From: George Dunlap <george.dunlap@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
xen-devel <xen-devel@lists.xenproject.org>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
tamas@tklengyel.com, Tim Deegan <tim@xen.org>
Subject: Re: [PATCH 5/6] x86/mm: clean up SHARED_M2P{, _ENTRY} uses
Date: Tue, 12 Dec 2017 17:50:01 +0000
Message-ID: <99bcb464-4c17-88ee-bf4c-c1f8c7c1db05@citrix.com>
In-Reply-To: <5A2FFEF40200007800196E31@prv-mh.provo.novell.com>
On 12/12/2017 03:08 PM, Jan Beulich wrote:
> Stop open-coding SHARED_M2P() and drop a pointless use of it from
> paging_mfn_is_dirty() (!VALID_M2P() is a superset of SHARED_M2P()) and
> another one from free_page_type() (prior assertions render this
> redundant).
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -2371,9 +2371,7 @@ int free_page_type(struct page_info *pag
>
> gmfn = mfn_to_gmfn(owner, mfn_x(page_to_mfn(page)));
> ASSERT(VALID_M2P(gmfn));
> - /* Page sharing not supported for shadowed domains */
> - if(!SHARED_M2P(gmfn))
> - shadow_remove_all_shadows(owner, _mfn(gmfn));
> + shadow_remove_all_shadows(owner, _mfn(gmfn));
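Review bot: the removed `if(!SHARED_M2P(gmfn))` was the only runtime guard on this call; the `ASSERT(VALID_M2P(gmfn))` above it compiles out in non-debug builds, so after this hunk a shared or otherwise invalid gmfn reaches `shadow_remove_all_shadows()` unconditionally in release builds. The commit message says the prior assertion makes the check redundant, but that only holds if a SHARED_M2P entry can never satisfy VALID_M2P(), and neither the code nor the message states that invariant once the comment "Page sharing not supported for shadowed domains" is gone. Suggest either keeping a comment that records the invariant at this spot, or turning the assertion into `BUG_ON(!VALID_M2P(gmfn))` if crashing is preferable to proceeding with an invalid gmfn.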
But that's an ASSERT(), not a BUG_ON(). Code after an ASSERT() needs to
make sure that if it turns out to be false in a non-debug run, nothing
worse than a BUG() will happen -- for instance, an information leak or a
privilege escalation.
xen/arch/x86/mm/shadow/common.c:sh_remove_shadows() looks up the page
struct for the mfn without checking if it's valid; so it will *probably*
end up accessing a wild pointer; at which point it would be better to
change the ASSERT(VALID_M2P()) into a BUG_ON(!VALID_M2P()).
Or, if we don't want to crash on a production box in that case, we
should leave the if() statement there.
> --- a/xen/arch/x86/mm/paging.c
> +++ b/xen/arch/x86/mm/paging.c
> @@ -369,8 +369,8 @@ int paging_mfn_is_dirty(struct domain *d
>
> /* We /really/ mean PFN here, even for non-translated guests. */
> pfn = _pfn(get_gpfn_from_mfn(mfn_x(gmfn)));
> - /* Shared pages are always read-only; invalid pages can't be dirty. */
> - if ( unlikely(SHARED_M2P(pfn_x(pfn)) || !VALID_M2P(pfn_x(pfn))) )
> + /* Invalid pages can't be dirty. */
> + if ( unlikely(!VALID_M2P(pfn_x(pfn))) )
> return 0;
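Review bot: the new comment "Invalid pages can't be dirty." no longer tells a reader that shared pages are covered as well; the correctness of dropping `SHARED_M2P(pfn_x(pfn))` rests on the shared marker also failing `VALID_M2P()`, which is stated only in the commit message. Suggest wording the comment along the lines of "Invalid (including shared) pages can't be dirty." so the dependency stays visible at the point of use and is not silently broken if the SHARED_M2P encoding changes.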
Are you sure that it will always be the case in the future that
SHARED_M2P(x) implies !VALID_M2P(x)? (This is also relevant for my
previous comment.)
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel