[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSA-255 and Arm

To: George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, "wl@xxxxxxx" <wl@xxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Wed, 11 Dec 2019 16:49:45 +0000
Delivery-date: Wed, 11 Dec 2019 16:50:08 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 10/12/2019 10:42, George Dunlap wrote:

On 12/9/19 1:13 PM, Julien Grall wrote:

Hi all,

I was looking at the Grant Table code over the week-end and noticed
thart XSA-255 [1] introduced some unintended consequences on Arm.

Since the XSA, gnttab_map_frame() will remove the previous mapping (if
any) because mapping to the new GFN.

As on Arm we don't have an M2P, the GFN is stored per frame in the
grant-table code. This will never get cleared during unmapping (e.g.
XENMEM_remove_from_physmap) and therefore we may end up to remove a
mapping from someone different (Arm does not check the MFN is the
correct one before removing mapping).


Sorry Julien,  I don't know enough about the ARM grant mapping code to
know what this is about.  Can you point me to the relevant files /
functions / structures, and maybe sketch out a problematic behavior?

If you look at the implementation of gnttab_map_frame()(common/grant_table.c), it will use gnttab_get_frame_gfn(...) to knowwhether the grant-table frame was already mapped in the Guest P2M.

If it is already mapped, then we will try to remove the current mappingbefore doing the new one.

On Arm, gnttab_get_frame_gfn() are using an internal array because to wedon't have an internal array because we don't have an M2P. There is asister function to set the frame (see gnttab_set_frame_gfn()). However,this is only called when mapping the frame and not when the unmap isdone XENMEM_remove_from_physmap.

From my understanding, the current code (i.e remove the old mapping) istrying to workaround the fact we don't take reference when doing amapping in the page-tables.

At the default of not handling reference for all the mappings, we couldhandle grant frame in a similar way to foreign mapping. This wouldremove the restriction on the number of mappings and we could update theinternal array at the same time.

The only concern with this appraoch is we would have to walk through thearray to find the GFN.


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Prev by Date: Re: [Xen-devel] [PATCH v3 1/2] x86/mm: factor out the code for shattering an l3 PTE
Next by Date: [Xen-devel] [PATCH-for-4.13] build: fix tools/configure in case only python3 exists
Previous by thread: Re: [Xen-devel] XSA-255 and Arm
Next by thread: [Xen-devel] [xen-unstable-smoke test] 144639: tolerable all pass - PUSHED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.