From: Oleksandr Tyshchenko
To: xen-devel@lists.xenproject.org
Cc: Oleksandr Tyshchenko, Stefano Stabellini, Julien Grall, Volodymyr Babchuk, Paul Durrant, Julien Grall
Subject: [PATCH V2 13/23] xen/ioreq: Use guest_cmpxchg64() instead of cmpxchg()
Date: Thu, 15 Oct 2020 19:44:24 +0300
Message-Id: <1602780274-29141-14-git-send-email-olekstysh@gmail.com>
In-Reply-To: <1602780274-29141-1-git-send-email-olekstysh@gmail.com>
References: <1602780274-29141-1-git-send-email-olekstysh@gmail.com>
List-Id: Xen developer discussion
From: Oleksandr Tyshchenko

The cmpxchg() in hvm_send_buffered_ioreq() operates on memory shared with the emulator domain (and the target domain if the legacy interface is used).

In order to be on the safe side we need to switch to guest_cmpxchg64() to prevent a domain from DoSing Xen on Arm.

As there is no plan to support the legacy interface on Arm, we will have a page mapped in a single domain at a time, so we can use s->emulator in guest_cmpxchg64() safely. Thankfully the only user of the legacy interface is x86 so far and there is no concern regarding the atomic operations.

Please note that the legacy interface *must* not be used on Arm without revisiting the code.

Signed-off-by: Oleksandr Tyshchenko
CC: Julien Grall
---
Please note, this is a split/cleanup/hardening of Julien's PoC: "Add support for Guest IO forwarding to a device emulator"

Changes RFC -> V1:
- new patch

Changes V1 -> V2:
- move earlier to avoid breaking arm32 compilation
- add an explanation to commit description and hvm_allow_set_param()
- pass s->emulator
---
xen/arch/arm/hvm.c | 4 ++++
xen/common/ioreq.c | 3 ++-
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c index 8951b34..9694e5a 100644 --- a/xen/arch/arm/hvm.c +++ b/xen/arch/arm/hvm.c @@ -31,6 +31,10 @@ #include +/* + * The legacy interface (which involves magic IOREQ pages) *must* not be used + * without revisiting the code. + */ static int hvm_allow_set_param(const struct domain *d, unsigned int param) { switch ( param ) diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 98fffae..8612159 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -28,6 +28,7 @@ #include #include +#include #include #include 
@@ -1317,7 +1318,7 @@ static int send_buffered_ioreq(struct ioreq_server *s, ioreq_t *p) new.read_pointer = old.read_pointer - n * IOREQ_BUFFER_SLOT_NUM; new.write_pointer = old.write_pointer - n * IOREQ_BUFFER_SLOT_NUM; - cmpxchg(&pg->ptrs.full, old.full, new.full); + guest_cmpxchg64(s->emulator, &pg->ptrs.full, old.full, new.full); } notify_via_xen_event_channel(d, s->bufioreq_evtchn); -- 2.7.4
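Review bot: the hvm.c hunk only adds a comment above hvm_allow_set_param(); nothing in the visible lines makes the `switch ( param )` reject the legacy magic-page parameters the comment says *must* not be used, so the constraint is stated but not enforced. Either say in the commit message that the existing switch already refuses those parameters on Arm, or add explicit cases that return an error for them, so a future caller cannot enable the legacy interface by accident.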
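Review bot: the commit message refers to hvm_send_buffered_ioreq(), but the hunk header shows the change lands in send_buffered_ioreq(); align the message with the function actually touched. The return value of guest_cmpxchg64() is dropped exactly as cmpxchg()'s was, which is fine only if a lost pointer update is acceptable here; a short comment at the call site saying why a failed exchange needs no handling, and why s->emulator rather than d is the right domain to pass, would keep the hardening rationale next to the code instead of only in the commit text.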
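As an added example (not Xen's code nor the patch author's), the bounded compare-exchange idea behind the switch to guest_cmpxchg64(), applied to a read/write-pointer word of the kind the send_buffered_ioreq() hunk updates; SLOT_NUM, the union, the function names and the retry-budget semantics are assumptions for illustration, not Xen's implementation of guest_cmpxchg64().

```c
/* Added example, not Xen's code: a bounded 64-bit compare-exchange on a
 * read/write-pointer word shared with an untrusted domain, modelled on the
 * send_buffered_ioreq() hunk. Names are constructed; SLOT_NUM is assumed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#define SLOT_NUM 511u /* stand-in for IOREQ_BUFFER_SLOT_NUM */

/* Two 32-bit ring pointers published as one 64-bit word, like ioreq's ptrs. */
union ring_ptrs {
    struct { uint32_t read_pointer; uint32_t write_pointer; };
    uint64_t full;
};
struct shared_page { _Atomic uint64_t ptrs_full; }; /* the word both sides touch */

uint64_t pack_ptrs(uint32_t rd, uint32_t wr)
{
    union ring_ptrs p;
    p.read_pointer = rd;
    p.write_pointer = wr;
    return p.full;
}

/* Try the exchange at most max_tries times. A plain cmpxchg() loop on an
 * LL/SC machine retries for as long as another CPU keeps writing the line, so
 * a word an untrusted party can write needs a budget. Returns true only if
 * *p went from old to desired. */
bool bounded_cmpxchg64(_Atomic uint64_t *p, uint64_t old, uint64_t desired,
                       unsigned max_tries)
{
    for (unsigned i = 0; i < max_tries; i++) {
        uint64_t expected = old;
        if (atomic_compare_exchange_weak(p, &expected, desired))
            return true;
        if (expected != old)
            return false; /* real mismatch: the word moved on, stop retrying */
        /* spurious failure (lost store-exclusive): retry within the budget */
    }
    return false; /* budget exhausted: report it rather than spin forever */
}

/* Mirror of the hunk: rewind both pointers by n slots, publish atomically. */
bool consume_slots(struct shared_page *pg, unsigned n, unsigned max_tries)
{
    union ring_ptrs cur, next;
    cur.full = atomic_load(&pg->ptrs_full);
    next.read_pointer = cur.read_pointer - n * SLOT_NUM;
    next.write_pointer = cur.write_pointer - n * SLOT_NUM;
    return bounded_cmpxchg64(&pg->ptrs_full, cur.full, next.full, max_tries);
}
```

On x86 the weak exchange practically never fails spuriously, so the budget only matters on LL/SC architectures such as Arm, which is exactly where the patch applies.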