xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Stefano Stabellini <sstabellini@kernel.org>
To: Julien Grall <julien.grall@arm.com>
Cc: xen-devel@lists.xenproject.org,
	Stefano Stabellini <sstabellini@kernel.org>,
	Andrii Anisov <Andrii_Anisov@epam.com>,
	Oleksandr_Tyshchenko@epam.com
Subject: Re: [Xen-devel] [PATCH MM-PART3 v2 11/12] xen/arm: mm: Don't open-code Xen PT update in {set, clear}_fixmap()
Date: Thu, 13 Jun 2019 11:51:21 -0700 (PDT)	[thread overview]
Message-ID: <alpine.DEB.2.21.1906131140290.13737@sstabellini-ThinkPad-T480s> (raw)
In-Reply-To: <a7874b6c-08b4-28a0-cb5f-ea7f7b23e2e7@arm.com>

On Thu, 13 Jun 2019, Julien Grall wrote:
> Hi Stefano,
> 
> On 6/12/19 11:33 PM, Stefano Stabellini wrote:
> > On Tue, 14 May 2019, Julien Grall wrote:
> > > {set, clear}_fixmap() are currently open-coding update to the Xen
> > > page-tables. This can be avoided by using the generic helpers
> > > map_pages_to_xen() and destroy_xen_mappings().
> > > 
> > > Both function are not meant to fail for fixmap, hence the BUG_ON()
> > > checking the return.
> > 
> > BUG_ON crashes the hypervisor even in non-DEBUG builds. Would an ASSERT
> > be a better choice?
> The ASSERT() would disappear in non-debug potentially leading to unknown
> consequence.
> 
> If we imagine that map_pages_to_xen() fails, then it likely means that mapping
> has not been done/removed.
> 
> As set_fixmap() does not return an error, this means that the user may try to
> access an invalid mapping and therefore crash the hypervisor.
> 
> As clear_fixmap() does not return an error, this means that subsequent
> set_fixmap() may fail because map_pages_to_xen() does not allow to replace
> valid mapping.
>
> Ideally we would want to propagate the error, however all the call to the
> functions happen during boot. So most likely the user will panic/BUG_ON as you
> this hint something has gone really wrong and we don't want to continue
> further.

I think the basic principle is that with BUG_ON is "easy" for a guest to
be able to trigger it, potentially causing a DOS. Without the BUG_ON,
the guest is unlikely to be able to trigger a crash. However, if all the
calls happen during boot in regards to operations that have nothing to
do with guests behavior, then it is fine.

I checked all the call sites and I agree that in this case they are all
done during boot only. So in this case it is OK to have the
panic/BUG_ON.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2019-06-13 18:51 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-14 12:31 [PATCH MM-PART3 v2 00/12] xen/arm: Provide a generic function to update Xen PT Julien Grall
2019-05-14 12:31 ` [Xen-devel] " Julien Grall
2019-05-14 12:31 ` [PATCH MM-PART3 v2 01/12] xen/arm: lpae: Add a macro to generate offsets from an address Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 18:21   ` Stefano Stabellini
2019-06-11 18:27     ` Julien Grall
2019-05-14 12:31 ` [PATCH MM-PART3 v2 02/12] xen/arm: mm: Rename create_xen_entries() to xen_pt_update() Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 18:23   ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 03/12] xen/arm: mm: Move out of xen_pt_update() the logic to update an entry Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 18:29   ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 04/12] xen/arm: mm: Only increment mfn when valid in xen_pt_update Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 18:37   ` Stefano Stabellini
2019-06-11 19:56     ` [Xen-devel] Checking INVALID_MFN in mfn_add (WAS: Re: [PATCH MM-PART3 v2 04/12] xen/arm: mm: Only increment mfn when valid in xen_pt_update) Julien Grall
2019-06-11 20:24       ` Andrew Cooper
2019-06-12 12:47         ` Julien Grall
2019-06-12 15:57           ` Stefano Stabellini
2019-06-12  7:53       ` Jan Beulich
2019-05-14 12:31 ` [PATCH MM-PART3 v2 05/12] xen/arm: mm: Introduce _PAGE_PRESENT and _PAGE_POPULATE Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 22:35   ` Stefano Stabellini
2019-06-12 13:00     ` Julien Grall
2019-05-14 12:31 ` [PATCH MM-PART3 v2 06/12] xen/arm: mm: Sanity check any update of Xen page tables Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12  0:10   ` Stefano Stabellini
2019-06-12 14:48     ` Julien Grall
2019-06-12 15:54       ` Stefano Stabellini
2019-06-12 15:58         ` Julien Grall
2019-05-14 12:31 ` [PATCH MM-PART3 v2 07/12] xen/arm: mm: Rework xen_pt_update_entry to avoid use xenmap_operation Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12 22:22   ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 08/12] xen/arm: mm: Remove enum xenmap_operation Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-11 22:38   ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 09/12] xen/arm: mm: Use {, un}map_domain_page() to map/unmap Xen page-tables Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12 22:25   ` Stefano Stabellini
2019-06-13  8:07     ` Julien Grall
2019-06-13 17:55       ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 10/12] xen/arm: mm: Rework Xen page-tables walk during update Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12 22:52   ` Stefano Stabellini
2019-06-13  8:20     ` Julien Grall
2019-06-13 17:59       ` Stefano Stabellini
2019-06-13 21:32         ` Julien Grall
2019-06-13 22:57           ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 11/12] xen/arm: mm: Don't open-code Xen PT update in {set, clear}_fixmap() Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12 22:33   ` Stefano Stabellini
2019-06-13  8:31     ` Julien Grall
2019-06-13 18:51       ` Stefano Stabellini [this message]
2019-06-13 21:21         ` Julien Grall
2019-06-13 22:55           ` Stefano Stabellini
2019-05-14 12:31 ` [PATCH MM-PART3 v2 12/12] xen/arm: mm: Remove set_pte_flags_on_range() Julien Grall
2019-05-14 12:31   ` [Xen-devel] " Julien Grall
2019-06-12 22:41   ` Stefano Stabellini
2019-06-13  8:51     ` Julien Grall
2019-06-13 18:04       ` Stefano Stabellini
2019-06-13 21:22         ` Julien Grall
2019-05-29 17:23 ` [PATCH MM-PART3 v2 00/12] xen/arm: Provide a generic function to update Xen PT Julien Grall
2019-05-29 17:23   ` [Xen-devel] " Julien Grall
2019-06-10 10:08   ` Julien Grall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.21.1906131140290.13737@sstabellini-ThinkPad-T480s \
    --to=sstabellini@kernel.org \
    --cc=Andrii_Anisov@epam.com \
    --cc=Oleksandr_Tyshchenko@epam.com \
    --cc=julien.grall@arm.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).