From patchwork Thu Jan 27 14:53:14 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Beulich <JBeulich@suse.com>
X-Patchwork-Id: 12726883
Return-Path: <xen-devel-bounces@lists.xenproject.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 1592FC433EF
	for <xen-devel@archiver.kernel.org>; Thu, 27 Jan 2022 14:53:37 +0000 (UTC)
Received: from list by lists.xenproject.org with
 outflank-mailman.261517.452905 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1nD69J-0007Pz-Nh; Thu, 27 Jan 2022 14:53:21 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 261517.452905;
 Thu, 27 Jan 2022 14:53:21 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1nD69J-0007Ps-Kq; Thu, 27 Jan 2022 14:53:21 +0000
Received: by outflank-mailman (input) for mailman id 261517;
 Thu, 27 Jan 2022 14:53:19 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from
 <SRS0=V/tf=SL=suse.com=jbeulich@srs-se1.protection.inumbo.net>)
 id 1nD69H-0007Pl-O2
 for xen-devel@lists.xenproject.org; Thu, 27 Jan 2022 14:53:19 +0000
Received: from de-smtp-delivery-102.mimecast.com
 (de-smtp-delivery-102.mimecast.com [194.104.111.102])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id dd00e2ba-7f80-11ec-8eb8-a37418f5ba1a;
 Thu, 27 Jan 2022 15:53:18 +0100 (CET)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com
 (mail-vi1eur05lp2177.outbound.protection.outlook.com [104.47.17.177]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 de-mta-16-g4NHsuWsO-GdL_7x8tglEQ-1; Thu, 27 Jan 2022 15:53:16 +0100
Received: from VI1PR04MB5600.eurprd04.prod.outlook.com (2603:10a6:803:e7::16)
 by AM7PR04MB7191.eurprd04.prod.outlook.com (2603:10a6:20b:11c::15)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.17; Thu, 27 Jan
 2022 14:53:15 +0000
Received: from VI1PR04MB5600.eurprd04.prod.outlook.com
 ([fe80::a1a4:21a6:8390:b5d5]) by VI1PR04MB5600.eurprd04.prod.outlook.com
 ([fe80::a1a4:21a6:8390:b5d5%5]) with mapi id 15.20.4930.017; Thu, 27 Jan 2022
 14:53:15 +0000
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: dd00e2ba-7f80-11ec-8eb8-a37418f5ba1a
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com;
 s=mimecast20200619;
	t=1643295198;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=QXqEOApuhNTDDOQi+0lYzxh9XjWyCRDTmsHjLzOzlRQ=;
	b=WMSI0U155lKdxaBfWu9F1rVcGoiu3C+e3htPSk65+UecLk2c0pYMsmkSQvkHpvhY3BKzwr
	NcUmDM6ATCaGJUv9Ykl99W5lHFGIwxFoTkhVLdxBhb/GbCtS3IUaJspO3YUyT3ZQ7cAirO
	ZNU1a8BlR1+s/mJmlNRTzO+fVaz78HQ=
X-MC-Unique: g4NHsuWsO-GdL_7x8tglEQ-1
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=KlMd7QR8LotlPDEZtBvNkAoSmvfO0Hmt6s9M2XKuZOETYTkkKXKIchc5loDRiOduejHZLnNQWB/HjJdjKtiZbjHRt79rrEHvN9miMvUNAEUcLDikSFRG8GuFl1pkd4MXE/Mh81m+tACMGUBueQrsv2w3+f+40vzlyMkT9/NoIKDolasaB7rfwtuq7k86JCm+gRFhs9HMTVpji11/jm7TEd1tzUrcJB+YGoKzqAZcIDfs+qO17zZFPnsVEK0jgFFTvOvYdJD3/v7+JEM2OcE1r9EzDu6phiOBr7uXldjLGlUHVCrhm5axM3dPHNJut+QamQtJO5JJj5zly+s3t1EWqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=QXqEOApuhNTDDOQi+0lYzxh9XjWyCRDTmsHjLzOzlRQ=;
 b=nJ2Tt5GZYKUxWb1udCTqOYyglaCa1M7/U7dPoML/hNUAPnZHLKqa7nDAX1XL2tPpAKd20QjTsWcBnyylrJaWwyh9K91zY7CITBsleuCaNLhrHvVdHc1uqoJyhOOmTVTZd3zeccAVe8fY0uRWchmdo2ui28V8wqY5nUdDD/rZ166st819s3Ez4C1Gf8diBj0f7OdZdC8T9pGrJgu2D881oD0l6o3wWVJdGCsrHdbsL908RpIdF6qTYOSaPaGqd1VQpwrLUoAv9kATDX6eR6fTnnvVFkKN3iRLPiKVr4y7mJ7n4KB54sWEbX8QqXqCGdSUt6sO1spEU1Q+iGqlJ5uBbw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=suse.com;
Message-ID: <c2606525-5d1b-c410-d750-1372334c4c7b@suse.com>
Date: Thu, 27 Jan 2022 15:53:14 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.0
From: Jan Beulich <jbeulich@suse.com>
Subject: [PATCH v3] memory: XENMEM_add_to_physmap (almost) wrapping checks
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
 George Dunlap <george.dunlap@citrix.com>, Julien Grall <julien@xen.org>,
 Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>
References: <9725c93e-c227-f29f-07a4-65e383bb7858@suse.com>
Content-Language: en-US
In-Reply-To: <9725c93e-c227-f29f-07a4-65e383bb7858@suse.com>
X-ClientProxiedBy: AM6P191CA0100.EURP191.PROD.OUTLOOK.COM
 (2603:10a6:209:8a::41) To VI1PR04MB5600.eurprd04.prod.outlook.com
 (2603:10a6:803:e7::16)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: faba302d-b965-41a4-03f4-08d9e1a4bf87
X-MS-TrafficTypeDiagnostic: AM7PR04MB7191:EE_
X-Microsoft-Antispam-PRVS: 
	<AM7PR04MB7191FB18ADB1089406905D4CB3219@AM7PR04MB7191.eurprd04.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:6108;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	PKFxfMyGaZHIDUODd5fDwzV3OSJpuz/zfubEYlSpK556cqyClbWXx7Y4nLNJ/gwFMXsLqck/VUZdrOENyETt6NTgTa7Q2yEqY6DUqsqTRPRcp4+RruoQq2z7eGyr4uwchgpw0fMsyCanfEI2LHd1KSTkBLKKGDT3RPBNXD/itomae71qo7qXLmn/St5yALrHOedKo63mQdbgsH3sswV2gdxePFxODxkeaqmsx2Ah5nBgWDKkth3HCkuRFVUMx70UQftbKc/CeFzpuZYpvMae6a4R1XtYZHuUyz/l4+pcR3RdvBAemEO7VsHF8G6jmS0PNAWudim89MuBOvwlvMNwPOqgP9T33yv30X3pIbaqYMFKw56KRVBA9dcb/JeDKPEhAQ7T4I98SoNnLb2xQDv1mV/vqzEtxOjNeBnA7lE8YJ3A+UrI47qVx1QiOl/idL0JB+DEttpqF9EGfDvLnjVbKbIe1gqrAriShvqzkWMi/8zdeDezAPU5Mmh3hc8dGZvvm0SkFLFwXVDnOwgVNIgFVOtFGI3PhmgXvC/znf2xxli/NFIb9XKMjjt05oUpKYBSWxRI5iLjK65QyUNFz5lFDFl0awUHQGGK6wKYxcYIUEjualSezuVYi2XgZ8X9TRzTrkRo/BYagmfLJBzLjgxrjUHEQLS6clOz03yg9cA31wO/+aUGlCaJdUnvE7EF/u6nXm3vDEfFzBfNnycTClrFgg3GlOXCAm/G0UN4eqnqhGDLmfx/RVT/Pxs3Q21xOQCM
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR04MB5600.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(83380400001)(6486002)(6916009)(316002)(508600001)(2616005)(54906003)(36756003)(31686004)(186003)(26005)(8936002)(5660300002)(66946007)(66556008)(31696002)(4326008)(6506007)(8676002)(6512007)(66476007)(38100700002)(86362001)(2906002)(45980500001)(43740500002)(20210929001);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?dqekrmxBYB5VaO8/2oKF6r8PQDY2?=
	=?utf-8?q?eTp5X5JZADDA16MXCWe5rEtoqVH+6FRDknOT6qz0XrPt35xHDNk0AYxAt5/6PYr0/?=
	=?utf-8?q?fLfO8WJcdrogaOKIorb2+JxT1mOP8AvdRuBBRdNULHuJBbtAhC0k/XRDhMsGWCOuz?=
	=?utf-8?q?i6yqNXmnbdY9zy77eyUjxVdBK0LOyrIH4HUa4dy46xdaWVK6SsdlzSwabRCRU7NQb?=
	=?utf-8?q?XMdmaO1upRIrs0QB4EOa8N4C4qobJ5pcZxbY4FRqvW1o4urEwhBzEv4fzyl2olKFZ?=
	=?utf-8?q?hB5eXCa2EI5k/aV+mEpV0or1pJJ6W5TiQUuGbkqaSERJpJkIPftDdP0v5/sy9GDHF?=
	=?utf-8?q?NUBWj6OssyUs6jW2Jozo3QcAehJp+q78YegAlkcwwzdpgJy1Q1lA+/gYBhVY3pFBn?=
	=?utf-8?q?e/qALTdvef3dUoTabaq9ZkHURH55sTeI2NsyCIFUYJGUV2cBPkCpttEiEPWucjn2p?=
	=?utf-8?q?KG25l69Ui4G4D2p9EUWMUaWj3ZAmGVnFNHH7nPH1czyOePoAYIuKvafHkavDpkNOD?=
	=?utf-8?q?zS7bVOypfpFIiWo5NGpVBPKG7JC/sXn15vfnFqdu70KsE/3n1btBxkyyT9YSJeQsm?=
	=?utf-8?q?+PTI8aoLO/p5ywDAkJOLoAa4gikT/SH0gbsP5/7X8GWjhwYhkodoD70yLm4YoPo71?=
	=?utf-8?q?BCm2PMYuFI1LsoOVpagsq2Y2TedWa0vhykfOpuELVrGvInVo93fA+8jvUy8V5C6ZJ?=
	=?utf-8?q?25bvlRGbJFPimcIDqh4iF70D7sqqBmFrSInTI3m3aPagWK5CJD4CzGLLu6lW9rhPq?=
	=?utf-8?q?GWXYUpeauZYcHkgXi/uZqbOtpiagzZX11AdYsp8GW2Nr4qCHHTcW1ZYcqhD3qWT6y?=
	=?utf-8?q?5PDlRIkQ3LgpcHjtF6gcfLTFI92nBIc/xakN/p5xFnyxGK9oCgGqANtoz09ZwtELV?=
	=?utf-8?q?tzRaCg+wYgcs/tTf6ggK/dJx0XJliEDlrK0pZtQNbSJ0MibTeqUPoSIDf7iMgV/CG?=
	=?utf-8?q?Nt871frS3CQZOICIn/J+DeRdZjgfwU5iia7eJ2dex5Eu7W+T/vetTE/NU0hfwPcPW?=
	=?utf-8?q?73v8EEURljrPRQt+8TIhMMoCkS7HgCpO3GuVBObs/sHRW6fiRqBmwjM6tch0dbRNp?=
	=?utf-8?q?pNSp3shRgKbrhn3tylIbh6D6/mT/H0rzupD8ZT1oYB2L/ZwfMZ0rD5loPhuyjjSc4?=
	=?utf-8?q?QV9Tp6z4NjUCB4SK7UV/Z4sO5MPAlaf8sFFAV1yX6eTEwv6o3Qe/co9w7GhAdslg0?=
	=?utf-8?q?fbQyYIFzL05CT+UwBuIufdvD1IiCXgWlSq//tUk6PGG7RKaWP0T6/fk6C2gEKpdy7?=
	=?utf-8?q?4q7Zs0AgaF1jxcPFSythGATAd8o2Jj9dR92qIVKPOfO5ite7aHS6qyZ5qwbPx3S4v?=
	=?utf-8?q?C3tiz+9itbvNsEabclKAcqdtCxHrRgYey77n84qznjU3RQ3EwrAV9nPPkcFH90ioO?=
	=?utf-8?q?G/YGpEId8TOTaeCvcFVBnsDSY55XVAHBnnk7jGhynpg0YcUVe6gYxAcI+0PbrZLUA?=
	=?utf-8?q?hvuIr/B1LkKBJE11Me4D9N0Ntj9rEaOHlgBUkfsItNIBAyM+xglyKMqZssBBtwcbn?=
	=?utf-8?q?GTw4lOP7hOki/HIH9rMywj6wCeyJ26S6+LCVTmvijOYTMaWOopSBBrk=3D?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 faba302d-b965-41a4-03f4-08d9e1a4bf87
X-MS-Exchange-CrossTenant-AuthSource: VI1PR04MB5600.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Jan 2022 14:53:15.5224
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 zXPnw8rmJRQV2xmnYrJAFJoEKGE5ytQWGVGDAlGXH4s1r1BEmZu7tKY+kgJnuTr6u55CYmsN72SPepqncbElKQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR04MB7191

Determining that behavior is correct (i.e. results in failure) for a
passed in GFN equaling INVALID_GFN is non-trivial. Make this quite a bit
more obvious by checking input in generic code - both for singular
requests to not match the value and for range ones to not pass / wrap
through it.

For Arm similarly make more obvious that no wrapping of MFNs passed
for XENMAPSPACE_dev_mmio and thus to map_dev_mmio_region() can occur:
Drop the "nr" parameter of the function to avoid future callers
appearing which might not themselves check for wrapping. Otherwise
the respective ASSERT() in rangeset_contains_range() could trigger.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
---
v3: Rename function to map_dev_mmio_page().
v2: Add comment to BUILD_BUG_ON(). Avoid transiently #define-ing _gfn()
    (by way of new prereq patch).

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1479,7 +1479,7 @@ int xenmem_add_to_physmap_one(
         break;
     }
     case XENMAPSPACE_dev_mmio:
-        rc = map_dev_mmio_region(d, gfn, 1, _mfn(idx));
+        rc = map_dev_mmio_page(d, gfn, _mfn(idx));
         return rc;
 
     default:
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1355,21 +1355,18 @@ int unmap_mmio_regions(struct domain *d,
     return p2m_remove_mapping(d, start_gfn, nr, mfn);
 }
 
-int map_dev_mmio_region(struct domain *d,
-                        gfn_t gfn,
-                        unsigned long nr,
-                        mfn_t mfn)
+int map_dev_mmio_page(struct domain *d, gfn_t gfn, mfn_t mfn)
 {
     int res;
 
-    if ( !(nr && iomem_access_permitted(d, mfn_x(mfn), mfn_x(mfn) + nr - 1)) )
+    if ( !iomem_access_permitted(d, mfn_x(mfn), mfn_x(mfn)) )
         return 0;
 
-    res = p2m_insert_mapping(d, gfn, nr, mfn, p2m_mmio_direct_c);
+    res = p2m_insert_mapping(d, gfn, 1, mfn, p2m_mmio_direct_c);
     if ( res < 0 )
     {
-        printk(XENLOG_G_ERR "Unable to map MFNs [%#"PRI_mfn" - %#"PRI_mfn" in Dom%d\n",
-               mfn_x(mfn), mfn_x(mfn) + nr - 1, d->domain_id);
+        printk(XENLOG_G_ERR "Unable to map MFN %#"PRI_mfn" in %pd\n",
+               mfn_x(mfn), d);
         return res;
     }
 
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -4157,7 +4157,10 @@ int gnttab_map_frame(struct domain *d, u
     bool status = false;
 
     if ( gfn_eq(gfn, INVALID_GFN) )
+    {
+        ASSERT_UNREACHABLE();
         return -EINVAL;
+    }
 
     grant_write_lock(gt);
 
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -832,6 +832,9 @@ int xenmem_add_to_physmap(struct domain
         return -EACCES;
     }
 
+    if ( gfn_eq(_gfn(xatp->gpfn), INVALID_GFN) )
+        return -EINVAL;
+
     if ( xatp->space == XENMAPSPACE_gmfn_foreign )
         extra.foreign_domid = DOMID_INVALID;
 
@@ -842,6 +845,18 @@ int xenmem_add_to_physmap(struct domain
     if ( xatp->size < start )
         return -EILSEQ;
 
+    if ( xatp->gpfn + xatp->size < xatp->gpfn ||
+         xatp->idx + xatp->size < xatp->idx )
+    {
+        /*
+         * Make sure INVALID_GFN is the highest representable value, i.e.
+         * guaranteeing that it won't fall in the middle of the
+         * [xatp->gpfn, xatp->gpfn + xatp->size) range checked above.
+         */
+        BUILD_BUG_ON(INVALID_GFN_RAW + 1);
+        return -EOVERFLOW;
+    }
+
     xatp->idx += start;
     xatp->gpfn += start;
     xatp->size -= start;
@@ -962,6 +977,9 @@ static int xenmem_add_to_physmap_batch(s
                                                extent, 1)) )
             return -EFAULT;
 
+        if ( gfn_eq(_gfn(gpfn), INVALID_GFN) )
+            return -EINVAL;
+
         rc = xenmem_add_to_physmap_one(d, xatpb->space, extra,
                                        idx, _gfn(gpfn));
 
--- a/xen/arch/arm/include/asm/p2m.h
+++ b/xen/arch/arm/include/asm/p2m.h
@@ -295,10 +295,7 @@ int unmap_regions_p2mt(struct domain *d,
                        unsigned long nr,
                        mfn_t mfn);
 
-int map_dev_mmio_region(struct domain *d,
-                        gfn_t gfn,
-                        unsigned long nr,
-                        mfn_t mfn);
+int map_dev_mmio_page(struct domain *d, gfn_t gfn, mfn_t mfn);
 
 int p2m_insert_mapping(struct domain *d, gfn_t start_gfn, unsigned long nr,
                        mfn_t mfn, p2m_type_t t);