From patchwork Fri Aug 19 14:12:55 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Cooper <andrew.cooper3@citrix.com>
X-Patchwork-Id: 9290395
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	EE1E6607FF for <patchwork-xen-devel@patchwork.kernel.org>;
	Fri, 19 Aug 2016 14:16:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E0C692945C
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Fri, 19 Aug 2016 14:16:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D560029460; Fri, 19 Aug 2016 14:16:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7E8EA2945C
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Fri, 19 Aug 2016 14:16:49 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1bakYL-0006Su-1U; Fri, 19 Aug 2016 14:13:45 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <prvs=032cfa19e=Andrew.Cooper3@citrix.com>)
	id 1bakYJ-0006Sk-Vq
	for xen-devel@lists.xen.org; Fri, 19 Aug 2016 14:13:44 +0000
Received: from [85.158.143.35] by server-8.bemta-6.messagelabs.com id
	6F/27-05361-71417B75; Fri, 19 Aug 2016 14:13:43 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupjkeJIrShJLcpLzFFi42JxWrohUldMZHu
	4wdbzbBZLPi5mcWD0OLr7N1MAYxRrZl5SfkUCa8aTqY+ZCi7yVOx6d4u9gfEtZxcjJ4eEgL9E
	59qzzCA2m4C+xO4Xn5hAbBEBdYnTHRdZQWxmgRqJi71H2EFsYYEIidMrP4HVswioSsz9cw4oz
	sHBK+Ah0Te/FmKknMT54z/BSjgFPCW+/b4IZgsBlczrucYEYatJXOu/BDaSV0BQ4uTMJywQqy
	QkDr54wQwyUkKAW+Jvt/0ERr5ZSKpmIalawMi0ilG9OLWoLLVI10gvqSgzPaMkNzEzR9fQwEw
	vN7W4ODE9NScxqVgvOT93EyMwnBiAYAfjsr9OhxglOZiURHl/6W8LF+JLyk+pzEgszogvKs1J
	LT7EKMPBoSTBu1Boe7iQYFFqempFWmYOMLBh0hIcPEoivC8EgdK8xQWJucWZ6RCpU4yKUuK8s
	0D6BEASGaV5cG2waLrEKCslzMsIdIgQT0FqUW5mCar8K0ZxDkYlYd5VIFN4MvNK4Ka/AlrMBL
	SYl38LyOKSRISUVAOj1H8f/85Dmxg2Fcs8b1eP6Z/r+cRsE6Nq0Xz5szcWr2Ysy93Wk3/Zecr
	NRX8P6e9LtJ7wYKV/toD5j0mCxls1dt98OvfvQpPPZ/mmB7kWzvzW0L7vydOLO/4wM7cvmOC1
	Pjj/Zr9kpJHa7PCXJeerQjmXmMmvVuQ9xzlT3mvhgkr+pT73jxYkKLEUZyQaajEXFScCAIlc8
	FqhAgAA
X-Env-Sender: prvs=032cfa19e=Andrew.Cooper3@citrix.com
X-Msg-Ref: server-4.tower-21.messagelabs.com!1471616020!23170050!1
X-Originating-IP: [66.165.176.89]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 8.84; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 25705 invoked from network); 19 Aug 2016 14:13:41 -0000
Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89)
	by server-4.tower-21.messagelabs.com with RC4-SHA encrypted SMTP;
	19 Aug 2016 14:13:41 -0000
X-IronPort-AV: E=Sophos;i="5.28,544,1464652800"; d="scan'208";a="373338159"
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Date: Fri, 19 Aug 2016 15:12:55 +0100
Message-ID: <1471615975-9927-2-git-send-email-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1471615975-9927-1-git-send-email-andrew.cooper3@citrix.com>
References: <1471615975-9927-1-git-send-email-andrew.cooper3@citrix.com>
MIME-Version: 1.0
X-DLP: MIA1
Cc: George Dunlap <george.dunlap@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <JBeulich@suse.com>
Subject: [Xen-devel] [PATCH 2/2] xen/physmap: Do not permit a guest to
	populate PoD pages for itself
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

PoD is supposed to be entirely transparent to guest, but this interface has
been left exposed for a long time.

The use of PoD requires careful co-ordination by the toolstack with the
XENMEM_{get,set}_pod_target hypercalls, and xenstore ballooning target.  The
best a guest can do without toolstack cooperation crash.

Furthermore, there are combinations of features (e.g. c/s c63868ff "libxl:
disallow PCI device assignment for HVM guest when PoD is enabled") which a
toolstack might wish to explicitly prohibit (in this case, because the two
simply don't function in combination).  In such cases, the guest mustn't be
able to subvert the configuration chosen by the toolstack.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
---
 xen/common/memory.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/xen/common/memory.c b/xen/common/memory.c
index 1ead35c..ccb9207 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -903,7 +903,16 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
 
         if ( op == XENMEM_populate_physmap
              && (reservation.mem_flags & XENMEMF_populate_on_demand) )
+        {
+            /* Disallow populating PoD pages on oneself. */
+            if ( d == curr_d )
+            {
+                rcu_unlock_domain(d);
+                return start_extent;
+            }
+
             args.memflags |= MEMF_populate_on_demand;
+        }
 
         if ( xsm_memory_adjust_reservation(XSM_TARGET, curr_d, d) )
         {