[v2,2/3] x86/mm: rename and tidy create_pae_xen_mappings()

Message ID b20c85c7-2824-598c-d372-822f979fd97f@suse.com
Series
  • x86/mm: (remaining) XSA-299 / 309 / 310 follow-up

Commit Message

Jan Beulich Jan. 6, 2020, 3:35 p.m. UTC
After dad74b0f9e ("i386: fix handling of Xen entries in final L2 page
table") and the removal of 32-bit support the function doesn't modify
state anymore, and hence its name has been misleading. Change its name,
constify parameters and a local variable, and make it return bool.

Also drop the call to it from mod_l3_entry(): The function explicitly
disallows 32-bit domains to modify slot 3. This way we also won't
re-check slot 3 when a slot other than slot 3 changes. Doing so has
needlessly disallowed making some L2 table recursively link back to an
L2 used in some L3's 3rd slot, as we check for the type ref count to be
1. (Note that allowing dynamic changes of L3 entries in the way we do is
bogus anyway, as that's not how L3s behave in the native and EPT cases:
They get re-evaluated only upon CR3 reloads. NPT is different in this
regard.)

As a result of this we no longer need to play games to get at the start
of the L3 table.

Additionally move the single remaining call site, allowing to drop one
is_pv_32bit_domain() invocation and a _PAGE_PRESENT check (in the
function itself) as well as to exit the loop early (remaining entries
have all been set to empty just ahead of this loop).

Further move a BUG_ON() such that in the common case its condition
wouldn't need evaluating.

Finally, since we're at it, move init_xen_pae_l2_slots() next to the
renamed function, as they really belong together (in fact
init_xen_pae_l2_slots() was [indirectly] broken out of this function).

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Refine description. Drop an ASSERT(). Add a comment ahead of the
    function.
---
We could go further here and delete the function altogether: There are
no linear mappings in a PGT_pae_xen_l2 table anymore (this was on 32-bit
only). The corresponding conditional in mod_l3_entry() could then go
away as well (or, more precisely, would need to be replaced by correct
handling of 3rd slot updates). This would mean that a 32-bit guest
functioning on new Xen may fail to work on older (possibly 32-bit) Xen.

Comments

Andrew Cooper Jan. 6, 2020, 4:16 p.m. UTC | #1
On 06/01/2020 15:35, Jan Beulich wrote:
> After dad74b0f9e ("i386: fix handling of Xen entries in final L2 page
> table") and the removal of 32-bit support the function doesn't modify
> state anymore, and hence its name has been misleading. Change its name,
> constify parameters and a local variable, and make it return bool.
>
> Also drop the call to it from mod_l3_entry(): The function explicitly
> disallows 32-bit domains to modify slot 3. This way we also won't
> re-check slot 3 when a slot other than slot 3 changes. Doing so has
> needlessly disallowed making some L2 table recursively link back to an
> L2 used in some L3's 3rd slot, as we check for the type ref count to be
> 1. (Note that allowing dynamic changes of L3 entries in the way we do is
> bogus anyway, as that's not how L3s behave in the native and EPT cases:
> They get re-evaluated only upon CR3 reloads. NPT is different in this
> regard.)
>
> As a result of this we no longer need to play games to get at the start
> of the L3 table.
>
> Additionally move the single remaining call site, allowing to drop one
> is_pv_32bit_domain() invocation and a _PAGE_PRESENT check (in the
> function itself) as well as to exit the loop early (remaining entries
> have all ben set to empty just ahead of this loop).

been.

>
> Further move a BUG_ON() such that in the common case its condition
> wouldn't need evaluating.
>
> Finally, since we're at it, move init_xen_pae_l2_slots() next to the
> renamed function, as they really belong together (in fact
> init_xen_pae_l2_slots() was [indirectly] broken out of this function).
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>


--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1414,23 +1414,22 @@  static int promote_l1_table(struct page_
     return ret;
 }
 
-static int create_pae_xen_mappings(struct domain *d, l3_pgentry_t *pl3e)
+/*
+ * Note: The checks performed by this function are just to enforce a
+ * legacy restriction necessary on 32-bit hosts. There's not much point in
+ * relaxing (dropping) this though, as 32-bit guests would still need to
+ * conform to the original restrictions in order to be able to run on (old)
+ * 32-bit Xen.
+ */
+static bool pae_xen_mappings_check(const struct domain *d,
+                                   const l3_pgentry_t *pl3e)
 {
-    struct page_info *page;
-    l3_pgentry_t     l3e3;
-
-    if ( !is_pv_32bit_domain(d) )
-        return 1;
-
-    pl3e = (l3_pgentry_t *)((unsigned long)pl3e & PAGE_MASK);
-
-    /* 3rd L3 slot contains L2 with Xen-private mappings. It *must* exist. */
-    l3e3 = pl3e[3];
-    if ( !(l3e_get_flags(l3e3) & _PAGE_PRESENT) )
-    {
-        gdprintk(XENLOG_WARNING, "PAE L3 3rd slot is empty\n");
-        return 0;
-    }
+    /*
+     * 3rd L3 slot contains L2 with Xen-private mappings. It *must* exist,
+     * which our caller has already verified.
+     */
+    l3_pgentry_t l3e3 = pl3e[3];
+    const struct page_info *page = l3e_get_page(l3e3);
 
     /*
      * The Xen-private mappings include linear mappings. The L2 thus cannot
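Review bot: The `d` parameter of pae_xen_mappings_check() appears to be dead once the is_pv_32bit_domain() test moves to the caller: as far as this hunk and the one below show, the body only reads `pl3e[3]` and the page's `type_info`, and the gdprintk() call takes no domain argument. Either drop it (`static bool pae_xen_mappings_check(const l3_pgentry_t *pl3e)`) and adjust the single call site in promote_l3_table(), or use it, e.g. in the diagnostic. The function also now relies on the caller having checked `_PAGE_PRESENT` on slot 3 before calling, which the header comment added here does not mention; one line would make the contract explicit: `Caller must have verified that pl3e[3] is present and holds a type reference on the L2.` The function body continues past the end of this hunk.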
@@ -1441,17 +1440,24 @@  static int create_pae_xen_mappings(struc
      *     a. promote_l3_table() calls this function and this check will fail
      *     b. mod_l3_entry() disallows updates to slot 3 in an existing table
      */
-    page = l3e_get_page(l3e3);
     BUG_ON(page->u.inuse.type_info & PGT_pinned);
-    BUG_ON((page->u.inuse.type_info & PGT_count_mask) == 0);
     BUG_ON(!(page->u.inuse.type_info & PGT_pae_xen_l2));
     if ( (page->u.inuse.type_info & PGT_count_mask) != 1 )
     {
+        BUG_ON(!(page->u.inuse.type_info & PGT_count_mask));
         gdprintk(XENLOG_WARNING, "PAE L3 3rd slot is shared\n");
-        return 0;
+        return false;
     }
 
-    return 1;
+    return true;
+}
+
+void init_xen_pae_l2_slots(l2_pgentry_t *l2t, const struct domain *d)
+{
+    memcpy(&l2t[COMPAT_L2_PAGETABLE_FIRST_XEN_SLOT(d)],
+           &compat_idle_pg_table_l2[
+               l2_table_offset(HIRO_COMPAT_MPT_VIRT_START)],
+           COMPAT_L2_PAGETABLE_XEN_SLOTS(d) * sizeof(*l2t));
 }
 
 static int promote_l2_table(struct page_info *page, unsigned long type)
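Review bot: The BUG_ON() relocated into the `!= 1` branch has no note on why a zero type count is impossible there, and a reader meeting a refcount assertion inside a "slot is shared" diagnostic branch may take it for a check on guest-controlled state rather than an internal invariant. Presumably (from the get_page_type() call visible in the promote_l3_table() hunk below) the caller holds a type reference on this L2 at this point; a one-line comment above the BUG_ON() would say so: `/* The caller holds a type ref on this L2; a zero count here is a refcounting bug, not a guest error. */`. The rest of this hunk (return type change, init_xen_pae_l2_slots() move) is mechanical.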
@@ -1592,6 +1598,16 @@  static int promote_l3_table(struct page_
                     l3e_get_mfn(l3e),
                     PGT_l2_page_table | PGT_pae_xen_l2, d,
                     partial_flags | PTF_preemptible | PTF_retain_ref_on_restart);
+
+            if ( !rc )
+            {
+                if ( pae_xen_mappings_check(d, pl3e) )
+                {
+                    pl3e[i] = adjust_guest_l3e(l3e, d);
+                    break;
+                }
+                rc = -EINVAL;
+            }
         }
         else if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) )
         {
@@ -1621,8 +1637,6 @@  static int promote_l3_table(struct page_
         pl3e[i] = adjust_guest_l3e(l3e, d);
     }
 
-    if ( !rc && !create_pae_xen_mappings(d, pl3e) )
-        rc = -EINVAL;
     if ( rc < 0 && rc != -ERESTART && rc != -EINTR )
     {
         gdprintk(XENLOG_WARNING,
@@ -1663,14 +1677,6 @@  static int promote_l3_table(struct page_
     unmap_domain_page(pl3e);
     return rc;
 }
-
-void init_xen_pae_l2_slots(l2_pgentry_t *l2t, const struct domain *d)
-{
-    memcpy(&l2t[COMPAT_L2_PAGETABLE_FIRST_XEN_SLOT(d)],
-           &compat_idle_pg_table_l2[
-               l2_table_offset(HIRO_COMPAT_MPT_VIRT_START)],
-           COMPAT_L2_PAGETABLE_XEN_SLOTS(d) * sizeof(*l2t));
-}
 #endif /* CONFIG_PV */
 
 /*
@@ -2347,10 +2353,6 @@  static int mod_l3_entry(l3_pgentry_t *pl
         return -EFAULT;
     }
 
-    if ( likely(rc == 0) )
-        if ( !create_pae_xen_mappings(d, pl3e) )
-            BUG();
-
     put_page_from_l3e(ol3e, mfn, PTF_defer);
     return rc;
 }