[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v4] gnttab: don't expose host physical address without need

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Thu, 5 Dec 2019 16:34:10 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Thu, 05 Dec 2019 15:33:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Translated domains shouldn't see host physical addresses. While the
address is also not supposed to be handed back even to non-translated
domains when GNTMAP_device_map is not set (as explicitly stated by a
comment in the public header), PV kernels (Linux at least) assume the
field to get populated nevertheless. (Similarly mapkind() should check
only GNTMAP_device_map.)

Along these lines split the paging mode related check near the top of
map_grant_ref() to handle the "external" and "translated" cases
separately (GNTMAP_device_map use getting tied to being non-translated
rather than non-external).

Still along these lines in the unmapping case there's no point checking
->dev_bus_addr when GNTMAP_device_map isn't set (and hence the field
isn't going to be consumed).

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
v4: Re-base over dropped patches.
v3: New.

--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -967,10 +967,16 @@ map_grant_ref(
     }
 
     if ( unlikely(paging_mode_external(ld) &&
-                  (op->flags & (GNTMAP_device_map|GNTMAP_application_map|
-                            GNTMAP_contains_pte))) )
+                  (op->flags & (GNTMAP_application_map|GNTMAP_contains_pte))) )
     {
-        gdprintk(XENLOG_INFO, "No device mapping in HVM domain\n");
+        gdprintk(XENLOG_INFO, "No app/pte mapping in HVM domain\n");
+        op->status = GNTST_general_error;
+        return;
+    }
+
+    if ( paging_mode_translate(ld) && unlikely(op->flags & GNTMAP_device_map) )
+    {
+        gdprintk(XENLOG_INFO, "No device mapping in translated domain\n");
         op->status = GNTST_general_error;
         return;
     }
@@ -1213,7 +1219,8 @@ map_grant_ref(
     if ( need_iommu )
         double_gt_unlock(lgt, rgt);
 
-    op->dev_bus_addr = mfn_to_maddr(mfn);
+    op->dev_bus_addr = paging_mode_translate(ld) ? op->host_addr
+                                                 : mfn_to_maddr(mfn);
     op->handle       = handle;
     op->status       = GNTST_okay;
 
@@ -1394,7 +1401,7 @@ unmap_common(
 
     op->mfn = act->mfn;
 
-    if ( op->dev_bus_addr &&
+    if ( op->dev_bus_addr && (flags & GNTMAP_device_map) &&
          unlikely(op->dev_bus_addr != mfn_to_maddr(act->mfn)) )
         PIN_FAIL(act_release_out, GNTST_general_error,
                  "Bus address doesn't match gntref (%"PRIx64" != 
%"PRIpaddr")\n",

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v4] gnttab: don't expose host physical address without need
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v4] gnttab: don't expose host physical address without need
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH] cmdline: treat hyphens and underscores the same
Next by Date: Re: [Xen-devel] [PATCH v2 12/22] golang/xenlight: re-factor Hwcap type implementation
Previous by thread: [Xen-devel] [PATCH] cmdline: treat hyphens and underscores the same
Next by thread: Re: [Xen-devel] [PATCH v4] gnttab: don't expose host physical address without need
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.