[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 5 Feb 2021 17:26:33 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
Delivery-date: Fri, 05 Feb 2021 16:26:40 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 05.02.2021 17:18, Roger Pau Monné wrote:
> On Fri, Feb 05, 2021 at 05:13:22PM +0100, Jan Beulich wrote:
>> On 05.02.2021 16:43, Roger Pau Monné wrote:
>>> On Thu, Jan 14, 2021 at 04:04:11PM +0100, Jan Beulich wrote:
>>>> The "guest" variants are intended to work with (potentially) fully guest
>>>> controlled addresses, while the "unsafe" variants are not.
>>>
>>> Just to clarify, both work against user addresses, but guest variants
>>> need to be more careful because the guest provided address can also be
>>> modified?
>>>
>>> I'm trying to understand the difference between "fully guest
>>> controlled" and "guest controlled".
>>
>> Not exactly, not. "unsafe" means access to anything which may
>> fault, guest controlled or not. do_invalid_op()'s reading of
>> the insn stream is a good example - the faulting insn there
>> isn't guest controlled at all, but we still want to be careful
>> when trying to read these bytes, as we don't want to fully
>> trust %rip there.
> 
> Would it make sense to threat everything as 'guest' accesses for the
> sake of not having this difference?

That's what we've been doing until now. It is the purpose of
this change to allow the two to behave differently.

> I think having two accessors it's likely to cause confusion and could
> possibly lead to the wrong one being used in unexpected contexts. Does
> it add a too big performance penalty to always use the most
> restrictive one?

The problem is the most restrictive one is going to be too
restrictive - we wouldn't be able to access Xen space anymore
e.g. from the place pointed at above as example. This is
because for guest accesses (but not for "unsafe" ones) we're
going to divert them into non-canonical space (and hence make
speculation impossible, as such an access would fault) if it
would touch Xen space.

Jan

Follow-Ups:
- Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
  - From: Roger Pau Monné

References:
- Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
  - From: Roger Pau Monné
- Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
  - From: Jan Beulich
- Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
  - From: Roger Pau Monné

Prev by Date: Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
Next by Date: [xen-4.12-testing test] 159017: regressions - FAIL
Previous by thread: Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
Next by thread: Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.