From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu, Paul Durrant, Tamas K Lengyel
Subject: [PATCH v2] x86/mm: Short circuit damage from "fishy" ref/typecount failure
Date: Tue, 19 Jan 2021 12:27:56 +0000
Message-ID: <20210119122756.27772-1-andrew.cooper3@citrix.com>
In-Reply-To: <20210119094122.23713-1-andrew.cooper3@citrix.com>
References: <20210119094122.23713-1-andrew.cooper3@citrix.com>

This code has been copied in 3 places, but it is problematic.

All cases will hit a BUG() later in domain teardown, when the missing
type/count reference is underflowed.

Don't complicate the logic by leaving a totally unqualified domain crash, and
a timebomb which will be triggered by the toolstack at a slightly later, and
seemingly unrelated, point.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
CC: Paul Durrant
CC: Tamas K Lengyel

v2:
 * Reword the commit message.
 * Switch BUG() to BUG_ON() to further reduce code volume.
---
 xen/arch/x86/hvm/ioreq.c     | 11 ++---------
 xen/arch/x86/hvm/vmx/vmx.c   | 11 ++---------
 xen/arch/x86/mm/mem_paging.c | 17 ++++-------------
 3 files changed, 8 insertions(+), 31 deletions(-)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c index 1cc27df87f..0c38cfa151 100644 --- a/xen/arch/x86/hvm/ioreq.c +++ b/xen/arch/x86/hvm/ioreq.c 
@@ -366,15 +366,8 @@ static int hvm_alloc_ioreq_mfn(struct hvm_ioreq_server *s, bool buf) if ( !page ) return -ENOMEM; - if ( !get_page_and_type(page, s->target, PGT_writable_page) ) - { - /* - * The domain can't possibly know about this page yet, so failure - * here is a clear indication of something fishy going on. - */ - domain_crash(s->emulator); - return -ENODATA; - } + /* Domain can't know about this page yet - something fishy going on. */ + BUG_ON(!get_page_and_type(page, s->target, PGT_writable_page)); iorp->va = __map_domain_page_global(page); if ( !iorp->va ) diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 2d4475ee3d..8e438cb781 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -3042,15 +3042,8 @@ static int vmx_alloc_vlapic_mapping(struct domain *d) if ( !pg ) return -ENOMEM; - if ( !get_page_and_type(pg, d, PGT_writable_page) ) - { - /* - * The domain can't possibly know about this page yet, so failure - * here is a clear indication of something fishy going on. - */ - domain_crash(d); - return -ENODATA; - } + /* Domain can't know about this page yet - something fishy going on. */ + BUG_ON(!get_page_and_type(page, s->target, PGT_writable_page)); mfn = page_to_mfn(pg); clear_domain_page(mfn); diff --git a/xen/arch/x86/mm/mem_paging.c b/xen/arch/x86/mm/mem_paging.c index 01281f786e..6e90019e76 100644 --- a/xen/arch/x86/mm/mem_paging.c +++ b/xen/arch/x86/mm/mem_paging.c 
@@ -379,19 +379,10 @@ static int prepare(struct domain *d, gfn_t gfn, page = alloc_domheap_page(d, 0); if ( unlikely(page == NULL) ) goto out; - if ( unlikely(!get_page(page, d)) ) - { - /* - * The domain can't possibly know about this page yet, so failure - * here is a clear indication of something fishy going on. - */ - gprintk(XENLOG_ERR, - "%pd: fresh page for GFN %"PRI_gfn" in unexpected state\n", - d, gfn_x(gfn)); - domain_crash(d); - page = NULL; - goto out; - } + + /* Domain can't know about this page yet - something fishy going on. */ + BUG_ON(!get_page(page, s->target)); + mfn = page_to_mfn(page); page_extant = 0;
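Review bot: in the hvm_alloc_ioreq_mfn() hunk of xen/arch/x86/hvm/ioreq.c, the mandatory get_page_and_type(page, s->target, PGT_writable_page) call is now the argument of BUG_ON(), so taking the reference reads as a pure check rather than an operation with a side effect. Either confirm that BUG_ON() evaluates its argument in every build configuration, or write it as "if ( !get_page_and_type(...) ) BUG();" so the acquisition stays visible. The replacement comment would also be more useful if it stated the invariant (a freshly allocated page that nothing else can hold a reference to) instead of "something fishy going on", since the failure scope grows from domain_crash(s->emulator) to the whole host.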
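Review bot: in the vmx_alloc_vlapic_mapping() hunk of xen/arch/x86/hvm/vmx/vmx.c, the added BUG_ON(!get_page_and_type(page, s->target, PGT_writable_page)) uses names copied from the ioreq.c hunk that do not match this function. The function takes "struct domain *d", the removed line called get_page_and_type(pg, d, PGT_writable_page), and the following context line is "mfn = page_to_mfn(pg);", so the arguments here should be "pg" and "d".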
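Review bot: in the prepare() hunk of xen/arch/x86/mm/mem_paging.c, the added BUG_ON(!get_page(page, s->target)) refers to "s", but the function signature shown is "prepare(struct domain *d, gfn_t gfn, ..." and the removed line called get_page(page, d), so the second argument should be "d". This hunk also drops the gprintk() that reported the domain and GFN; if that diagnostic is no longer wanted, the commit message should say so, because the BUG_ON() alone carries neither value.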