From: Jan Beulich <jbeulich@suse.com>
To: George Dunlap <george.dunlap@citrix.com>
Cc: "George Dunlap" <George.Dunlap@eu.citrix.com>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Subject: Re: [Xen-devel] [PATCH 1/4] x86/mm: mod_l<N>_entry() have no need to use __copy_from_user()
Date: Fri, 20 Dec 2019 16:00:23 +0100
Message-ID: <bac4bd7d-4985-9dfe-c644-270b288c435f@suse.com>
In-Reply-To: <e88e6746-c544-d53d-7251-0a3faf905f77@citrix.com>

On 20.12.2019 15:54, George Dunlap wrote:
> On 12/20/19 2:52 PM, Jan Beulich wrote:
>> On 20.12.2019 15:47, George Dunlap wrote:
>>> On 12/20/19 2:42 PM, Andrew Cooper wrote:
>>>> On 20/12/2019 14:19, Jan Beulich wrote:
>>>>> mod_l1_entry()'s need to do so went away with commit 2d0557c5cb ("x86:
>>>>> Fold page_info lock into type_info"), and the other three never had such
>>>>> a need, at least going back as far as 3.2.0.
>>>>>
>>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>>>
>>>> These presumably want ACCESS_ONCE() to avoid introducing repeated read
>>>> vulnerabilities?  While the mappings might be safe, they still point to
>>>> live guest data.
>>>
>>> The L1 itself should be mapped read-only by the guest, and locked at
>>> this point, no?
>>
>> True, but I think it won't hurt to use ACCESS_ONCE() nevertheless
>> - it makes the code more obviously safe independent of any locking
>> knowledge.
> 
> But that might give someone the idea that it *was* safe to do the
> type adjustments without the page being locked, which it certainly isn't.

It isn't in the common case, but we couldn't, for example, put
in ASSERT()s in place of using ACCESS_ONCE(), as new_guest_cr3()'s
use of mod_l4_entry() is without lock, yet still safe (because of
acting on the otherwise immutable L4 table of a 32-bit guest).
FAOD this code path also doesn't need the ACCESS_ONCE() (for the
same reason).

Jan
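
The repeated-read concern raised in the quoted review, as an added example that is not part of this thread or of Xen's code: one routine checks an entry and then reads it again, the other takes a single snapshot first. The flag values, the function names and the `race_window()` stand-in for a concurrent writer are assumptions made for the demonstration, and `ACCESS_ONCE` is defined locally in the usual volatile-cast style.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One volatile load, in the usual style of the macro named in the thread. */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))
#define DEMO_PRESENT 0x1ULL /* constructed flag layout, not Xen's */
#define DEMO_RW      0x2ULL

/* Stand-in for another CPU writing the entry between two reads. */
static uint64_t *racing_slot;
static void race_window(void)
{
    if (racing_slot)
        *racing_slot |= DEMO_RW;
}

/* Reads the entry twice: checked value and used value can differ. */
static bool install_double_read(uint64_t *src, uint64_t *dst)
{
    if (*src & DEMO_RW) /* first read: policy check */
        return false;
    race_window();
    *dst = *src;        /* second read: value actually used */
    return true;
}

/* Reads the entry once: check and use see the same snapshot. */
static bool install_single_read(uint64_t *src, uint64_t *dst)
{
    uint64_t e = ACCESS_ONCE(*src);
    if (e & DEMO_RW)
        return false;
    race_window();
    *dst = e;
    return true;
}

/* Runs one variant on a constructed entry that changes mid-call. */
static uint64_t run_demo(bool (*install)(uint64_t *, uint64_t *))
{
    uint64_t shared = DEMO_PRESENT, installed = 0;
    racing_slot = &shared;
    install(&shared, &installed);
    racing_slot = NULL;
    return installed;
}
```

When the source location cannot change underneath the reader, which is the locked or immutable case the replies discuss, both routines install the same value.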

Thread overview: 17+ messages
2019-12-20 14:16 [Xen-devel] [PATCH 0/4] x86/mm: XSA-299 / 309 / 310 follow-up Jan Beulich
2019-12-20 14:19 ` [Xen-devel] [PATCH 1/4] x86/mm: mod_l<N>_entry() have no need to use __copy_from_user() Jan Beulich
2019-12-20 14:42   ` Andrew Cooper
2019-12-20 14:47     ` George Dunlap
2019-12-20 14:52       ` Jan Beulich
2019-12-20 14:54         ` George Dunlap
2019-12-20 15:00           ` Jan Beulich [this message]
2019-12-20 14:48     ` Jan Beulich
2019-12-20 14:19 ` [Xen-devel] [PATCH 2/4] x86/mm: rename and tidy create_pae_xen_mappings() Jan Beulich
2019-12-20 15:33   ` Andrew Cooper
2020-01-06 14:23     ` Jan Beulich
2019-12-20 14:19 ` [Xen-devel] [PATCH 3/4] x86/mm: avoid IOMMU operations in more cases in _get_page_type() Jan Beulich
2019-12-20 14:47   ` Andrew Cooper
2019-12-20 14:20 ` [Xen-devel] [PATCH 4/4] x86/mm: drop redundant smp_wmb() from _put_final_page_type() Jan Beulich
2019-12-20 14:51   ` Andrew Cooper
2019-12-20 14:55     ` Jan Beulich
2019-12-20 14:59       ` Andrew Cooper
