WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-ia64-devel

Re: [Xen-ia64-devel] PATCH: cleanup of tlbflush

To: "Tian, Kevin" <kevin.tian@xxxxxxxxx>
Subject: Re: [Xen-ia64-devel] PATCH: cleanup of tlbflush
From: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>
Date: Thu, 11 May 2006 12:06:56 +0900
Cc: Tristan Gingold <Tristan.Gingold@xxxxxxxx>, xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 10 May 2006 20:07:09 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <571ACEFD467F7749BC50E0A98C17CDD8094E7C01@pdsmsx403>
List-help: <mailto:xen-ia64-devel-request@lists.xensource.com?subject=help>
List-id: Discussion of the ia64 port of Xen <xen-ia64-devel.lists.xensource.com>
List-post: <mailto:xen-ia64-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=unsubscribe>
References: <571ACEFD467F7749BC50E0A98C17CDD8094E7C01@pdsmsx403>
Sender: xen-ia64-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.2.1i
On Thu, May 11, 2006 at 10:39:52AM +0800, Tian, Kevin wrote:

> >It will get an undesirable result or xen destroys it as a result.
> >The issue here is that trusting dom0 when unmapping granted pages
> >may affect a whole system or xen itself potentially.
> 
> Xen itself will not be affected. The granted frame or mapping virtual 
> address always belong to domain, instead of xen itself.

Xen can be affected potentially.
It is possible for a domain to return pages to xen
by XENMEM_decrease_reservation.
Please consider followings
1. domain A grants dom0 to map a page.
2. dom0 maps the page, accesses it and unmaps it lying virtual address.
3. xen flushes it but the virtual address is wrong.
   Here dom0 might be able to access the page.
4. domain A returns the page to xen by XENMEM_decrease_reservation.
5. Xen reuses the page for its own purpose.
6. dom0 overwrites the page via the true virtual address.
   Xen's data are destroyed.

Presumably at 4./5. xen can defer freeing the page.


> Dom0 can't destroy data of xen. If yes, that's a bug.
>
> Dom0 can destroy data of any other domain. No way to prevent that 
> by Xen.
> 
> So dom0 needs to be well cooperative with Xen to ensure a safe environment.

agreed.

-- 
yamahata

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel