From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Xen-devel <xen-devel@lists.xenproject.org>,
"George Dunlap" <George.Dunlap@eu.citrix.com>,
"Ian Jackson" <iwj@xenproject.org>,
"Jan Beulich" <JBeulich@suse.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Wei Liu" <wl@xen.org>, "Julien Grall" <julien@xen.org>,
"Paul Durrant" <paul@xen.org>,
"Michał Leszczyński" <michal.leszczynski@cert.pl>,
"Hubert Jasudowicz" <hubert.jasudowicz@cert.pl>,
"Tamas K Lengyel" <tamas@tklengyel.com>
Subject: Re: [PATCH v8 06/16] xen/memory: Fix mapping grant tables with XENMEM_acquire_resource
Date: Mon, 1 Feb 2021 13:07:52 +0100 [thread overview]
Message-ID: <YBfvGKkQWSisFHNs@Air-de-Roger> (raw)
In-Reply-To: <53a26fb9-9c43-d1c4-90cd-bb29d57e106b@citrix.com>
On Mon, Feb 01, 2021 at 11:11:37AM +0000, Andrew Cooper wrote:
> On 01/02/2021 10:10, Roger Pau Monné wrote:
> > On Sat, Jan 30, 2021 at 02:58:42AM +0000, Andrew Cooper wrote:
> >> + (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.mar)) /
> >> + sizeof(*xen_frame_list);
> >> +
> >> + if ( start_extent >= cmp.mar.nr_frames )
> >> + return -EINVAL;
> >> +
> >> + /*
> >> + * Adjust nat to account for work done on previous
> >> + * continuations, leaving cmp pristine. Hide the continaution
> >> + * from the native code to prevent double accounting.
> >> + */
> >> + nat.mar->nr_frames -= start_extent;
> >> + nat.mar->frame += start_extent;
> >> + cmd &= MEMOP_CMD_MASK;
> >> +
> >> + /*
> >> + * If there are two many frames to fit within the xlat buffer,
> >> + * we'll need to loop to marshal them all.
> >> + */
> >> + nat.mar->nr_frames = min(nat.mar->nr_frames, xlat_max_frames);
> >> +
> >> /*
> >> * frame_list is an input for translated guests, and an output
> >> * for untranslated guests. Only copy in for translated guests.
> >> @@ -444,14 +453,14 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
> >> cmp.mar.nr_frames) ||
> >> __copy_from_compat_offset(
> >> compat_frame_list, cmp.mar.frame_list,
> >> - 0, cmp.mar.nr_frames) )
> >> + start_extent, nat.mar->nr_frames) )
> >> return -EFAULT;
> >>
> >> /*
> >> * Iterate backwards over compat_frame_list[] expanding
> >> * compat_pfn_t to xen_pfn_t in place.
> >> */
> >> - for ( int x = cmp.mar.nr_frames - 1; x >= 0; --x )
> >> + for ( int x = nat.mar->nr_frames - 1; x >= 0; --x )
> >> xen_frame_list[x] = compat_frame_list[x];
> > Unrelated question, but I don't really see the point of iterating
> > backwards, wouldn't it be easy to use use the existing 'i' loop
> > counter and for a for ( i = 0; i < nat.mar->nr_frames; i++ )?
> >
> > (Not that you need to fix it here, just curious about why we use that
> > construct instead).
>
> Iterating backwards is totally critical.
>
> xen_frame_list and compat_frame_list are the same numerical pointer.
> We've just filled it 50% full with compat_pfn_t's, and need to turn
> these into xen_pfn_t's which are double the size.
>
> Iterating forwards would clobber every entry but the first.
Oh, I didn't realize they point to the same address. A comment would
help (not that you need to add it now).
> >
> >> }
> >> }
> >> @@ -600,9 +609,11 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
> >> case XENMEM_acquire_resource:
> >> {
> >> DEFINE_XEN_GUEST_HANDLE(compat_mem_acquire_resource_t);
> >> + unsigned int done;
> >>
> >> if ( compat_handle_is_null(cmp.mar.frame_list) )
> >> {
> >> + ASSERT(split == 0 && rc == 0);
> >> if ( __copy_field_to_guest(
> >> guest_handle_cast(compat,
> >> compat_mem_acquire_resource_t),
> >> @@ -611,6 +622,21 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
> >> break;
> >> }
> >>
> >> + if ( split < 0 )
> >> + {
> >> + /* Continuation occurred. */
> >> + ASSERT(rc != XENMEM_acquire_resource);
> >> + done = cmd >> MEMOP_EXTENT_SHIFT;
> >> + }
> >> + else
> >> + {
> >> + /* No continuation. */
> >> + ASSERT(rc == 0);
> >> + done = nat.mar->nr_frames;
> >> + }
> >> +
> >> + ASSERT(done <= nat.mar->nr_frames);
> >> +
> >> /*
> >> * frame_list is an input for translated guests, and an output for
> >> * untranslated guests. Only copy out for untranslated guests.
> >> @@ -626,7 +652,7 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
> >> */
> >> BUILD_BUG_ON(sizeof(compat_pfn_t) > sizeof(xen_pfn_t));
> >>
> >> - for ( i = 0; i < cmp.mar.nr_frames; i++ )
> >> + for ( i = 0; i < done; i++ )
> >> {
> >> compat_pfn_t frame = xen_frame_list[i];
> >>
> >> @@ -636,15 +662,45 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
> >> compat_frame_list[i] = frame;
> >> }
> >>
> >> - if ( __copy_to_compat_offset(cmp.mar.frame_list, 0,
> >> + if ( __copy_to_compat_offset(cmp.mar.frame_list, start_extent,
> >> compat_frame_list,
> >> - cmp.mar.nr_frames) )
> >> + done) )
> >> return -EFAULT;
> > Is it fine to return with a possibly pending continuation already
> > encoded here?
> >
> > Other places seem to crash the domain when that happens.
>
> Hmm. This is all a total mess. (Elsewhere the error handling is also
> broken - a caller who receives an error can't figure out how to recover)
>
> But yes - I think you're right - the only thing we can do here is `goto
> crash;` and woe betide any 32bit kernel which passes a pointer to a
> read-only buffer.
With that added:
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Thanks, Roger.
next prev parent reply other threads:[~2021-02-01 12:08 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-30 2:58 [PATCH v8 00/16] acquire_resource size and external IPT monitoring Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 01/16] xen/memory: Reject out-of-range resource 'frame' values Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 02/16] xen/gnttab: Rework resource acquisition Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 03/16] xen/memory: Fix acquire_resource size semantics Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 04/16] xen/memory: Improve compat XENMEM_acquire_resource handling Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 05/16] xen/memory: Indent part of acquire_resource() Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 06/16] xen/memory: Fix mapping grant tables with XENMEM_acquire_resource Andrew Cooper
2021-02-01 10:10 ` Roger Pau Monné
2021-02-01 11:11 ` Andrew Cooper
2021-02-01 12:07 ` Roger Pau Monné [this message]
2021-02-01 12:10 ` Andrew Cooper
2021-02-01 13:03 ` Jan Beulich
2021-02-01 14:04 ` Andrew Cooper
2021-02-01 14:32 ` Jan Beulich
2021-01-30 2:58 ` [PATCH v8 07/16] xen+tools: Introduce XEN_SYSCTL_PHYSCAP_vmtrace Andrew Cooper
2021-02-01 10:32 ` Roger Pau Monné
2021-01-30 2:58 ` [PATCH v8 08/16] xen/domain: Add vmtrace_size domain creation parameter Andrew Cooper
2021-02-01 10:51 ` Roger Pau Monné
2021-02-01 11:19 ` Andrew Cooper
2021-02-01 13:18 ` Jan Beulich
2021-02-01 14:22 ` Andrew Cooper
2021-02-01 14:36 ` Jan Beulich
2021-02-01 22:14 ` Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 09/16] tools/[lib]xl: Add vmtrace_buf_size parameter Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 10/16] xen/memory: Add a vmtrace_buf resource type Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 11/16] x86/vmx: Add Intel Processor Trace support Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 12/16] xen/domctl: Add XEN_DOMCTL_vmtrace_op Andrew Cooper
2021-02-01 12:01 ` Roger Pau Monné
2021-02-01 13:00 ` Andrew Cooper
2021-02-01 14:27 ` Roger Pau Monné
2021-01-30 2:58 ` [PATCH v8 13/16] tools/libxc: Add xc_vmtrace_* functions Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 14/16] tools/misc: Add xen-vmtrace tool Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 15/16] xen/vmtrace: support for VM forks Andrew Cooper
2021-01-30 2:58 ` [PATCH v8 16/16] x86/vm_event: Carry the vmtrace buffer position in vm_event Andrew Cooper
2021-02-01 9:51 ` Jan Beulich
2021-02-01 12:34 ` [PATCH v8 00/16] acquire_resource size and external IPT monitoring Oleksandr
2021-02-01 13:07 ` Andrew Cooper
2021-02-01 13:47 ` Oleksandr
2021-02-01 14:00 ` Andrew Cooper
2021-02-02 12:09 ` Oleksandr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YBfvGKkQWSisFHNs@Air-de-Roger \
--to=roger.pau@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=hubert.jasudowicz@cert.pl \
--cc=iwj@xenproject.org \
--cc=julien@xen.org \
--cc=michal.leszczynski@cert.pl \
--cc=paul@xen.org \
--cc=sstabellini@kernel.org \
--cc=tamas@tklengyel.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.