From: Roger Pau Monne <roger.pau@citrix.com>
To: <xen-devel@lists.xenproject.org>
Cc: Roger Pau Monne <roger.pau@citrix.com>,
Ian Jackson <iwj@xenproject.org>, Wei Liu <wl@xen.org>,
Andrew Cooper <andrew.cooper3@citrix.com>,
"George Dunlap" <george.dunlap@citrix.com>,
Jan Beulich <jbeulich@suse.com>, "Julien Grall" <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>,
"Anthony PERARD" <anthony.perard@citrix.com>,
Juergen Gross <jgross@suse.com>
Subject: [PATCH 6/6] gnttab: allow disabling grant table per-domain
Date: Fri, 17 Sep 2021 17:46:25 +0200 [thread overview]
Message-ID: <20210917154625.89315-7-roger.pau@citrix.com> (raw)
In-Reply-To: <20210917154625.89315-1-roger.pau@citrix.com>
Allow setting max_grant_version to 0 in order to disable grant table
usage by a domain. This prevents allocating the grant-table structure
inside of Xen and requires guards to be added in several functions in
order to prevent dereferencing the structure.
Note that a domain without a grant table could still use some of the
grant related hypercalls, it could for example issue a GNTTABOP_copy
of a grant reference from a remote domain into a local frame.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
docs/man/xl.cfg.5.pod.in | 4 +-
tools/libs/light/libxl_dom.c | 2 +-
xen/common/grant_table.c | 97 ++++++++++++++++++++++++++++++++++--
3 files changed, 95 insertions(+), 8 deletions(-)
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index c5a447dfcd..d507540c2c 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -583,8 +583,8 @@ L<xl.conf(5)>.
=item B<max_grant_version=NUMBER>
Specify the maximum grant table version the domain is allowed to use. Current
-supported versions are 1 and 2. The default value is settable via
-L<xl.conf(5)>.
+supported versions are 1 and 2. Setting to 0 disables the grant table for the
+domain. The default value is settable via L<xl.conf(5)>.
=item B<transitive_grants=BOOLEAN>
diff --git a/tools/libs/light/libxl_dom.c b/tools/libs/light/libxl_dom.c
index e9f58ee4b2..afc8b88497 100644
--- a/tools/libs/light/libxl_dom.c
+++ b/tools/libs/light/libxl_dom.c
@@ -598,7 +598,7 @@ static int libxl__build_dom(libxl__gc *gc, uint32_t domid,
LOGE(ERROR, "xc_dom_boot_image failed");
goto out;
}
- if ( (ret = xc_dom_gnttab_init(dom)) != 0 ) {
+ if ( info->max_grant_version && (ret = xc_dom_gnttab_init(dom)) != 0 ) {
LOGE(ERROR, "xc_dom_gnttab_init failed");
goto out;
}
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 280dbc850a..68ea742498 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1027,6 +1027,12 @@ map_grant_ref(
}
lgt = ld->grant_table;
+ if ( !lgt )
+ {
+ gdprintk(XENLOG_INFO, "%pd has no grant table\n", ld);
+ op->status = GNTST_bad_domain;
+ return;
+ }
handle = get_maptrack_handle(lgt);
if ( unlikely(handle == INVALID_MAPTRACK_HANDLE) )
{
@@ -1037,6 +1043,14 @@ map_grant_ref(
}
rgt = rd->grant_table;
+ if ( !rgt )
+ {
+ put_maptrack_handle(lgt, handle);
+ rcu_unlock_domain(rd);
+ gdprintk(XENLOG_INFO, "%pd has no grant table\n", rd);
+ op->status = GNTST_bad_domain;
+ return;
+ }
grant_read_lock(rgt);
/* Bounds check on the grant ref */
@@ -1367,6 +1381,13 @@ unmap_common(
ld = current->domain;
lgt = ld->grant_table;
+ if ( !lgt )
+ {
+ gdprintk(XENLOG_INFO, "%pd has no grant table\n", ld);
+ op->status = GNTST_bad_domain;
+ return;
+ }
+
if ( unlikely(op->handle >= lgt->maptrack_limit) )
{
gdprintk(XENLOG_INFO, "Bad d%d handle %#x\n",
@@ -1406,6 +1427,13 @@ unmap_common(
TRACE_1D(TRC_MEM_PAGE_GRANT_UNMAP, dom);
rgt = rd->grant_table;
+ if ( !rgt )
+ {
+ rcu_unlock_domain(rd);
+ gdprintk(XENLOG_INFO, "%pd has no grant table\n", rd);
+ op->status = GNTST_bad_domain;
+ return;
+ }
grant_read_lock(rgt);
@@ -1556,6 +1584,12 @@ unmap_common_complete(struct gnttab_unmap_common *op)
rcu_lock_domain(rd);
rgt = rd->grant_table;
+ if ( !rgt )
+ {
+ rcu_unlock_domain(rd);
+ op->status = GNTST_bad_domain;
+ return;
+ }
grant_read_lock(rgt);
@@ -1931,10 +1965,7 @@ int grant_table_init(struct domain *d, int max_grant_frames,
if ( max_grant_version < 0 )
max_grant_version = opt_gnttab_max_version;
if ( !max_grant_version )
- {
- dprintk(XENLOG_INFO, "Invalid grant table version 0 requested\n");
- return -EINVAL;
- }
+ return 0;
if ( max_grant_version > opt_gnttab_max_version )
{
dprintk(XENLOG_INFO,
@@ -2056,6 +2087,11 @@ gnttab_setup_table(
}
gt = d->grant_table;
+ if ( !gt )
+ {
+ op.status = GNTST_bad_domain;
+ goto out;
+ }
grant_write_lock(gt);
if ( unlikely(op.nr_frames > gt->max_grant_frames) )
@@ -2138,6 +2174,11 @@ gnttab_query_size(
}
gt = d->grant_table;
+ if ( !gt )
+ {
+ op.status = GNTST_bad_domain;
+ goto out;
+ }
grant_read_lock(gt);
@@ -2302,6 +2343,13 @@ gnttab_transfer(
goto put_gfn_and_copyback;
}
+ if ( unlikely(!e->grant_table) )
+ {
+ gdprintk(XENLOG_INFO, "%pd has no grant table\n", e);
+ gop.status = GNTST_bad_domain;
+ goto unlock_and_copyback;
+ }
+
if ( xsm_grant_transfer(XSM_HOOK, d, e) )
{
gop.status = GNTST_permission_denied;
@@ -2888,6 +2936,12 @@ static int gnttab_copy_claim_buf(const struct gnttab_copy *op,
if ( op->flags & gref_flag )
{
+ if ( !buf->domain->grant_table )
+ {
+ rc = GNTST_bad_domain;
+ goto out;
+ }
+
rc = acquire_grant_for_copy(buf->domain, ptr->u.ref,
current->domain->domain_id,
buf->read_only,
@@ -3092,6 +3146,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop)
int res;
unsigned int i, nr_ents;
+ if ( !gt )
+ return -ENODEV;
+
if ( copy_from_guest(&op, uop, 1) )
return -EFAULT;
@@ -3270,6 +3327,11 @@ gnttab_get_status_frames(XEN_GUEST_HANDLE_PARAM(gnttab_get_status_frames_t) uop,
}
gt = d->grant_table;
+ if ( !gt )
+ {
+ op.status = GNTST_bad_domain;
+ goto out2;
+ }
op.status = GNTST_okay;
@@ -3332,7 +3394,11 @@ gnttab_get_version(XEN_GUEST_HANDLE_PARAM(gnttab_get_version_t) uop)
return rc;
}
- op.version = d->grant_table->gt_version;
+ if ( d->grant_table )
+ op.version = d->grant_table->gt_version;
+ else
+ /* Use 0 to signal no grant table. */
+ op.version = 0;
rcu_unlock_domain(d);
@@ -3351,6 +3417,12 @@ swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
struct active_grant_entry *act_b = NULL;
s16 rc = GNTST_okay;
+ if ( !gt )
+ {
+ rcu_unlock_domain(d);
+ return GNTST_bad_domain;
+ }
+
grant_write_lock(gt);
/* Bounds check on the grant refs */
@@ -3872,6 +3944,9 @@ void grant_table_warn_active_grants(struct domain *d)
#define WARN_GRANT_MAX 10
+ if ( !gt )
+ return;
+
grant_read_lock(gt);
nr_ents = nr_grant_entries(gt);
@@ -3953,6 +4028,9 @@ int mem_sharing_gref_to_gfn(struct grant_table *gt, grant_ref_t ref,
int rc = 0;
uint16_t flags = 0;
+ if ( !gt )
+ return -ENODEV;
+
grant_read_lock(gt);
if ( gt->gt_version < 1 )
@@ -4069,6 +4147,9 @@ unsigned int gnttab_resource_max_frames(const struct domain *d, unsigned int id)
const struct grant_table *gt = d->grant_table;
unsigned int nr = 0;
+ if ( !gt )
+ return 0;
+
/* Don't need the grant lock. This limit is fixed at domain create time. */
switch ( id )
{
@@ -4100,6 +4181,9 @@ int gnttab_acquire_resource(
if ( !nr_frames )
return rc;
+ if ( !gt )
+ return -ENODEV;
+
final_frame = frame + nr_frames - 1;
/* Grow table if necessary. */
@@ -4156,6 +4240,9 @@ int gnttab_map_frame(struct domain *d, unsigned long idx, gfn_t gfn, mfn_t *mfn)
struct grant_table *gt = d->grant_table;
bool status = false;
+ if ( !gt )
+ return -ENODEV;
+
grant_write_lock(gt);
if ( evaluate_nospec(gt->gt_version == 2) && (idx & XENMAPIDX_grant_table_status) )
--
2.33.0
next prev parent reply other threads:[~2021-09-17 15:47 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-17 15:46 [PATCH 0/6] gnttab: add per-domain controls Roger Pau Monne
2021-09-17 15:46 ` [PATCH 1/6] gnttab: allow setting max version per-domain Roger Pau Monne
2021-09-17 15:46 ` [PATCH 2/6] gnttab: allow per-domain control over transitive grants Roger Pau Monne
2021-09-20 9:32 ` Andrew Cooper
2021-09-20 11:45 ` Roger Pau Monné
2021-09-17 15:46 ` [PATCH 3/6] tools/console: use xenforeigmemory to map console ring Roger Pau Monne
2021-09-20 10:32 ` Ian Jackson
2021-09-17 15:46 ` [PATCH 4/6] tools/xenstored: use atexit to close interfaces Roger Pau Monne
2021-09-20 7:17 ` Roger Pau Monné
2021-09-20 9:22 ` Juergen Gross
2021-09-20 10:53 ` Roger Pau Monné
2021-09-20 10:57 ` Ian Jackson
2021-09-20 11:02 ` Juergen Gross
2021-09-20 12:21 ` Ian Jackson
2021-09-20 10:34 ` Ian Jackson
2021-09-20 10:39 ` Juergen Gross
2021-09-17 15:46 ` [PATCH DNA 5/6] tools/xenstored: restore support for mapping ring as foreign memory Roger Pau Monne
2021-09-20 8:24 ` Juergen Gross
2021-09-20 10:42 ` Roger Pau Monné
2021-09-20 10:51 ` Juergen Gross
2021-09-20 10:35 ` Ian Jackson
2021-09-17 15:46 ` Roger Pau Monne [this message]
2021-09-17 16:06 ` [PATCH 0/6] gnttab: add per-domain controls Christian Lindig
2021-09-20 7:26 ` Roger Pau Monné
2021-09-20 8:24 ` Edwin Torok
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210917154625.89315-7-roger.pau@citrix.com \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=iwj@xenproject.org \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=julien@xen.org \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).