From patchwork Fri Jul 19 12:25:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Durrant X-Patchwork-Id: 11050051 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B177A13BD for ; Fri, 19 Jul 2019 12:27:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A07A828765 for ; Fri, 19 Jul 2019 12:27:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 93F082878F; Fri, 19 Jul 2019 12:27:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id ECB3928765 for ; Fri, 19 Jul 2019 12:27:24 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1hoRxT-0004JG-RE; Fri, 19 Jul 2019 12:25:55 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1hoRxS-0004JB-RS for xen-devel@lists.xenproject.org; Fri, 19 Jul 2019 12:25:54 +0000 X-Inumbo-ID: 57b40386-aa20-11e9-ab87-ff401465dd97 Received: from esa5.hc3370-68.iphmx.com (unknown [216.71.155.168]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 57b40386-aa20-11e9-ab87-ff401465dd97; Fri, 19 Jul 2019 12:25:50 +0000 (UTC) Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=paul.durrant@citrix.com; spf=Pass smtp.mailfrom=Paul.Durrant@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of paul.durrant@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="paul.durrant@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa5.hc3370-68.iphmx.com: domain of Paul.Durrant@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="Paul.Durrant@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Paul.Durrant@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: FVxTQ9AyK60Prq9TDzRL13lb6Sw8JMDOs8R9Hqv5WRMEUMWGsswHoEuniIshUnyRlY4b16udRm QHbB2HnKENPwQKcfH1xEAdVTP5lWVf4WfC3S1T+YwK6G0BJ0r/+lqycEtpJlVqgsORQf56JrO2 6waIDONQPAhR9NX0XlcSdgUyM/IxblDlABV2IAinIY6SzuEtC7pb0IjmHFnAwj8WhVBUrfLYDA wVzo112E8QhppeYj9bM+LAkkd+iGT5rLAbANk2wWBwdEuSUulIvhju/xbygza97qrlm1f2OXm/ 5Hg= X-SBRS: 2.7 X-MesageID: 3254694 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,282,1559534400"; d="scan'208";a="3254694" From: Paul Durrant To: Date: Fri, 19 Jul 2019 13:25:45 +0100 Message-ID: <20190719122545.3486-1-paul.durrant@citrix.com> X-Mailer: git-send-email 2.20.1.2.gb21ebb671 MIME-Version: 1.0 Subject: [Xen-devel] [PATCH] include/public/memory.h: remove the XENMEM_rsrc_acq_caller_owned flag X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Stefano Stabellini , Wei Liu , Konrad Rzeszutek Wilk , George Dunlap , Andrew Cooper , Ian Jackson , Tim Deegan , Julien Grall , Paul Durrant , Jan Beulich Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP When commit 3f8f1228 "x86/mm: add HYPERVISOR_memory_op to acquire guest resources" introduced the concept of directly mapping some guest resources, it was envisaged that the memory for some resources associated with a guest may not actually be assigned to that guest, specifically the IOREQ server resource introduces in commit 6e387461 "x86/hvm/ioreq: add a new mappable resource type...". Such resources were dubbed "caller owned" and resulted in the owned resources" and acquiring them resulted in the XENMEM_rsrc_acq_caller_owned flag being passed back to the caller of the memory op. Unfortunately the implementation led to XSA-276, which was mitigated by commit f6b6ae78 "x86/hvm/ioreq: fix page referencing" and then a related memory accounting problem was worked around by commit e862e6ce "x86/hvm/ioreq: use ref-counted target-assigned shared pages". This latter commit removed the only instance of a "caller owned" resource, but the flag was left in header and checked in one place in the core code. This patch removes that now redundant check and removes the definition of XENMEM_rsrc_acq_caller_owned from the public header. Also, since this was the only flag defined for the XENMEM_acquire_resource memory op, it removes the 'flags' field of struct xen_mem_acquire_resource and replaces it with an equivalently sized 'pad' field. Signed-off-by: Paul Durrant Acked-by: Andrew Cooper --- Cc: Andrew Cooper Cc: George Dunlap Cc: Ian Jackson Cc: Jan Beulich Cc: Julien Grall Cc: Konrad Rzeszutek Wilk Cc: Stefano Stabellini Cc: Tim Deegan Cc: Wei Liu --- xen/arch/x86/mm.c | 3 +-- xen/common/compat/memory.c | 6 ------ xen/common/memory.c | 14 ++++---------- xen/include/asm-arm/mm.h | 2 +- xen/include/asm-x86/mm.h | 3 +-- xen/include/public/memory.h | 11 +---------- 6 files changed, 8 insertions(+), 31 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 334571d445..58f463259f 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -4521,8 +4521,7 @@ int xenmem_add_to_physmap_one( int arch_acquire_resource(struct domain *d, unsigned int type, unsigned int id, unsigned long frame, - unsigned int nr_frames, xen_pfn_t mfn_list[], - unsigned int *flags) + unsigned int nr_frames, xen_pfn_t mfn_list[]) { int rc; diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c index 2eb79efa65..10a954f281 100644 --- a/xen/common/compat/memory.c +++ b/xen/common/compat/memory.c @@ -624,12 +624,6 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) compat_frame_list, cmp.mar.nr_frames) ) return -EFAULT; - - if ( __copy_field_to_guest( - guest_handle_cast(compat, - compat_mem_acquire_resource_t), - &cmp.mar, flags) ) - return -EFAULT; } break; diff --git a/xen/common/memory.c b/xen/common/memory.c index 30d210fc08..44a7b1d3a8 100644 --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -1060,7 +1060,7 @@ static int acquire_resource( if ( copy_from_guest(&xmar, arg, 1) ) return -EFAULT; - if ( xmar.flags != 0 ) + if ( xmar.pad != 0 ) return -EINVAL; if ( guest_handle_is_null(xmar.frame_list) ) @@ -1096,7 +1096,7 @@ static int acquire_resource( default: rc = arch_acquire_resource(d, xmar.type, xmar.id, xmar.frame, - xmar.nr_frames, mfn_list, &xmar.flags); + xmar.nr_frames, mfn_list); break; } @@ -1116,11 +1116,9 @@ static int acquire_resource( /* * FIXME: Until foreign pages inserted into the P2M are properly * reference counted, it is unsafe to allow mapping of - * non-caller-owned resource pages unless the caller is - * the hardware domain. + * resource pages unless the caller is the hardware domain. */ - if ( !(xmar.flags & XENMEM_rsrc_acq_caller_owned) && - !is_hardware_domain(currd) ) + if ( !is_hardware_domain(currd) ) return -EACCES; if ( copy_from_guest(gfn_list, xmar.frame_list, xmar.nr_frames) ) @@ -1136,10 +1134,6 @@ static int acquire_resource( } } - if ( xmar.flags != 0 && - __copy_field_to_guest(arg, &xmar, flags) ) - rc = -EFAULT; - out: rcu_unlock_domain(d); diff --git a/xen/include/asm-arm/mm.h b/xen/include/asm-arm/mm.h index 3dbc8a6469..9b9fb7e346 100644 --- a/xen/include/asm-arm/mm.h +++ b/xen/include/asm-arm/mm.h @@ -356,7 +356,7 @@ void clear_and_clean_page(struct page_info *page); static inline int arch_acquire_resource(struct domain *d, unsigned int type, unsigned int id, unsigned long frame, unsigned int nr_frames, - xen_pfn_t mfn_list[], unsigned int *flags) + xen_pfn_t mfn_list[]) { return -EOPNOTSUPP; } diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index 6c14635270..cc6d733b27 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -634,7 +634,6 @@ static inline bool arch_mfn_in_directmap(unsigned long mfn) int arch_acquire_resource(struct domain *d, unsigned int type, unsigned int id, unsigned long frame, - unsigned int nr_frames, xen_pfn_t mfn_list[], - unsigned int *flags); + unsigned int nr_frames, xen_pfn_t mfn_list[]); #endif /* __ASM_X86_MM_H__ */ diff --git a/xen/include/public/memory.h b/xen/include/public/memory.h index 68ddadbea8..cfdda6e2a8 100644 --- a/xen/include/public/memory.h +++ b/xen/include/public/memory.h @@ -632,16 +632,7 @@ struct xen_mem_acquire_resource { * maximum value supported by the implementation on return. */ uint32_t nr_frames; - /* - * OUT - Must be zero on entry. On return this may contain a bitwise - * OR of the following values. - */ - uint32_t flags; - - /* The resource pages have been assigned to the calling domain */ -#define _XENMEM_rsrc_acq_caller_owned 0 -#define XENMEM_rsrc_acq_caller_owned (1u << _XENMEM_rsrc_acq_caller_owned) - + uint32_t pad; /* * IN - the index of the initial frame to be mapped. This parameter * is ignored if nr_frames is 0.