[PATCH 0/2] Misc vcpu_op() adjustments

[PATCH 0/2] Misc vcpu_op() adjustments

[Andrew Cooper]

Andrew Cooper (2):
  xen/domain: Block more speculative out-of-bound accesses
  xen/arm: Misc improvements to do_common_cpu_on()

 xen/arch/arm/vpsci.c       | 8 +++-----
 xen/common/compat/domain.c | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH 0/2] Misc vcpu_op() adjustments

[Andrew Cooper]

Andrew Cooper (2):
  xen/domain: Block more speculative out-of-bound accesses
  xen/arm: Misc improvements to do_common_cpu_on()

 xen/arch/arm/vpsci.c       | 8 +++-----
 xen/common/compat/domain.c | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Andrew Cooper]

c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
compat counterpart, which is reachable by guests using the 32bit ABI.

Make an identical adjustment.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
CC: Norbert Manthey <nmanthey@amazon.de>
---
 xen/common/compat/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c
index 88bfdc8..39877b3 100644
--- a/xen/common/compat/domain.c
+++ b/xen/common/compat/domain.c
@@ -39,7 +39,7 @@ int compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) ar
     struct vcpu *v;
     int rc = 0;
 
-    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
+    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
         return -ENOENT;
 
     switch ( cmd )
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Andrew Cooper]

c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
compat counterpart, which is reachable by guests using the 32bit ABI.

Make an identical adjustment.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
CC: Norbert Manthey <nmanthey@amazon.de>
---
 xen/common/compat/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c
index 88bfdc8..39877b3 100644
--- a/xen/common/compat/domain.c
+++ b/xen/common/compat/domain.c
@@ -39,7 +39,7 @@ int compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) ar
     struct vcpu *v;
     int rc = 0;
 
-    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
+    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
         return -ENOENT;
 
     switch ( cmd )
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH 2/2] xen/arm: Misc improvements to do_common_cpu_on()

[Andrew Cooper]

 * Use domain_vcpu() rather than opencoding the lookup.  Amongst other things,
   domain_vcpu() is spectre-v1-safe.
 * Unlock the domain immediately after arch_set_info_guest() completes.  There
   is no need for free_vcpu_guest_context() to be within the critical region,
   and moving the call simplifies the error case.

No practical change in functionaltiy.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
---
 xen/arch/arm/vpsci.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/xen/arch/arm/vpsci.c b/xen/arch/arm/vpsci.c
index 9f4e5b8..c1e250b 100644
--- a/xen/arch/arm/vpsci.c
+++ b/xen/arch/arm/vpsci.c
@@ -33,7 +33,7 @@ static int do_common_cpu_on(register_t target_cpu, register_t entry_point,
 
     vcpuid = vaffinity_to_vcpuid(target_cpu);
 
-    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
+    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
         return PSCI_INVALID_PARAMETERS;
 
     /* THUMB set is not allowed with 64-bit domain */
@@ -82,14 +82,12 @@ static int do_common_cpu_on(register_t target_cpu, register_t entry_point,
 
     domain_lock(d);
     rc = arch_set_info_guest(v, ctxt);
+    domain_unlock(d);
+
     free_vcpu_guest_context(ctxt);
 
     if ( rc < 0 )
-    {
-        domain_unlock(d);
         return PSCI_DENIED;
-    }
-    domain_unlock(d);
 
     vcpu_wake(v);
 
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH 2/2] xen/arm: Misc improvements to do_common_cpu_on()

[Andrew Cooper]

 * Use domain_vcpu() rather than opencoding the lookup.  Amongst other things,
   domain_vcpu() is spectre-v1-safe.
 * Unlock the domain immediately after arch_set_info_guest() completes.  There
   is no need for free_vcpu_guest_context() to be within the critical region,
   and moving the call simplifies the error case.

No practical change in functionaltiy.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
---
 xen/arch/arm/vpsci.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/xen/arch/arm/vpsci.c b/xen/arch/arm/vpsci.c
index 9f4e5b8..c1e250b 100644
--- a/xen/arch/arm/vpsci.c
+++ b/xen/arch/arm/vpsci.c
@@ -33,7 +33,7 @@ static int do_common_cpu_on(register_t target_cpu, register_t entry_point,
 
     vcpuid = vaffinity_to_vcpuid(target_cpu);
 
-    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
+    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
         return PSCI_INVALID_PARAMETERS;
 
     /* THUMB set is not allowed with 64-bit domain */
@@ -82,14 +82,12 @@ static int do_common_cpu_on(register_t target_cpu, register_t entry_point,
 
     domain_lock(d);
     rc = arch_set_info_guest(v, ctxt);
+    domain_unlock(d);
+
     free_vcpu_guest_context(ctxt);
 
     if ( rc < 0 )
-    {
-        domain_unlock(d);
         return PSCI_DENIED;
-    }
-    domain_unlock(d);
 
     vcpu_wake(v);
 
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Norbert Manthey]

On 4/24/19 20:10, Andrew Cooper wrote:
> c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
> compat counterpart, which is reachable by guests using the 32bit ABI.
>
> Make an identical adjustment.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien.grall@arm.com>
> CC: Norbert Manthey <nmanthey@amazon.de>
> ---
>  xen/common/compat/domain.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c
> index 88bfdc8..39877b3 100644
> --- a/xen/common/compat/domain.c
> +++ b/xen/common/compat/domain.c
> @@ -39,7 +39,7 @@ int compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) ar
>      struct vcpu *v;
>      int rc = 0;
>  
> -    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
> +    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
>          return -ENOENT;
>  
>      switch ( cmd )




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Norbert Manthey]

On 4/24/19 20:10, Andrew Cooper wrote:
> c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
> compat counterpart, which is reachable by guests using the 32bit ABI.
>
> Make an identical adjustment.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien.grall@arm.com>
> CC: Norbert Manthey <nmanthey@amazon.de>
> ---
>  xen/common/compat/domain.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c
> index 88bfdc8..39877b3 100644
> --- a/xen/common/compat/domain.c
> +++ b/xen/common/compat/domain.c
> @@ -39,7 +39,7 @@ int compat_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) ar
>      struct vcpu *v;
>      int rc = 0;
>  
> -    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
> +    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
>          return -ENOENT;
>  
>      switch ( cmd )




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Jan Beulich]

>>> On 24.04.19 at 20:10, <andrew.cooper3@citrix.com> wrote:
> c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
> compat counterpart, which is reachable by guests using the 32bit ABI.
> 
> Make an identical adjustment.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH 1/2] xen/domain: Block more speculative out-of-bound accesses

[Jan Beulich]

>>> On 24.04.19 at 20:10, <andrew.cooper3@citrix.com> wrote:
> c/s f8303458 restricted speculative access for do_vcpu_op(), but neglected its
> compat counterpart, which is reachable by guests using the 32bit ABI.
> 
> Make an identical adjustment.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH 2/2] xen/arm: Misc improvements to do_common_cpu_on()

[Julien Grall]

Hi Andrew,

On 24/04/2019 19:10, Andrew Cooper wrote:
>   * Use domain_vcpu() rather than opencoding the lookup.  Amongst other things,
>     domain_vcpu() is spectre-v1-safe.
>   * Unlock the domain immediately after arch_set_info_guest() completes.  There
>     is no need for free_vcpu_guest_context() to be within the critical region,
>     and moving the call simplifies the error case.
> 
> No practical change in functionaltiy.

s/functionaltiy/functionality/

> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Julien Grall <julien.grall@arm.com>

I will fix up the typo and queue it in my next-4.13 branch.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH 2/2] xen/arm: Misc improvements to do_common_cpu_on()

[Julien Grall]

Hi Andrew,

On 24/04/2019 19:10, Andrew Cooper wrote:
>   * Use domain_vcpu() rather than opencoding the lookup.  Amongst other things,
>     domain_vcpu() is spectre-v1-safe.
>   * Unlock the domain immediately after arch_set_info_guest() completes.  There
>     is no need for free_vcpu_guest_context() to be within the critical region,
>     and moving the call simplifies the error case.
> 
> No practical change in functionaltiy.

s/functionaltiy/functionality/

> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Julien Grall <julien.grall@arm.com>

I will fix up the typo and queue it in my next-4.13 branch.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel