From: Corneliu ZUZU <czuzu@bitdefender.com>
To: xen-devel@lists.xen.org
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Tamas K Lengyel <tamas@tklengyel.com>,
Razvan Cojocaru <rcojocaru@bitdefender.com>,
Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH v3 4/8] x86/vm_event/monitor/cr: check for vm-event subscriber on domctl
Date: Thu, 7 Jul 2016 11:18:03 +0300 [thread overview]
Message-ID: <e441fda8-ebd9-d484-efa2-2df52cd93b54@bitdefender.com> (raw)
In-Reply-To: <1467820378-13448-1-git-send-email-czuzu@bitdefender.com>
On 7/6/2016 6:52 PM, Corneliu ZUZU wrote:
> Enforce presence of a monitor vm-event subscriber when the toolstack user calls
> xc_monitor_write_ctrlreg (XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG domctl).
> Without this change, ASSERT(v->arch.vm_event) @ hvm_set_cr0 and such would fail
> if the toolstack user calls xc_monitor_write_ctrlreg(...) w/ enable = true,
> without first calling xc_monitor_enable().
>
> Also adjust returned error code for similar check from -EINVAL to more
> descriptive -ENOSYS (XEN_DOMCTL_MONITOR_OP_EMULATE_EACH_REP).
>
> Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
> ---
> xen/arch/x86/monitor.c | 7 +++++++
> xen/include/asm-x86/monitor.h | 2 +-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/xen/arch/x86/monitor.c b/xen/arch/x86/monitor.c
> index 42f31bf..4d4db33 100644
> --- a/xen/arch/x86/monitor.c
> +++ b/xen/arch/x86/monitor.c
> @@ -188,6 +188,13 @@ int arch_monitor_domctl_event(struct domain *d,
> unsigned int ctrlreg_bitmask;
> bool_t old_status;
>
> + /*
> + * Enabling cr-write vm-events without a vm_event subscriber is
> + * meaningless.
> + */
> + if ( !vm_event_domain_initialised(d) )
> + return -ENOSYS;
> +
> /* sanity check: avoid left-shift undefined behavior */
> if ( unlikely(mop->u.mov_to_cr.index > 31) )
> return -EINVAL;
> diff --git a/xen/include/asm-x86/monitor.h b/xen/include/asm-x86/monitor.h
> index 9238ec8..2213124 100644
> --- a/xen/include/asm-x86/monitor.h
> +++ b/xen/include/asm-x86/monitor.h
> @@ -52,7 +52,7 @@ int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop)
> if ( vm_event_domain_initialised(d) )
> d->arch.mem_access_emulate_each_rep = !!mop->event;
> else
> - rc = -EINVAL;
> + rc = -ENOSYS;
>
> domain_unpause(d);
> break;
But this also doesn't guarantee the ASSERT not failing, as I now
realize, simply because with this patch v->arch.vm_event can *still be
NULL* even with a *non-zero d->monitor.write_ctrlreg_enabled*.
Can happen for example if:
1) the toolstack user calls *xc_monitor_enable()* to enable domain
monitoring (calls *vm_event_init_domain()* along the way)
2) the toolstack user calls *xc_monitor_write_ctrlreg()* to enable *CR0*
exiting - this will succeed since the user *first called
xc_monitor_enable()* - which *will result in having a non-zero
d->monitor.write_ctrlreg_enabled*
3) the toolstack user calls *xc_mem_paging_enable() followed by
xc_mem_paging_disable()*; this *will call
vm_event_disable()->vm_event_cleanup_domain()* along the way which *will
xfree v->arch.vm_event*, but _will not_ call
*arch_monitor_cleanup_domain()* (see vm_event_domctl) which zeroes out
d->monitor.write_ctrlreg_enabled
4) a CR0-write is intercepted after these operations which will
ASSERT(v->arch.vm_event) in hvm_set_cr0(), which will subsequently fail
This issue happens because *vm_event_cleanup()* domain *xfrees
arch_vm_event along with its write_data field* needed by the monitor
subsystem, even a vm-event subsystem other than the monitor one is
uninitialized. I'm wondering why vm_event_{init,cleanup}_domain()
allocate/free *monitor-specific* resources (arch_vm_event fields) even
when they're called as a result of
XEN_DOMCTL_VM_EVENT_OP_PAGING/XEN_DOMCTL_VM_EVENT_OP_SHARING domctl.
Tamas, Razvan, this seems wrong, shouldn't most operations currently
done in *vm_event_{init,cleanup}_domain* actually be done in
*arch_monitor_{init,cleanup}_domain* instead?
I propose the following refactoring:
- define:
struct arch_vm_event_monitor {
uint32_t emulate_flags;
struct vm_event_emul_read_data *emul_read_data;
struct monitor_write_data write_data;
}
- change
struct arch_vm_event {
struct arch_vm_event_monitor *monitor; // monitor
subsystem-stuff!
}
- allocate *arch_vm_event* (but don't touch its *monitor* field) in
*vm_event_init_domain()*
- allocate/free *arch_vm_event->monitor* in
*arch_monitor_{init,cleanup}_domain()*, but *only free write_data if
there are no uncommitted writes*
- call arch_monitor_cleanup_domain() *before* vm_event_cleanup_domain()
and only free arch_vm_event in the latter if arch_vm_event->monitor was
freed in the former
- on domain/vcpu destroyal free everything left allocated
(arch_vm_event->monitor and arch_vm_event)
Sounds good?
Thanks,
Corneliu.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-07-07 8:18 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 15:49 [PATCH v3 0/8] x86/vm-event: Adjustments & fixes Corneliu ZUZU
2016-07-06 15:49 ` [PATCH v3 1/8] x86/vmx_update_guest_cr: minor optimization Corneliu ZUZU
2016-07-08 11:39 ` Corneliu ZUZU
2016-07-08 11:48 ` Jan Beulich
2016-07-08 11:55 ` Corneliu ZUZU
2016-07-08 12:11 ` Jan Beulich
2016-07-08 12:18 ` Ping: " Corneliu ZUZU
2016-07-11 2:37 ` Tian, Kevin
2016-07-06 15:50 ` [PATCH v3 2/8] x86/vm-event/monitor: relocate code-motion more appropriately Corneliu ZUZU
2016-07-08 7:21 ` Jan Beulich
2016-07-08 10:22 ` Corneliu ZUZU
2016-07-08 10:37 ` Jan Beulich
2016-07-08 11:33 ` Corneliu ZUZU
2016-07-08 11:53 ` Jan Beulich
2016-07-08 11:57 ` Corneliu ZUZU
2016-07-08 15:50 ` Tamas K Lengyel
2016-07-08 17:58 ` Corneliu ZUZU
2016-07-11 2:52 ` Tian, Kevin
2016-07-06 15:51 ` [PATCH v3 3/8] x86/vm-event/monitor: don't compromise monitor_write_data on domain cleanup Corneliu ZUZU
2016-07-08 7:35 ` Jan Beulich
2016-07-08 10:28 ` Corneliu ZUZU
2016-07-08 10:38 ` Jan Beulich
2016-07-06 15:52 ` [PATCH v3 4/8] x86/vm_event/monitor/cr: check for vm-event subscriber on domctl Corneliu ZUZU
2016-07-06 16:01 ` Jan Beulich
2016-07-06 16:15 ` Corneliu ZUZU
2016-07-06 16:20 ` Corneliu ZUZU
2016-07-07 7:30 ` Jan Beulich
2016-07-07 7:53 ` Corneliu ZUZU
2016-07-07 8:18 ` Corneliu ZUZU [this message]
2016-07-06 15:53 ` [PATCH v3 5/8] x86/vm_event_resume: surround VM_EVENT_REASON_MOV_TO_MSR w/ CONFIG_X86 Corneliu ZUZU
2016-07-06 15:54 ` [PATCH v3 6/8] x86/vm-event: minor ASSERT fix, add 'unlikely' Corneliu ZUZU
2016-07-07 8:27 ` Jan Beulich
2016-07-07 8:35 ` Corneliu ZUZU
2016-07-07 8:53 ` Jan Beulich
2016-07-07 23:24 ` Tamas K Lengyel
2016-07-06 15:55 ` [PATCH v3 7/8] minor fixes (formatting, comments, unused includes etc.) Corneliu ZUZU
2016-07-08 7:56 ` Jan Beulich
2016-07-08 10:37 ` Corneliu ZUZU
2016-07-06 15:55 ` [PATCH v3 8/8] minor #include change Corneliu ZUZU
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e441fda8-ebd9-d484-efa2-2df52cd93b54@bitdefender.com \
--to=czuzu@bitdefender.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=rcojocaru@bitdefender.com \
--cc=tamas@tklengyel.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.