>
> Perhaps invert the condition to reduce ...
>
> > + {
> > + xmar.nr_frames = ARRAY_SIZE(mfn_list);
> > +
> > + if ( __copy_field_to_guest(arg, &xmar, nr_frames) )
> > + return -EFAULT;
> > +
> > + return 0;
> > + }
>
> ... overall indentation?
>
> > + return -EINVAL;
> > + }
> > +
> > + if ( xmar.nr_frames == 0 )
> > + return -EINVAL;
>
> Why? (Almost?) everywhere else zero counts are simply no-ops, which
> result in success returns.
Ok, I'll drop the check.
>
> > + if ( xmar.nr_frames > ARRAY_SIZE(mfn_list) )
> > + return -E2BIG;
> > +
> > + d = rcu_lock_domain_by_any_id(xmar.domid);
>
> This being a tools only interface, why "by_any_id" instead of
> "remote_domain_by_id"? In particular ...
>
> > + if ( d == NULL )
> > + return -ESRCH;
> > +
> > + rc = xsm_domain_resource_map(XSM_DM_PRIV, d);
>
> ... an unprivileged dm domain should probably not be permitted to
> invoke this on itself.
True.
>
> > + if ( rc )
> > + goto out;
> > +
> > + switch ( xmar.type )
> > + {
> > + default:
> > + rc = -EOPNOTSUPP;
> > + break;
> > + }
> > +
> > + if ( rc )
> > + goto out;
> > +
> > + if ( !paging_mode_translate(currd) )
> > + {
> > + if ( copy_to_guest(xmar.frame_list, mfn_list, xmar.nr_frames) )
> > + rc = -EFAULT;
> > + }
> > + else
> > + {
> > + xen_pfn_t gfn_list[ARRAY_SIZE(mfn_list)];
> > + unsigned int i;
> > +
> > + rc = -EFAULT;
> > + if ( copy_from_guest(gfn_list, xmar.frame_list, xmar.nr_frames) )
> > + goto out;
> > +
> > + for ( i = 0; i < xmar.nr_frames; i++ )
> > + {
> > + rc = set_foreign_p2m_entry(currd, gfn_list[i],
> > + _mfn(mfn_list[i]));
> > + if ( rc )
> > + {
> > + /*
> > + * Make sure rc is -EIO for any interation other than
> > + * the first.
>
> "iteration", but why is this important in the first place?
The header explains:
"If -EIO is returned then the frame_list has only been partially mapped and it is up to the caller to unmap all the GFNs."
Particularly, on ARM, set_foreign_p2m_entry() will always return -EOPNOTSUPP so I want to make sure that is returned.
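Review bot: mfn_list[2] is declared without an initialiser at the top of acquire_resource(), yet the non-translated path later does copy_to_guest(xmar.frame_list, mfn_list, xmar.nr_frames), so as soon as the switch on xmar.type gains a case that fills fewer than nr_frames entries, stale hypervisor stack contents would be copied out to the caller. Zero-initialise the array, or have each type handler report how many entries it wrote and copy only that many. Separately, xmar.id and xmar.frame are not validated anywhere in the visible lines; each case added to the switch will need to check them, and a comment at the switch saying so would help.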
>
> > --- a/xen/include/public/memory.h
> > +++ b/xen/include/public/memory.h
> > @@ -599,6 +599,47 @@ struct xen_reserved_device_memory_map {
> > typedef struct xen_reserved_device_memory_map
> > xen_reserved_device_memory_map_t;
> > DEFINE_XEN_GUEST_HANDLE(xen_reserved_device_memory_map_t);
> >
> > +/*
> > + * Get the pages for a particular guest resource, so that they can be
> > + * mapped directly by a tools domain.
> > + */
> > +#define XENMEM_acquire_resource 28
> > +struct xen_mem_acquire_resource {
> > + /* IN - the domain whose resource is to be mapped */
> > + domid_t domid;
> > + /* IN - the type of resource */
> > + uint16_t type;
> > + /*
> > + * IN - a type-specific resource identifier, which must be zero
> > + * unless stated otherwise.
> > + */
> > + uint32_t id;
> > + /* IN/OUT - As an IN parameter number of frames of the resource
> > + * to be mapped. However, if the specified value is 0 and
> > + * frame_list is NULL then this field will be set to the
> > + * maximum value supported by the implementation on return.
> > + */
> > + uint32_t nr_frames;
> > + uint32_t pad;
> > + /* IN - the index of the initial frame to be mapped. This parameter
> > + * is ignored if nr_frames is 0.
> > + */
> > + uint64_aligned_t frame;
> > + /* IN/OUT - If the tools domain is PV then, upon return, frame_list
> > + * will be populated with the MFNs of the resource.
> > + * If the tools domain is HVM then it is expected that, on
> > + * entry, frame_list will be populated with a list of GFNs
> > + * that will be mapped to the MFNs of the resource.
> > + * If -EIO is returned then the frame_list has only been
> > + * partially mapped and it is up to the caller to unmap all
> > + * the GFNs.
> > + * This parameter may be NULL if nr_frames is 0.
> > + */
> > + XEN_GUEST_HANDLE(xen_ulong_t) frame_list;
>
> This is still xen_ulong_t, which I can live with, but then you shouldn't
> copy into / out of arrays of other types in acquire_resource() (the
> more that this is common code, and iirc xen_ulong_t and
> unsigned long aren't the same thing on ARM32).
Given the weight of opinion, I'll change this to xen_pfn_t.
Paul
>
> Jan
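Review bot: the pad field in struct xen_mem_acquire_resource carries no comment, although acquire_resource() returns -EINVAL when xmar.pad != 0, so the header should state "IN - must be zero" for callers to rely on. The frame_list comment documents only the -EIO case; if the intended contract is that any other error means no GFN was mapped, say so there, since the caller's cleanup obligation depends on it. As a style point, the block comments for nr_frames, frame and frame_list start their text on the /* line, unlike the comment for id.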