Xen project Mailing List

Re: [RFC PATCH] xen/memory: Introduce a hypercall to provide unallocated space

To: Oleksandr Tyshchenko <olekstysh@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 5 Aug 2021 11:03:04 -0400

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1628175799; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=Rsk366i1/xGNnPbYCVhwAj8pmFJseHf8LPkQj8h0qFo=; b=a4QhvV7Kz2Xv2PWKzyt7JsXjY6i4iUahM2dZ9NRcoPDLWuPd+Mk4Qla4TciL7pMmfvdSJSQUkPGNYY9dBQGepWOC4x/MGN5KFjEY1yw5e7mv4LS1+ZKF7MOeIgXRLauMeNBqpim+9hmCT4sYdOeGFCG5zbGDBhpJXe2rs38/1w4=

Arc-seal: i=1; a=rsa-sha256; t=1628175799; cv=none; d=zohomail.com; s=zohoarc; b=S/3c/cnMV0vzIaDaKe9GXro6wq75YJGH3CI2SjeQSAAdv6zAZxofk5XquHAa/u9AMc7hrQanTcvDG5A0+rOWZkld+RJWdJMopR1hlpGI7AmqMYtzYDJ6qTgkDtbhSAxqpX6+Nw+w8MlGXu5Sk12xAUSw4AAIh9E7zInE47dObh8=

Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Wei Chen <Wei.Chen@xxxxxxx>

Delivery-date: Thu, 05 Aug 2021 15:03:36 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 7/28/21 12:18 PM, Oleksandr Tyshchenko wrote: > From: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx> ... > diff --git a/xen/common/memory.c b/xen/common/memory.c > index e07bd9a..3f9b816 100644 > --- a/xen/common/memory.c > +++ b/xen/common/memory.c > @@ -1811,6 +1811,62 @@ long do_memory_op(unsigned long cmd, > XEN_GUEST_HANDLE_PARAM(void) arg) > start_extent); > break; > > + case XENMEM_get_unallocated_space: > + { > + struct xen_get_unallocated_space xgus; > + struct xen_unallocated_region *regions; > + > + if ( unlikely(start_extent) ) > + return -EINVAL; > + > + if ( copy_from_guest(&xgus, arg, 1) || > + !guest_handle_okay(xgus.buffer, xgus.nr_regions) ) > + return -EFAULT; > + > + d = rcu_lock_domain_by_any_id(xgus.domid); > + if ( d == NULL ) > + return -ESRCH; > + > + rc = xsm_get_unallocated_space(XSM_HOOK, d); Not sure if you are aware but XSM_HOOK is a no-op check, meaning that you are allowing any domain to do this operation on any other domain. In most cases there is an XSM check at the beginning of the hypercall processing to do an initial clamp down but I am pretty sure there is no prior XSM check on this path. Based on my understanding of how this is intended, which may be incorrect, but I think you would actually want XSM_TARGET. > + if ( rc ) > + { > + rcu_unlock_domain(d); > + return rc; > + } > + > + if ( !xgus.nr_regions || xgus.nr_regions > > XEN_MAX_UNALLOCATED_REGIONS ) > + { > + rcu_unlock_domain(d); > + return -EINVAL; > + } > + > + regions = xzalloc_array(struct xen_unallocated_region, > xgus.nr_regions); > + if ( !regions ) > + { > + rcu_unlock_domain(d); > + return -ENOMEM; > + } > + > + rc = arch_get_unallocated_space(d, regions, &xgus.nr_regions); > + if ( rc ) > + goto unallocated_out; > + > + if ( __copy_to_guest(xgus.buffer, regions, xgus.nr_regions) ) > + { > + rc = -EFAULT; > + goto unallocated_out; > + } > + > + if ( __copy_to_guest(arg, &xgus, 1) ) > + rc = -EFAULT; > + > +unallocated_out: > + rcu_unlock_domain(d); > + xfree(regions); > + > + break; > + } > + > default: > rc = arch_memory_op(cmd, arg); > break; ... > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 363c6d7..2761fbd 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -772,3 +772,9 @@ static XSM_INLINE int > xsm_domain_resource_map(XSM_DEFAULT_ARG struct domain *d) > XSM_ASSERT_ACTION(XSM_DM_PRIV); > return xsm_default_action(action, current->domain, d); > } > + > +static XSM_INLINE int xsm_get_unallocated_space(XSM_DEFAULT_ARG struct > domain *d) > +{ > + XSM_ASSERT_ACTION(XSM_HOOK); For completeness, if you switch to XSM_TARGET at the call site, you will want to change it here as well. > + return xsm_default_action(action, current->domain, d); > +} V/r, Daniel P. Smith

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.