All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Jan Beulich" <JBeulich@suse.com>
To: xen-devel <xen-devel@lists.xenproject.org>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>
Subject: [PATCH 08/11] gnttab: remove host map in the event of a grant_map failure
Date: Wed, 21 Jun 2017 03:36:53 -0600	[thread overview]
Message-ID: <594A5A5502000078001650B6@prv-mh.provo.novell.com> (raw)
In-Reply-To: <594A57B10200007800165012@prv-mh.provo.novell.com>

[-- Attachment #1: Type: text/plain, Size: 1737 bytes --]

From: George Dunlap <george.dunlap@citrix.com>

The current code appropriately removes the reference and type counts
on failure, but leaves the mapping set up. As the only path which can
trigger this is failure from IOMMU manipulation, and as unprivileged
domains are being crashed in that case, this is not by itself a
security issue.

Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -764,6 +764,7 @@ __gnttab_map_grant_ref(
     u32            old_pin;
     u32            act_pin;
     unsigned int   cache_flags, refcnt = 0, typecnt = 0;
+    bool           host_map_created = false;
     struct active_grant_entry *act = NULL;
     struct grant_mapping *mt;
     grant_entry_header_t *shah;
@@ -923,6 +924,8 @@ __gnttab_map_grant_ref(
                                            cache_flags);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else if ( owner == rd || owner == dom_cow )
@@ -960,6 +963,8 @@ __gnttab_map_grant_ref(
             rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else
@@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref(
     return;
 
  undo_out:
+    if ( host_map_created )
+    {
+        replace_grant_host_mapping(op->host_addr, frame, 0, op->flags);
+        gnttab_flush_tlb(ld);
+    }
+
     while ( typecnt-- )
         put_page_type(pg);
 




[-- Attachment #2: gnttab-remove-host-map.patch --]
[-- Type: text/plain, Size: 1794 bytes --]

gnttab: remove host map in the event of a grant_map failure

From: George Dunlap <george.dunlap@citrix.com>

The current code appropriately removes the reference and type counts
on failure, but leaves the mapping set up. As the only path which can
trigger this is failure from IOMMU manipulation, and as unprivileged
domains are being crashed in that case, this is not by itself a
security issue.

Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -764,6 +764,7 @@ __gnttab_map_grant_ref(
     u32            old_pin;
     u32            act_pin;
     unsigned int   cache_flags, refcnt = 0, typecnt = 0;
+    bool           host_map_created = false;
     struct active_grant_entry *act = NULL;
     struct grant_mapping *mt;
     grant_entry_header_t *shah;
@@ -923,6 +924,8 @@ __gnttab_map_grant_ref(
                                            cache_flags);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else if ( owner == rd || owner == dom_cow )
@@ -960,6 +963,8 @@ __gnttab_map_grant_ref(
             rc = create_grant_host_mapping(op->host_addr, frame, op->flags, 0);
             if ( rc != GNTST_okay )
                 goto undo_out;
+
+            host_map_created = true;
         }
     }
     else
@@ -1030,6 +1035,12 @@ __gnttab_map_grant_ref(
     return;
 
  undo_out:
+    if ( host_map_created )
+    {
+        replace_grant_host_mapping(op->host_addr, frame, 0, op->flags);
+        gnttab_flush_tlb(ld);
+    }
+
     while ( typecnt-- )
         put_page_type(pg);
 

[-- Attachment #3: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

  parent reply	other threads:[~2017-06-21  9:36 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-21  9:25 [PATCH 00/11] assorted follow-ups to recent XSAs Jan Beulich
2017-06-21  9:30 ` [PATCH 01/11] public: adjust documentation following XSA-217 Jan Beulich
2017-06-21 11:26   ` Andrew Cooper
2017-06-21 15:44   ` George Dunlap
2017-06-21 15:54     ` Jan Beulich
2017-06-21 16:53       ` George Dunlap
2017-06-21 17:55         ` Stefano Stabellini
2017-06-22  6:59         ` Jan Beulich
2017-06-22  9:52           ` George Dunlap
2017-06-21  9:31 ` [PATCH 02/11] gnttab: remove redundant xenheap check from gnttab_transfer() Jan Beulich
2017-06-21 11:28   ` Andrew Cooper
2017-06-21  9:32 ` [PATCH 03/11] make steal_page() return a proper error value Jan Beulich
2017-06-21 11:39   ` Andrew Cooper
2017-06-22 10:01   ` Julien Grall
2017-06-21  9:33 ` [PATCH 04/11] domctl: restrict DOMCTL_set_target to HVM domains Jan Beulich
2017-06-21 11:41   ` Andrew Cooper
2017-06-21  9:34 ` [PATCH 05/11] evtchn: convert evtchn_port_is_*() to plain bool Jan Beulich
2017-06-21 11:46   ` Andrew Cooper
2017-06-21  9:35 ` [PATCH 06/11] ARM: simplify page type handling Jan Beulich
2017-06-21 23:53   ` Stefano Stabellini
2017-06-21  9:36 ` [PATCH 07/11] x86: fold identical error paths in xenmem_add_to_physmap_one() Jan Beulich
2017-06-21 11:53   ` Andrew Cooper
2017-06-21  9:36 ` Jan Beulich [this message]
2017-06-21  9:37 ` [PATCH 09/11] gnttab: avoid spurious maptrack handle allocation failures Jan Beulich
2017-06-21 12:02   ` Andrew Cooper
2017-06-21 12:19     ` Jan Beulich
2017-06-22 14:16     ` Jan Beulich
2017-06-21  9:38 ` [PATCH 10/11] gnttab: limit mapkind()'s iteration count Jan Beulich
2017-06-21 12:13   ` Andrew Cooper
2017-06-21  9:38 ` [PATCH 11/11] gnttab: drop useless locking Jan Beulich
2017-07-14 12:34   ` Ping: " Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=594A5A5502000078001650B6@prv-mh.provo.novell.com \
    --to=jbeulich@suse.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=Ian.Jackson@eu.citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=sstabellini@kernel.org \
    --cc=tim@xen.org \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.