From: George Dunlap <george.dunlap@eu.citrix.com>
To: xen-devel@lists.xen.org
Cc: George Dunlap <george.dunlap@eu.citrix.com>,
Jan Beulich <beulich@suse.com>, Keir Fraser <keir@xen.org>,
Tim Deegan <tim@xen.org>
Subject: [PATCH v15 04/19] pvh: Tolerate HVM guests having no ioreq page
Date: Mon, 11 Nov 2013 14:57:06 +0000 [thread overview]
Message-ID: <1384181841-22739-5-git-send-email-george.dunlap@eu.citrix.com> (raw)
In-Reply-To: <1384181841-22739-1-git-send-email-george.dunlap@eu.citrix.com>
PVH guests don't have a backing device model emulator (qemu); just
tolerate this situation explicitly, rather than special-casing PVH.
For unhandled IO, hvmemul_do_io() will now return X86EMUL_OKAY, which
is I believe what would be the effect if qemu didn't have a handler
for the IO.
This also fixes a potetial DoS in the host from the reworked series:
If the guest makes a hypercall which sends an invalidate request, it
would have crashed the host.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>
---
CC: Mukesh Rathor <mukesh.rathor@oracle.com>
CC: Jan Beulich <beulich@suse.com>
CC: Tim Deegan <tim@xen.org>
CC: Keir Fraser <keir@xen.org>
---
xen/arch/x86/hvm/emulate.c | 31 ++++++++++++++++++++++++++-----
xen/arch/x86/hvm/hvm.c | 11 ++++++++---
xen/arch/x86/hvm/io.c | 8 +++++---
xen/include/asm-x86/hvm/io.h | 2 +-
xen/include/asm-x86/hvm/support.h | 3 +--
5 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index f39c173..590dcfe 100644
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -58,10 +58,22 @@ static int hvmemul_do_io(
struct vcpu *curr = current;
struct hvm_vcpu_io *vio;
ioreq_t *p = get_ioreq(curr);
+ ioreq_t _ioreq;
unsigned long ram_gfn = paddr_to_pfn(ram_gpa);
p2m_type_t p2mt;
struct page_info *ram_page;
int rc;
+ int has_dm = 1;
+
+ /* Domains without a backing DM, don't have an ioreq page. Just
+ * point to a struct on the stack, initialising the state as
+ * needed. */
+ if ( !p )
+ {
+ has_dm = 0;
+ p = &_ioreq;
+ p->state = STATE_IOREQ_NONE;
+ }
/* Check for paged out page */
ram_page = get_page_from_gfn(curr->domain, ram_gfn, &p2mt, P2M_UNSHARE);
@@ -211,7 +223,7 @@ static int hvmemul_do_io(
p->state = STATE_IORESP_READY;
if ( !vio->mmio_retry )
{
- hvm_io_assist();
+ hvm_io_assist(p);
vio->io_state = HVMIO_none;
}
else
@@ -219,11 +231,20 @@ static int hvmemul_do_io(
vio->io_state = HVMIO_handle_mmio_awaiting_completion;
break;
case X86EMUL_UNHANDLEABLE:
- rc = X86EMUL_RETRY;
- if ( !hvm_send_assist_req(curr) )
- vio->io_state = HVMIO_none;
- else if ( p_data == NULL )
+ /* If there is no backing DM, just ignore accesses */
+ if ( !has_dm )
+ {
rc = X86EMUL_OKAY;
+ vio->io_state = HVMIO_none;
+ }
+ else
+ {
+ rc = X86EMUL_RETRY;
+ if ( !hvm_send_assist_req(curr) )
+ vio->io_state = HVMIO_none;
+ else if ( p_data == NULL )
+ rc = X86EMUL_OKAY;
+ }
break;
default:
BUG();
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 85f9857..7aa1e8a 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -347,13 +347,15 @@ void hvm_do_resume(struct vcpu *v)
check_wakeup_from_wait();
/* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
- p = get_ioreq(v);
+ if ( !(p = get_ioreq(v)) )
+ goto check_inject_trap;
+
while ( p->state != STATE_IOREQ_NONE )
{
switch ( p->state )
{
case STATE_IORESP_READY: /* IORESP_READY -> NONE */
- hvm_io_assist();
+ hvm_io_assist(p);
break;
case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
case STATE_IOREQ_INPROCESS:
@@ -368,6 +370,7 @@ void hvm_do_resume(struct vcpu *v)
}
}
+ check_inject_trap:
/* Inject pending hw/sw trap */
if ( v->arch.hvm_vcpu.inject_trap.vector != -1 )
{
@@ -1227,7 +1230,9 @@ bool_t hvm_send_assist_req(struct vcpu *v)
if ( unlikely(!vcpu_start_shutdown_deferral(v)) )
return 0; /* implicitly bins the i/o operation */
- p = get_ioreq(v);
+ if ( !(p = get_ioreq(v)) )
+ return 0;
+
if ( unlikely(p->state != STATE_IOREQ_NONE) )
{
/* This indicates a bug in the device model. Crash the domain. */
diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index feb0406..0389c56 100644
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -150,7 +150,10 @@ void send_timeoffset_req(unsigned long timeoff)
void send_invalidate_req(void)
{
struct vcpu *v = current;
- ioreq_t *p = get_ioreq(v);
+ ioreq_t *p;
+
+ if ( !(p = get_ioreq(v)) )
+ return;
if ( p->state != STATE_IOREQ_NONE )
{
@@ -262,11 +265,10 @@ int handle_pio(uint16_t port, unsigned int size, int dir)
return 1;
}
-void hvm_io_assist(void)
+void hvm_io_assist(ioreq_t *p)
{
struct vcpu *curr = current;
struct hvm_vcpu_io *vio = &curr->arch.hvm_vcpu.hvm_io;
- ioreq_t *p = get_ioreq(curr);
enum hvm_io_state io_state;
rmb(); /* see IORESP_READY /then/ read contents of ioreq */
diff --git a/xen/include/asm-x86/hvm/io.h b/xen/include/asm-x86/hvm/io.h
index b0718b8..6f4cb96 100644
--- a/xen/include/asm-x86/hvm/io.h
+++ b/xen/include/asm-x86/hvm/io.h
@@ -121,7 +121,7 @@ int handle_mmio(void);
int handle_mmio_with_translation(unsigned long gva, unsigned long gpfn);
int handle_pio(uint16_t port, unsigned int size, int dir);
void hvm_interrupt_post(struct vcpu *v, int vector, int type);
-void hvm_io_assist(void);
+void hvm_io_assist(ioreq_t *p);
void hvm_dpci_eoi(struct domain *d, unsigned int guest_irq,
union vioapic_redir_entry *ent);
diff --git a/xen/include/asm-x86/hvm/support.h b/xen/include/asm-x86/hvm/support.h
index 52aef1f..3529499 100644
--- a/xen/include/asm-x86/hvm/support.h
+++ b/xen/include/asm-x86/hvm/support.h
@@ -32,8 +32,7 @@ static inline ioreq_t *get_ioreq(struct vcpu *v)
struct domain *d = v->domain;
shared_iopage_t *p = d->arch.hvm_domain.ioreq.va;
ASSERT((v == current) || spin_is_locked(&d->arch.hvm_domain.ioreq.lock));
- ASSERT(d->arch.hvm_domain.ioreq.va != NULL);
- return &p->vcpu_ioreq[v->vcpu_id];
+ return p ? &p->vcpu_ioreq[v->vcpu_id] : NULL;
}
#define HVM_DELIVER_NO_ERROR_CODE -1
--
1.7.9.5
next prev parent reply other threads:[~2013-11-11 14:57 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-11 14:57 [PATCH v15 00/18] Introduce PVH domU support George Dunlap
2013-11-11 14:57 ` [PATCH v15 01/19] Allow vmx_update_debug_state to be called when v!=current George Dunlap
2013-11-11 14:57 ` [PATCH v15 02/19] libxc: Move temporary grant table mapping to end of memory George Dunlap
2013-11-11 14:57 ` [PATCH v15 03/19] pvh prep: code motion George Dunlap
2013-11-11 14:57 ` George Dunlap [this message]
2013-11-11 14:57 ` [PATCH v15 05/19] pvh prep: Introduce pv guest type and has_hvm_container macros George Dunlap
2013-11-12 13:34 ` Jan Beulich
2013-11-12 15:12 ` George Dunlap
2013-11-11 14:57 ` [PATCH v15 06/19] pvh: Introduce PVH guest type George Dunlap
2013-11-11 14:57 ` [PATCH v15 07/19] pvh: Disable unneeded features of HVM containers George Dunlap
2013-11-12 13:51 ` Jan Beulich
2013-11-12 14:56 ` George Dunlap
2013-11-12 15:03 ` Jan Beulich
2013-11-12 15:08 ` George Dunlap
2013-11-11 14:57 ` [PATCH v15 08/19] pvh: vmx-specific changes George Dunlap
2013-11-12 14:03 ` Jan Beulich
2013-11-12 15:06 ` George Dunlap
2013-11-12 15:24 ` Jan Beulich
2013-11-11 14:57 ` [PATCH v15 09/19] pvh: Do not allow PVH guests to change paging modes George Dunlap
2013-11-11 14:57 ` [PATCH v15 10/19] pvh: PVH access to hypercalls George Dunlap
2013-11-11 14:57 ` [PATCH v15 11/19] pvh: Use PV e820 George Dunlap
2013-11-11 14:57 ` [PATCH v15 12/19] pvh: Set up more PV stuff in set_info_guest George Dunlap
2013-11-11 14:57 ` [PATCH v15 13/19] pvh: PV cpuid George Dunlap
2013-11-11 14:57 ` [PATCH v15 14/19] pvh: Use PV handlers for PIO George Dunlap
2013-11-12 14:33 ` Jan Beulich
2013-11-12 16:54 ` George Dunlap
2013-11-12 17:00 ` Jan Beulich
2013-11-11 14:57 ` [PATCH v15 15/19] pvh: Disable 32-bit guest support for now George Dunlap
2013-11-11 14:57 ` [PATCH v15 16/19] pvh: Restrict tsc_mode to NEVER_EMULATE " George Dunlap
2013-11-11 14:57 ` [PATCH v15 17/19] pvh: Documentation George Dunlap
2013-11-11 14:57 ` [PATCH v15 18/19] pvh tools: libxc changes to build a PVH guest George Dunlap
2013-11-12 11:33 ` Ian Jackson
2013-11-11 14:57 ` [PATCH v15 19/19] pvh tools: libxl changes to create " George Dunlap
2013-11-12 11:38 ` Ian Jackson
2013-11-11 15:30 ` [PATCH v15 00/18] Introduce PVH domU support George Dunlap
2013-11-11 17:17 ` Keir Fraser
2013-11-12 7:19 ` Dong, Eddie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1384181841-22739-5-git-send-email-george.dunlap@eu.citrix.com \
--to=george.dunlap@eu.citrix.com \
--cc=beulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).