All of lore.kernel.org
 help / color / mirror / Atom feed
From: Julien Grall <julien@xen.org>
To: Jan Beulich <jbeulich@suse.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"George Dunlap" <george.dunlap@citrix.com>,
	"Ian Jackson" <iwj@xenproject.org>, "Wei Liu" <wl@xen.org>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	"Stefano Stabellini" <sstabellini@kernel.org>
Subject: Re: [PATCH 1/2] gnttab: remove guest_physmap_remove_page() call from gnttab_map_frame()
Date: Thu, 23 Sep 2021 13:40:04 +0500	[thread overview]
Message-ID: <8c685481-a74d-9aa6-c1db-4d22c95a4eda@xen.org> (raw)
In-Reply-To: <474bd675-b42e-3f9f-03d6-f7afc26e10c5@suse.com>

Hi Jan,

On 22/09/2021 15:47, Jan Beulich wrote:
> On 22.09.2021 12:28, Julien Grall wrote:
>> Hi,
>>
>> On 22/09/2021 14:42, Jan Beulich wrote:
>>> On 22.09.2021 11:26, Roger Pau Monné wrote:
>>>> On Tue, Sep 21, 2021 at 12:12:05PM +0200, Jan Beulich wrote:
>>>>> On 21.09.2021 10:32, Roger Pau Monné wrote:
>>>>>> On Mon, Sep 20, 2021 at 05:27:17PM +0200, Jan Beulich wrote:
>>>>>>> On 20.09.2021 12:20, Roger Pau Monné wrote:
>>>>>>>> On Mon, Sep 13, 2021 at 08:41:47AM +0200, Jan Beulich wrote:
>>>>>>>>> --- a/xen/include/asm-arm/grant_table.h
>>>>>>>>> +++ b/xen/include/asm-arm/grant_table.h
>>>>>>>>> +        if ( gfn_eq(ogfn, INVALID_GFN) || gfn_eq(ogfn, gfn) ||           \
>>>>>>>>
>>>>>>>> I'm slightly confused by this checks, don't you need to check for
>>>>>>>> gfn_eq(gfn, INVALID_GFN) (not ogfn) in order to call
>>>>>>>> guest_physmap_remove_page?
>>>>>>>
>>>>>>> Why? It's ogfn which gets passed to the function. And it indeed is the
>>>>>>> prior GFN's mapping that we want to remove here.
>>>>>>>
>>>>>>>> Or assuming that ogfn is not invalid can be used to imply a removal?
>>>>>>>
>>>>>>> That implication can be (and on x86 is) used for the incoming argument,
>>>>>>> i.e. "gfn". I don't think "ogfn" can serve this purpose.
>>>>>>
>>>>>> I guess I'm confused due to the ogfn checks done on the Arm side that
>>>>>> are not performed on x86. So on Arm you always need to explicitly
>>>>>> unhook the previous GFN before attempting to setup a new mapping,
>>>>>> while on x86 you only need to do this when it's a removal in order to
>>>>>> clear the entry?
>>>>>
>>>>> The difference isn't with guest_physmap_add_entry() (both x86 and
>>>>> Arm only insert a new mapping there), but with
>>>>> xenmem_add_to_physmap_one(): Arm's variant doesn't care about prior
>>>>> mappings. And gnttab_map_frame() gets called only from there. This
>>>>> is effectively what the first paragraph of the description is about.
>>>>
>>>> OK, sorry, it wasn't clear to me from the description. Could you
>>>> explicitly mention in the description that the removal is moved into
>>>> gnttab_set_frame_gfn on Arm in order to cope with the fact that
>>>> xenmem_add_to_physmap_one doesn't perform it.
>>>
>>> Well, it's not really "in order to cope" - that's true for the placement
>>> prior to this change as well, so not a justification for the change.
>>> Nevertheless I've tried to make this more clear by changing the 1st
>>> paragraph to:
>>>
>>> "Without holding appropriate locks, attempting to remove a prior mapping
>>>    of the underlying page is pointless, as the same (or another) mapping
>>>    could be re-established by a parallel request on another vCPU. Move the
>>>    code to Arm's gnttab_set_frame_gfn(); it cannot be dropped there since
>>>    xenmem_add_to_physmap_one() doesn't call it either (unlike on x86). Of
>>>    course this new placement doesn't improve things in any way as far as
>>>    the security of grant status frame mappings goes (see XSA-379). Proper
>>>    locking would be needed here to allow status frames to be mapped
>>>    securely."
>>>
>>>> TBH I think it would be in our best interest to try to make
>>>> xenmem_add_to_physmap_one behave as close as possible between arches.
>>>> This discrepancy between x86 and Arm regarding page removal is just
>>>> going to bring more trouble in the long term, and hiding the
>>>> differences inside gnttab_set_frame_gfn just makes it even more
>>>> obscure.
>>>
>>> Stefano, Julien?
>>
>> This would be ideal as I don't particular like the approach taken in
>> this patch. But AFAICT, this would require us to implement an M2P. Or is
>> there another way to do it?
> 
> For the purpose of just XENMAPSPACE_grant_table the "restricted" M2P
> (to just grant table pages), as introduced by an on-list patch, would
> do afaict. That wouldn't remove all the differences between the two
> implementations, but at least the one affecting the difference in how
> gnttab_map_frame() needs to behave.

This would work. I will add it in my todo list but I am not such when I 
will have time to look at it. I am happy if someone else wants to look 
at it.

Cheers,

-- 
Julien Grall


  reply	other threads:[~2021-09-23  8:40 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-13  6:39 [PATCH 0/2] grant table and add-to-physmap adjustments on top of XSAs 379 and 384 Jan Beulich
2021-09-13  6:41 ` [PATCH 1/2] gnttab: remove guest_physmap_remove_page() call from gnttab_map_frame() Jan Beulich
2021-09-20 10:20   ` Roger Pau Monné
2021-09-20 15:27     ` Jan Beulich
2021-09-21  8:32       ` Roger Pau Monné
2021-09-21 10:12         ` Jan Beulich
2021-09-22  9:26           ` Roger Pau Monné
2021-09-22  9:42             ` Jan Beulich
2021-09-22 10:00               ` Roger Pau Monné
2021-09-28 13:36                 ` Ping: " Jan Beulich
2021-09-22 10:28               ` Julien Grall
2021-09-22 10:47                 ` Jan Beulich
2021-09-23  8:40                   ` Julien Grall [this message]
2021-11-25 16:37   ` Julien Grall
2021-11-26  8:07     ` Jan Beulich
2021-12-01 18:19       ` Julien Grall
2021-12-02  9:09   ` Julien Grall
2021-12-02 10:12     ` Jan Beulich
2021-12-02 11:05       ` Julien Grall
2021-12-02 16:12     ` Oleksandr
2021-09-13  6:42 ` [PATCH 2/2] memory: XENMEM_add_to_physmap (almost) wrapping checks Jan Beulich
2021-10-14 11:29   ` Julien Grall
2021-10-14 14:10     ` Jan Beulich
2021-10-15  9:26       ` Julien Grall
2021-10-18 13:25         ` Jan Beulich
2021-09-27 20:41 ` [PATCH 0/2] grant table and add-to-physmap adjustments on top of XSAs 379 and 384 Oleksandr

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8c685481-a74d-9aa6-c1db-4d22c95a4eda@xen.org \
    --to=julien@xen.org \
    --cc=andrew.cooper3@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=jbeulich@suse.com \
    --cc=roger.pau@citrix.com \
    --cc=sstabellini@kernel.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.