From: Andrew Cooper <andrew.cooper3@citrix.com>
To: <paul@xen.org>, 'Xen-devel' <xen-devel@lists.xenproject.org>
Cc: "'Stefano Stabellini'" <sstabellini@kernel.org>,
"'Julien Grall'" <julien@xen.org>, "'Wei Liu'" <wl@xen.org>,
"'Konrad Rzeszutek Wilk'" <konrad.wilk@oracle.com>,
"'George Dunlap'" <George.Dunlap@eu.citrix.com>,
"'Michał Leszczyński'" <michal.leszczynski@cert.pl>,
"'Jan Beulich'" <JBeulich@suse.com>,
"'Ian Jackson'" <ian.jackson@citrix.com>,
"'Hubert Jasudowicz'" <hubert.jasudowicz@cert.pl>
Subject: Re: [PATCH 4/5] xen/memory: Fix acquire_resource size semantics
Date: Thu, 30 Jul 2020 20:46:25 +0100 [thread overview]
Message-ID: <474ff131-83d8-deff-4e3a-32392ea092b3@citrix.com> (raw)
In-Reply-To: <002b01d6664b$c7eb5f40$57c21dc0$@xen.org>
On 30/07/2020 09:31, Paul Durrant wrote:
>> -----Original Message-----
>> From: Xen-devel <xen-devel-bounces@lists.xenproject.org> On Behalf Of Andrew Cooper
>> Sent: 28 July 2020 12:37
>> To: Xen-devel <xen-devel@lists.xenproject.org>
>> Cc: Hubert Jasudowicz <hubert.jasudowicz@cert.pl>; Stefano Stabellini <sstabellini@kernel.org>; Julien
>> Grall <julien@xen.org>; Wei Liu <wl@xen.org>; Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>; George
>> Dunlap <George.Dunlap@eu.citrix.com>; Andrew Cooper <andrew.cooper3@citrix.com>; Paul Durrant
>> <paul@xen.org>; Jan Beulich <JBeulich@suse.com>; Michał Leszczyński <michal.leszczynski@cert.pl>; Ian
>> Jackson <ian.jackson@citrix.com>
>> Subject: [PATCH 4/5] xen/memory: Fix acquire_resource size semantics
>>
>> Calling XENMEM_acquire_resource with a NULL frame_list is a request for the
>> size of the resource, but the returned 32 is bogus.
>>
>> If someone tries to follow it for XENMEM_resource_ioreq_server, the acquire
>> call will fail as IOREQ servers currently top out at 2 frames, and it is only
>> half the size of the default grant table limit for guests.
>>
>> Also, no users actually request a resource size, because it was never wired up
>> in the sole implemenation of resource aquisition in Linux.
>>
>> Introduce a new resource_max_frames() to calculate the size of a resource, and
>> implement it the IOREQ and grant subsystems.
>>
>> It is impossible to guarentee that a mapping call following a successful size
> s/guarantee/guarantee
>
>> call will succedd (e.g. The target IOREQ server gets destroyed, or the domain
> s/succedd/succeed
>
>> switches from grant v2 to v1). Document the restriction, and use the
>> flexibility to simplify the paths to be lockless.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: George Dunlap <George.Dunlap@eu.citrix.com>
>> CC: Ian Jackson <ian.jackson@citrix.com>
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>> CC: Stefano Stabellini <sstabellini@kernel.org>
>> CC: Wei Liu <wl@xen.org>
>> CC: Julien Grall <julien@xen.org>
>> CC: Paul Durrant <paul@xen.org>
>> CC: Michał Leszczyński <michal.leszczynski@cert.pl>
>> CC: Hubert Jasudowicz <hubert.jasudowicz@cert.pl>
>> ---
>> xen/arch/x86/mm.c | 20 ++++++++++++++++
>> xen/common/grant_table.c | 19 +++++++++++++++
>> xen/common/memory.c | 55 +++++++++++++++++++++++++++++++++----------
>> xen/include/asm-x86/mm.h | 3 +++
>> xen/include/public/memory.h | 16 +++++++++----
>> xen/include/xen/grant_table.h | 8 +++++++
>> xen/include/xen/mm.h | 6 +++++
>> 7 files changed, 110 insertions(+), 17 deletions(-)
>>
>> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
>> index 82bc676553..f73a90a2ab 100644
>> --- a/xen/arch/x86/mm.c
>> +++ b/xen/arch/x86/mm.c
>> @@ -4600,6 +4600,26 @@ int xenmem_add_to_physmap_one(
>> return rc;
>> }
>>
>> +unsigned int arch_resource_max_frames(
>> + struct domain *d, unsigned int type, unsigned int id)
>> +{
>> + unsigned int nr = 0;
>> +
>> + switch ( type )
>> + {
>> +#ifdef CONFIG_HVM
>> + case XENMEM_resource_ioreq_server:
>> + if ( !is_hvm_domain(d) )
>> + break;
>> + /* One frame for the buf-ioreq ring, and one frame per 128 vcpus. */
>> + nr = 1 + DIV_ROUND_UP(d->max_vcpus * sizeof(struct ioreq), PAGE_SIZE);
>> + break;
>> +#endif
>> + }
>> +
>> + return nr;
>> +}
>> +
>> int arch_acquire_resource(struct domain *d, unsigned int type,
>> unsigned int id, unsigned long frame,
>> unsigned int nr_frames, xen_pfn_t mfn_list[])
>> diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
>> index 122d1e7596..0962fc7169 100644
>> --- a/xen/common/grant_table.c
>> +++ b/xen/common/grant_table.c
>> @@ -4013,6 +4013,25 @@ static int gnttab_get_shared_frame_mfn(struct domain *d,
>> return 0;
>> }
>>
>> +unsigned int gnttab_resource_max_frames(struct domain *d, unsigned int id)
>> +{
>> + unsigned int nr = 0;
>> +
>> + /* Don't need the grant lock. This limit is fixed at domain create time. */
>> + switch ( id )
>> + {
>> + case XENMEM_resource_grant_table_id_shared:
>> + nr = d->grant_table->max_grant_frames;
>> + break;
>> +
>> + case XENMEM_resource_grant_table_id_status:
>> + nr = grant_to_status_frames(d->grant_table->max_grant_frames);
> Two uses of d->grant_table, so perhaps define a stack variable for it?
Can do.
> Also, should you not make sure 0 is returned in the case of a v1 table?
This was the case specifically discussed in the commit message, but
perhaps it needs expanding.
Doing so would be buggy.
Some utility is going to query the resource size, and then try to map it
(if it doesn't blindly know the size and/or subset it cares about already).
In between these two hypercalls from the utility, the guest can do a
v1=>v2 or v2=>v1 switch and make the resource spontaneously appear or
disappear.
The only case where we can know for certain whether the resource is
available is when we're in the map hypercall. Therefore, userspace has
to be able to get to the map call if there is potentially a resource
available.
The semantics of the size call are really "this resource might exist,
and if it does, this is how large it is".
As for the grant status frames specifically, I think making them a
mappable resource might have been a poor choice in hind sight.
Only the guest can switch between grant versions. GNTTABOP_set_version
strictly operates on current, unlike most of the other grant hypercalls
which take a domid and let dom0 specify something other than DOMID_SELF.
There is GNTTABOP_get_version, but it is racy to use in the same way as
described above, and if some utility does successfully map the status
frames, what will happen in practice is that a guest attempting to
switch from v2 back to v1 will have the set_version hypercall fail due
to outstanding refs on the frames.
~Andrew
next prev parent reply other threads:[~2020-07-30 19:46 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-28 11:37 [PATCH 0/5] Multiple fixes to XENMEM_acquire_resource Andrew Cooper
2020-07-28 11:37 ` [PATCH 1/5] xen/memory: Introduce CONFIG_ARCH_ACQUIRE_RESOURCE Andrew Cooper
2020-07-29 19:41 ` Jan Beulich
2020-07-30 8:02 ` Paul Durrant
2020-07-30 17:34 ` Andrew Cooper
2020-07-30 18:24 ` Paul Durrant
2020-07-30 9:50 ` Julien Grall
2020-07-30 17:28 ` Andrew Cooper
2020-07-30 18:30 ` Julien Grall
2020-07-28 11:37 ` [PATCH 2/5] xen/gnttab: Rework resource acquisition Andrew Cooper
2020-07-28 14:11 ` Andrew Cooper
2020-07-29 20:02 ` Jan Beulich
2020-09-22 13:10 ` Andrew Cooper
2020-09-22 13:34 ` Jan Beulich
2020-09-22 14:50 ` Andrew Cooper
2020-09-22 16:01 ` Jan Beulich
2020-07-30 8:14 ` Paul Durrant
2020-09-22 13:13 ` Andrew Cooper
2020-07-30 10:56 ` Julien Grall
2020-07-28 11:37 ` [PATCH 3/5] xen/memory: Fix compat XENMEM_acquire_resource for size requests Andrew Cooper
2020-07-29 20:09 ` Jan Beulich
2020-07-30 19:12 ` Andrew Cooper
2020-07-31 7:52 ` Jan Beulich
2020-07-30 8:19 ` Paul Durrant
2020-07-28 11:37 ` [PATCH 4/5] xen/memory: Fix acquire_resource size semantics Andrew Cooper
2020-07-30 8:31 ` Paul Durrant
2020-07-30 12:54 ` Julien Grall
2020-07-30 19:53 ` Andrew Cooper
2020-07-30 19:46 ` Andrew Cooper [this message]
2020-07-30 20:00 ` Julien Grall
2020-07-31 14:31 ` Jan Beulich
2020-07-31 14:44 ` Jan Beulich
2020-07-31 14:53 ` Andrew Cooper
2020-07-28 11:37 ` [PATCH 5/5] tools/foreignmem: Support querying the size of a resource Andrew Cooper
2020-07-28 14:14 ` Andrew Cooper
2020-08-04 14:29 ` Wei Liu
2020-07-30 8:39 ` Paul Durrant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=474ff131-83d8-deff-4e3a-32392ea092b3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=hubert.jasudowicz@cert.pl \
--cc=ian.jackson@citrix.com \
--cc=julien@xen.org \
--cc=konrad.wilk@oracle.com \
--cc=michal.leszczynski@cert.pl \
--cc=paul@xen.org \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).