From: Julien Grall <julien.grall@arm.com>
To: Stefano Stabellini <sstabellini@kernel.org>
Cc: xen-devel@lists.xenproject.org
Subject: Re: [PATCH for-4.12 v2 05/17] xen/arm: p2m: Handle translation fault in get_page_from_gva
Date: Wed, 5 Dec 2018 10:03:05 +0000 [thread overview]
Message-ID: <a0f4fcfd-23bd-9601-8d4d-73929ce65bdb@arm.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1812041556570.527@sstabellini-ThinkPad-X260>
On 04/12/2018 23:59, Stefano Stabellini wrote:
> On Tue, 4 Dec 2018, Julien Grall wrote:
>> A follow-up patch will re-purpose the valid bit of LPAE entries to
>> generate fault even on entry containing valid information.
>>
>> This means that when translating a guest VA to guest PA (e.g IPA) will
>> fail if the Stage-2 entries used have the valid bit unset. Because of
>> that, we need to fallback to walk the page-table in software to check
>> whether the fault was expected.
>>
>> This patch adds the software page-table walk on all the translation
>> fault. It would be possible in the future to avoid pointless walk when
>> the fault in PAR_EL1 is not a translation fault.
>>
>> Signed-off-by: Julien Grall <julien.grall@arm.com>
>>
>> ---
>>
>> There are a couple of TODO in the code. They are clean-up and performance
>> improvement (e.g when the fault cannot be handled) that could be delayed after
>> the series has been merged.
>>
>> Changes in v2:
>> - Check stage-2 permission during software lookup
>> - Fix typoes
>> ---
>> xen/arch/arm/p2m.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------
>> 1 file changed, 59 insertions(+),should 7 deletions(-)
>>
>> diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
>> index 47b54c792e..39680eeb6e 100644
>> --- a/xen/arch/arm/p2m.c
>> +++ b/xen/arch/arm/p2m.c
>> @@ -6,6 +6,7 @@
>>
>> #include <asm/event.h>
>> #include <asm/flushtlb.h>
>> +#include <asm/guest_walk.h>
>> #include <asm/page.h>
>>
>> #define MAX_VMID_8_BIT (1UL << 8)
>> @@ -1430,6 +1431,8 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
>> struct page_info *page = NULL;
>> paddr_t maddr = 0;
>> uint64_t par;
>> + mfn_t mfn;
>> + p2m_type_t t;
>>
>> /*
>> * XXX: To support a different vCPU, we would need to load the
>> @@ -1446,8 +1449,29 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
>> par = gvirt_to_maddr(va, &maddr, flags);
>> p2m_read_unlock(p2m);
>>
>> + /*
>> + * gvirt_to_maddr may fail if the entry does not have the valid bit
>> + * set. Fallback to the second method:
>> + * 1) Translate the VA to IPA using software lookup -> Stage-1 page-table
>> + * may not be accessible because the stage-2 entries may have valid
>> + * bit unset.
>> + * 2) Software lookup of the MFN
>> + *
>> + * Note that when memaccess is enabled, we instead call directly
>> + * p2m_mem_access_check_and_get_page(...). Because the function is a
>> + * a variant of the methods described above, it will be able to
>> + * handle entries with valid bit unset.
>> + *
>> + * TODO: Integrate more nicely memaccess with the rest of the
>> + * function.
>> + * TODO: Use the fault error in PAR_EL1 to avoid pointless
>> + * translation.
>> + */
>> if ( par )
>> {
>> + paddr_t ipa;
>> + unsigned int s1_perms;
>> +
>> /*
>> * When memaccess is enabled, the translation GVA to MADDR may
>> * have failed because of a permission fault.
>> @@ -1455,20 +1479,48 @@ struct page_info *get_page_from_gva(struct vcpu *v, vaddr_t va,
>> if ( p2m->mem_access_enabled )
>> return p2m_mem_access_check_and_get_page(va, flags, v);
>>
>> - dprintk(XENLOG_G_DEBUG,
>> - "%pv: gvirt_to_maddr failed va=%#"PRIvaddr" flags=0x%lx par=%#"PRIx64"\n",
>> - v, va, flags, par);
>> - return NULL;
>> + /*
>> + * The software stage-1 table walk can still fail, e.g, if the
>> + * GVA is not mapped.
>> + */
>> + if ( !guest_walk_tables(v, va, &ipa, &s1_perms) )
>> + {
>> + dprintk(XENLOG_G_DEBUG,
>> + "%pv: Failed to walk page-table va %#"PRIvaddr"\n", v, va);
>> + return NULL;
>> + }
>> +
>> + mfn = p2m_lookup(d, gaddr_to_gfn(ipa), &t);
>> + if ( mfn_eq(INVALID_MFN, mfn) || !p2m_is_ram(t) )
>> + return NULL;
>> +
>> + /*
>> + * Check permission that are assumed by the caller. For instance
>> + * in case of guestcopy, the caller assumes that the translated
>> + * page can be accessed with the requested permissions. If this
>> + * is not the case, we should fail.
>> + *
>> + * Please note that we do not check for the GV2M_EXEC
>> + * permission. This is fine because the hardware-based translation
>> + * instruction does not test for execute permissions.
>> + */
>> + if ( (flags & GV2M_WRITE) && !(s1_perms & GV2M_WRITE) )
>> + return NULL;
>> +
>> + if ( (flags & GV2M_WRITE) && t != p2m_ram_rw )
>> + return NULL;
>
> The patch looks good enough now. One question: is it a requirement that
> the page we are trying to translate is of type p2m_ram_*? Could
> get_page_from_gva be genuinely called passing a page of a different
> kind, such as p2m_mmio_direct_* or p2m_map_foreign? Today, it is not the
> case, but I wonder if it is something we want to consider?
This function can only possibly work with p2m_ram_* because of the get_page(...)
below, indeed the page should belong to the domain.
Effectively this function will only be used for hypercall as you use a virtual
address. I question the value of allowing a guest to do a hypercall with the
data backed in any other memories than guest RAM. For the foreign mapping, this
could potentially end up with a leakage.
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-12-05 10:03 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-04 20:26 [PATCH for-4.12 v2 00/17] xen/arm: Implement Set/Way operations Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 01/17] xen/arm: Introduce helpers to clear/flags flags in HCR_EL2 Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 02/17] xen/arm: traps: Move the implementation of GUEST_BUG_ON in traps.h Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 03/17] xen/arm: p2m: Clean-up headers included and order them alphabetically Julien Grall
2018-12-04 23:47 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 04/17] xen/arm: p2m: Introduce p2m_is_valid and use it Julien Grall
2018-12-04 23:50 ` Stefano Stabellini
2018-12-05 9:46 ` Julien Grall
2018-12-06 22:02 ` Stefano Stabellini
2018-12-07 10:14 ` Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 05/17] xen/arm: p2m: Handle translation fault in get_page_from_gva Julien Grall
2018-12-04 23:59 ` Stefano Stabellini
2018-12-05 10:03 ` Julien Grall [this message]
2018-12-06 22:04 ` Stefano Stabellini
2018-12-07 10:16 ` Julien Grall
2018-12-07 16:56 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 06/17] xen/arm: p2m: Introduce a function to resolve translation fault Julien Grall
2018-12-06 22:33 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 07/17] xen/arm: vcpreg: Add wrappers to handle co-proc access trapped by HCR_EL2.TVM Julien Grall
2018-12-06 22:33 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 08/17] xen/arm: vsysreg: Add wrapper to handle sysreg " Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 09/17] xen/arm: Rework p2m_cache_flush to take a range [begin, end) Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 10/17] xen/arm: p2m: Allow to flush cache on any RAM region Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 11/17] xen/arm: p2m: Extend p2m_get_entry to return the value of bit[0] (valid bit) Julien Grall
2018-12-04 20:35 ` Razvan Cojocaru
2018-12-06 22:32 ` Stefano Stabellini
2018-12-07 10:17 ` Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 12/17] xen/arm: traps: Rework leave_hypervisor_tail Julien Grall
2018-12-06 23:08 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 13/17] xen/arm: p2m: Rework p2m_cache_flush_range Julien Grall
2018-12-06 23:53 ` Stefano Stabellini
2018-12-07 10:18 ` Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 14/17] xen/arm: domctl: Use typesafe gfn in XEN_DOMCTL_cacheflush Julien Grall
2018-12-06 23:13 ` Stefano Stabellini
2018-12-04 20:26 ` [PATCH for-4.12 v2 15/17] xen/arm: p2m: Add support for preemption in p2m_cache_flush_range Julien Grall
2018-12-06 23:32 ` Stefano Stabellini
2018-12-07 11:15 ` Julien Grall
2018-12-07 22:11 ` Stefano Stabellini
2018-12-11 16:11 ` Julien Grall
2018-12-04 20:26 ` [PATCH for-4.12 v2 16/17] xen/arm: Implement Set/Way operations Julien Grall
2018-12-06 23:32 ` Stefano Stabellini
2018-12-07 13:22 ` Julien Grall
2018-12-07 21:29 ` Stefano Stabellini
2018-12-12 15:33 ` Julien Grall
2018-12-12 17:25 ` Stefano Stabellini
2018-12-12 17:49 ` Dario Faggioli
2018-12-04 20:26 ` [PATCH for-4.12 v2 17/17] xen/arm: Track page accessed between batch of " Julien Grall
2018-12-05 8:37 ` Jan Beulich
2018-12-07 13:24 ` Julien Grall
2018-12-06 12:21 ` Julien Grall
2018-12-07 21:52 ` Stefano Stabellini
2018-12-07 21:43 ` Stefano Stabellini
2018-12-11 16:22 ` Julien Grall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a0f4fcfd-23bd-9601-8d4d-73929ce65bdb@arm.com \
--to=julien.grall@arm.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).