From: "Chen, Tiejun" <tiejun.chen@intel.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: yang.z.zhang@intel.com, kevin.tian@intel.com, tim@xen.org,
xen-devel@lists.xen.org
Subject: Re: [v7][RFC][PATCH 01/13] xen: RMRR fix
Date: Thu, 30 Oct 2014 16:21:47 +0800 [thread overview]
Message-ID: <5451F51B.6080700@intel.com> (raw)
In-Reply-To: <5450B7510200007800042FF1@mail.emea.novell.com>
On 2014/10/29 16:45, Jan Beulich wrote:
>>>> On 29.10.14 at 03:51, <tiejun.chen@intel.com> wrote:
>> On 2014/10/29 8:48, Chen, Tiejun wrote:
>>> On 2014/10/28 17:34, Jan Beulich wrote:
>>>>>>> On 28.10.14 at 09:36, <tiejun.chen@intel.com> wrote:
>>>>> On 2014/10/27 17:41, Jan Beulich wrote:
>>>>>>>>> On 27.10.14 at 03:00, <tiejun.chen@intel.com> wrote:
>>>>>>> n 2014/10/24 18:52, Jan Beulich wrote:
>>>>>>>>>>> On 24.10.14 at 09:34, <tiejun.chen@intel.com> wrote:
>>>>>>>>> Now in our case we add a rule:
>>>>>>>>> - if p2m_access_n is set we also set this mapping.
>>>>>>>>
>>>>>>>> Does that not conflict with eventual use mem-access makes of this
>>>>>>>> type?
>>>>>
>>>>> Do you mean what will happen after we reset these ranges as
>>>>> p2m_access_rw? We already reserve these ranges guest shouldn't access
>>>>> these range actually. And a guest still maliciously access them, that
>>>>> device may not work well.
>>>>
>>>> mem-access is functionality used by a control domain, not the domain
>>>
>>> I really don't know this mechanism so thanks for your good coverage.
>>>
>>>> itself. You need to make sure that neither your use of p2m_access_n
>>>> can confuse the mem-access code, nor that their use can confuse you.
>>>
>>> Absolutely, but I think I need to know more about mem-access firstly.
>>>
>>
>> I think these reserved device memory shouldn't be pocked since any write
>> may affect device. Even, what if a device with RMRR isn't assign current
>> domain? And read also should not be allowed since this still may
>> introduce some potential unexpected behavior to device.
>>
>> So if mem_access is trying to access those RMRR range, could we let
>> mem_access exit directly with some message? I mean we can check if we're
>> accessing those RMRR ranges in case of XENMEM_access_op_set_access.
>
> Sounds reasonable at first glance.
>
I think we just guarantee no one set mem_access for those ranges, but
its fine to get mem_access:
diff --git a/xen/common/mem_access.c b/xen/common/mem_access.c
index 6c2724b..4c84f88 100644
--- a/xen/common/mem_access.c
+++ b/xen/common/mem_access.c
@@ -55,6 +55,31 @@ void mem_access_resume(struct domain *d)
}
}
+/* We can't expose reserved device memory. */
+static int mem_access_check_rdm(struct domain *d, uint64_aligned_t start,
+ uint32_t nr)
+{
+ uint32_t i;
+ uint64_aligned_t gfn;
+ int rc = 0;
+
+ if ( !is_hardware_domain(d) )
+ {
+ for ( i = 0; i < nr; i++ )
+ {
+ gfn = start + i;
+ rc =
iommu_get_reserved_device_memory(p2m_check_reserved_device_memory,
+ &gfn);
+ if ( rc < 0 )
+ printk(XENLOG_WARNING
+ "Domain %d can't check reserved device memory.\n",
+ d->domain_id);
+ }
+ }
+
+ return rc;
+}
+
int mem_access_memop(unsigned long cmd,
XEN_GUEST_HANDLE_PARAM(xen_mem_access_op_t) arg)
{
@@ -99,6 +124,15 @@ int mem_access_memop(unsigned long cmd,
((mao.pfn + mao.nr - 1) > domain_get_maximum_gpfn(d))) )
break;
+ rc = mem_access_check_rdm(d, mao.pfn, mao.nr);
+ if ( rc == 1 )
+ {
+ printk(XENLOG_WARNING
+ "Domain %d: we shouldn't mem_access reserved device
memory.\n",
+ d->domain_id);
+ break;
+ }
+
rc = p2m_set_mem_access(d, mao.pfn, mao.nr, start_iter,
MEMOP_CMD_MASK, mao.access);
if ( rc > 0 )
Thanks
Tiejun
next prev parent reply other threads:[~2014-10-30 8:21 UTC|newest]
Thread overview: 180+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-24 7:34 [v7][RFC][PATCH 01/13] xen: RMRR fix Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 01/13] introduce XENMEM_reserved_device_memory_map Tiejun Chen
2014-10-24 14:11 ` Jan Beulich
2014-10-27 2:11 ` Chen, Tiejun
2014-10-27 2:18 ` Chen, Tiejun
2014-10-27 9:42 ` Jan Beulich
2014-10-28 2:22 ` Chen, Tiejun
2014-10-27 13:35 ` Julien Grall
2014-10-28 2:35 ` Chen, Tiejun
2014-10-28 10:36 ` Jan Beulich
2014-10-29 0:40 ` Chen, Tiejun
2014-10-29 8:53 ` Jan Beulich
2014-10-30 2:53 ` Chen, Tiejun
2014-10-30 9:10 ` Jan Beulich
2014-10-31 1:03 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 02/13] tools/libxc: introduce hypercall for xc_reserved_device_memory_map Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 03/13] tools/libxc: check if modules space is overlapping with reserved device memory Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 04/13] hvmloader/util: get reserved device memory maps Tiejun Chen
2014-10-24 14:22 ` Jan Beulich
2014-10-27 3:12 ` Chen, Tiejun
2014-10-27 9:45 ` Jan Beulich
2014-10-28 5:21 ` Chen, Tiejun
2014-10-28 9:48 ` Jan Beulich
2014-10-29 6:54 ` Chen, Tiejun
2014-10-29 9:05 ` Jan Beulich
2014-10-30 5:55 ` Chen, Tiejun
2014-10-30 9:13 ` Jan Beulich
2014-10-31 2:20 ` Chen, Tiejun
2014-10-31 8:14 ` Jan Beulich
2014-11-03 2:22 ` Chen, Tiejun
2014-11-03 8:53 ` Jan Beulich
2014-11-03 9:32 ` Chen, Tiejun
2014-11-03 9:45 ` Jan Beulich
2014-11-03 9:55 ` Chen, Tiejun
2014-11-03 10:02 ` Jan Beulich
2014-11-21 6:26 ` Chen, Tiejun
2014-11-21 7:43 ` Tian, Kevin
2014-11-21 7:54 ` Jan Beulich
2014-11-21 8:01 ` Tian, Kevin
2014-11-21 8:54 ` Chen, Tiejun
2014-11-21 9:33 ` Jan Beulich
2014-10-24 14:27 ` Jan Beulich
2014-10-27 5:07 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 05/13] hvmloader/mmio: reconcile guest mmio with reserved device memory Tiejun Chen
2014-10-24 14:42 ` Jan Beulich
2014-10-27 7:12 ` Chen, Tiejun
2014-10-27 9:56 ` Jan Beulich
2014-10-28 7:11 ` Chen, Tiejun
2014-10-28 9:56 ` Jan Beulich
2014-10-29 7:03 ` Chen, Tiejun
2014-10-29 9:08 ` Jan Beulich
2014-10-30 3:18 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 06/13] hvmloader/ram: check if guest memory is out of reserved device memory maps Tiejun Chen
2014-10-24 14:56 ` Jan Beulich
2014-10-27 8:09 ` Chen, Tiejun
2014-10-27 10:17 ` Jan Beulich
2014-10-28 7:47 ` Chen, Tiejun
2014-10-28 10:06 ` Jan Beulich
2014-10-29 7:43 ` Chen, Tiejun
2014-10-29 9:15 ` Jan Beulich
2014-10-30 3:11 ` Chen, Tiejun
2014-10-30 9:20 ` Jan Beulich
2014-10-31 5:41 ` Chen, Tiejun
2014-10-31 6:21 ` Tian, Kevin
2014-10-31 7:02 ` Chen, Tiejun
2014-10-31 8:20 ` Jan Beulich
2014-11-03 5:49 ` Chen, Tiejun
2014-11-03 8:56 ` Jan Beulich
2014-11-03 9:40 ` Chen, Tiejun
2014-11-03 9:51 ` Jan Beulich
2014-11-03 11:32 ` Chen, Tiejun
2014-11-03 11:43 ` Jan Beulich
2014-11-03 11:58 ` Chen, Tiejun
2014-11-03 12:34 ` Jan Beulich
2014-11-04 5:05 ` Chen, Tiejun
2014-11-04 7:54 ` Jan Beulich
2014-11-05 2:59 ` Chen, Tiejun
2014-11-05 17:00 ` Jan Beulich
2014-11-06 9:28 ` Chen, Tiejun
2014-11-06 10:06 ` Jan Beulich
2014-11-07 10:27 ` Chen, Tiejun
2014-11-07 11:08 ` Jan Beulich
2014-11-11 6:32 ` Chen, Tiejun
2014-11-11 7:49 ` Chen, Tiejun
2014-11-11 9:03 ` Jan Beulich
2014-11-11 9:06 ` Jan Beulich
2014-11-11 9:42 ` Chen, Tiejun
2014-11-11 10:07 ` Jan Beulich
2014-11-12 1:36 ` Chen, Tiejun
2014-11-12 8:37 ` Jan Beulich
2014-11-12 8:45 ` Chen, Tiejun
2014-11-12 9:02 ` Jan Beulich
2014-11-12 9:13 ` Chen, Tiejun
2014-11-12 9:56 ` Jan Beulich
2014-11-12 10:18 ` Chen, Tiejun
2014-11-19 8:17 ` Tian, Kevin
2014-11-20 7:45 ` Tian, Kevin
2014-11-20 8:04 ` Jan Beulich
2014-11-20 8:51 ` Tian, Kevin
2014-11-20 14:40 ` Tian, Kevin
2014-11-20 14:46 ` Jan Beulich
2014-11-20 20:11 ` Konrad Rzeszutek Wilk
2014-11-21 0:32 ` Tian, Kevin
2014-11-12 3:05 ` Chen, Tiejun
2014-11-12 8:55 ` Jan Beulich
2014-11-12 10:18 ` Chen, Tiejun
2014-11-12 10:24 ` Jan Beulich
2014-11-12 10:32 ` Chen, Tiejun
2014-11-13 3:09 ` Chen, Tiejun
2014-11-14 2:21 ` Chen, Tiejun
2014-11-14 8:21 ` Jan Beulich
2014-11-17 7:31 ` Chen, Tiejun
2014-11-17 7:57 ` Chen, Tiejun
2014-11-17 10:05 ` Jan Beulich
2014-11-17 11:08 ` Chen, Tiejun
2014-11-17 11:17 ` Jan Beulich
2014-11-17 11:32 ` Chen, Tiejun
2014-11-17 11:51 ` Jan Beulich
2014-11-18 3:08 ` Chen, Tiejun
2014-11-18 8:01 ` Jan Beulich
2014-11-18 8:16 ` Chen, Tiejun
2014-11-18 9:33 ` Jan Beulich
2014-11-19 1:26 ` Chen, Tiejun
2014-11-20 7:31 ` Jan Beulich
2014-11-20 8:12 ` Chen, Tiejun
2014-11-20 8:59 ` Jan Beulich
2014-11-20 10:28 ` Chen, Tiejun
2014-11-11 8:59 ` Jan Beulich
2014-11-11 9:35 ` Chen, Tiejun
2014-11-11 9:42 ` Jan Beulich
2014-11-11 9:51 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 07/13] xen/x86/p2m: introduce p2m_check_reserved_device_memory Tiejun Chen
2014-10-24 15:02 ` Jan Beulich
2014-10-27 8:50 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 08/13] xen/x86/p2m: set p2m_access_n for reserved device memory mapping Tiejun Chen
2014-10-24 15:11 ` Jan Beulich
2014-10-27 9:05 ` Chen, Tiejun
2014-10-27 10:33 ` Jan Beulich
2014-10-28 8:26 ` Chen, Tiejun
2014-10-28 10:12 ` Jan Beulich
2014-10-29 8:20 ` Chen, Tiejun
2014-10-29 9:20 ` Jan Beulich
2014-10-30 7:39 ` Chen, Tiejun
2014-10-30 9:24 ` Jan Beulich
2014-10-31 2:50 ` Chen, Tiejun
2014-10-31 8:25 ` Jan Beulich
2014-11-03 6:20 ` Chen, Tiejun
2014-11-03 9:00 ` Jan Beulich
2014-11-03 9:51 ` Chen, Tiejun
2014-11-03 10:03 ` Jan Beulich
2014-11-03 11:48 ` Chen, Tiejun
2014-11-03 11:53 ` Jan Beulich
2014-11-04 1:35 ` Chen, Tiejun
2014-11-04 8:02 ` Jan Beulich
2014-11-04 10:41 ` Chen, Tiejun
2014-11-04 11:41 ` Jan Beulich
2014-11-04 11:51 ` Chen, Tiejun
2014-10-24 7:34 ` [v7][RFC][PATCH 09/13] xen/x86/ept: handle reserved device memory in ept_handle_violation Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 10/13] xen/x86/p2m: introduce set_identity_p2m_entry Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 11/13] xen:vtd: create RMRR mapping Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 12/13] xen/vtd: re-enable USB device assignment Tiejun Chen
2014-10-24 7:34 ` [v7][RFC][PATCH 13/13] xen/vtd: group assigned device with RMRR Tiejun Chen
2014-10-24 10:52 ` [v7][RFC][PATCH 01/13] xen: RMRR fix Jan Beulich
2014-10-27 2:00 ` Chen, Tiejun
2014-10-27 9:41 ` Jan Beulich
2014-10-28 8:36 ` Chen, Tiejun
2014-10-28 9:34 ` Jan Beulich
2014-10-28 9:39 ` Razvan Cojocaru
2014-10-29 0:51 ` Chen, Tiejun
2014-10-29 0:48 ` Chen, Tiejun
2014-10-29 2:51 ` Chen, Tiejun
2014-10-29 8:45 ` Jan Beulich
2014-10-30 8:21 ` Chen, Tiejun [this message]
2014-10-30 9:07 ` Jan Beulich
2014-10-31 3:11 ` Chen, Tiejun
2014-10-29 8:44 ` Jan Beulich
2014-10-30 2:51 ` Chen, Tiejun
2014-10-30 22:15 ` Tim Deegan
2014-10-31 2:53 ` Chen, Tiejun
2014-10-31 9:10 ` Tim Deegan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5451F51B.6080700@intel.com \
--to=tiejun.chen@intel.com \
--cc=JBeulich@suse.com \
--cc=kevin.tian@intel.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
--cc=yang.z.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).