From nobody Sat Apr 20 13:16:14 2024
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=none (zohomail.com: 192.237.175.120 is neither permitted nor denied by
 domain of lists.xenproject.org)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=fail(p=none dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1574448779; cv=none;
	d=zohomail.com; s=zohoarc;
	b=AvvKcb6zxq0LW8o2lrCwZ+SRsHxyTcmtvaRx5o4J3JSd/Hv7jnBDje9PoeDug9cLeozmJLV6VV1q1eXTOMCrPyYZnti9uGz05MFLbYVIDviju1HYwdwMv+CMxP56LOuBPxsU7D/5bzzL2uFVbK5WMsNzMguY2ZGS2qigycnS2TM=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1574448779;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=i88Z8QZqSIp/gx7TiGAaLcVrW/lQnIykkU411IROMlw=;
	b=Wrpn4Vydl2Wt1Kd6yrp3wxB0/s1m2OBv8kPQP1uzPOgbzKHi6/yuhb692A9LO+gyAf4KqOwYEEEucyag61jcrxRe76C+P6VkbM4YfWlYEMDuTE1btWc3EL1LeIbg16esVl11+LPayO2N7f3SmqjZXwTgDq/kJh0zBTSwn5ZsrRw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=none (zohomail.com: 192.237.175.120 is neither permitted nor denied by
 domain of lists.xenproject.org)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=fail header.from=<george.dunlap@citrix.com> (p=none dis=none)
 header.from=<george.dunlap@citrix.com>
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1574448779133198.835445881174;
 Fri, 22 Nov 2019 10:52:59 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1iYE2M-00085d-I6; Fri, 22 Nov 2019 18:52:10 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57]
 helo=us1-amaz-eas2.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <SRS0=VjPq=ZO=citrix.com=george.dunlap@srs-us1.protection.inumbo.net>)
 id 1iYE2L-00085Y-Ja
 for xen-devel@lists.xenproject.org; Fri, 22 Nov 2019 18:52:09 +0000
Received: from esa4.hc3370-68.iphmx.com (unknown [216.71.155.144])
 by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS
 id 2e9f3bb9-0d59-11ea-a361-12813bfff9fa;
 Fri, 22 Nov 2019 18:52:08 +0000 (UTC)
X-Inumbo-ID: 2e9f3bb9-0d59-11ea-a361-12813bfff9fa
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=citrix.com; s=securemail; t=1574448728;
 h=from:to:cc:subject:date:message-id:mime-version:
 content-transfer-encoding;
 bh=pUDsR/oxPnfzeLTLtiSBFXew6WNcQgsSOaLr09Z4Xd4=;
 b=F34BJwRMdNbIh9t7zHqvPo8WoeYNECbWV76AqX4neidjhCFKX2VlYRGp
 P6axWMQKZ7nCEp5XX0P4cw7VlbWDkHreGDKpX+jumRBY0sW6f2uLw9O8G
 Qoe5tNfK+tJ6wjbtxTv9IYtBDcXQ59icyzeyuLPnsYQ4iB2jdm3Aoo5FY 8=;
Authentication-Results: esa4.hc3370-68.iphmx.com;
 dkim=none (message not signed) header.i=none;
 spf=None smtp.pra=george.dunlap@citrix.com;
 spf=Pass smtp.mailfrom=George.Dunlap@citrix.com;
 spf=None smtp.helo=postmaster@mail.citrix.com
Received-SPF: none (zohomail.com: 192.237.175.120 is neither permitted nor
 denied by domain of lists.xenproject.org) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender
 authenticity information available from domain of
 george.dunlap@citrix.com) identity=pra;
 client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com;
 envelope-from="George.Dunlap@citrix.com";
 x-sender="george.dunlap@citrix.com";
 x-conformance=sidf_compatible
Received-SPF: Pass (esa4.hc3370-68.iphmx.com: domain of
 George.Dunlap@citrix.com designates 162.221.158.21 as
 permitted sender) identity=mailfrom;
 client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com;
 envelope-from="George.Dunlap@citrix.com";
 x-sender="George.Dunlap@citrix.com";
 x-conformance=sidf_compatible; x-record-type="v=spf1";
 x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133
 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4
 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88
 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83
 ip4:168.245.78.127 ~all"
Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender
 authenticity information available from domain of
 postmaster@mail.citrix.com) identity=helo;
 client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com;
 envelope-from="George.Dunlap@citrix.com";
 x-sender="postmaster@mail.citrix.com";
 x-conformance=sidf_compatible
IronPort-SDR: 
 QYzoLxQPbAYAx/sAWWKHlBZIv+ODZH5cD6BU5Gb7OuAahSLRwLwNqigpzXv7pHNgskZWTV2QUP
 tdFV3U6IUxirNpVitjlYSvfsgqdEjZU9g9ifw57/PQn43Hf0WoTeOosf1XCEqohBwO3+S7cb3o
 mz3JO8UXD7EBWE0G3Ps2mK4sDO8xqzmICSSm7mDu9eqIwlEedorRAe+AfIFuTJgDXThneKcBog
 Qg100/K3EkcT1dg1U9KCC6pr0GRQ2vLGyxM9cSjLPO9N6SBtKG2/qTPtd5116cSIVOMLrTwd9+
 jTU=
X-SBRS: 2.7
X-MesageID: 9273091
X-Ironport-Server: esa4.hc3370-68.iphmx.com
X-Remote-IP: 162.221.158.21
X-Policy: $RELAYED
X-IronPort-AV: E=Sophos;i="5.69,230,1571716800";
   d="scan'208";a="9273091"
From: George Dunlap <george.dunlap@citrix.com>
To: <xen-devel@lists.xenproject.org>
Date: Fri, 22 Nov 2019 18:52:02 +0000
Message-ID: <20191122185202.1375312-1-george.dunlap@citrix.com>
X-Mailer: git-send-email 2.24.0
MIME-Version: 1.0
Subject: [Xen-devel] [PATCH] x86/mm: Adjust linear uses / entries when a
 page loses validation
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Cc: Juergen Gross <jgross@suse.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>,
 George Dunlap <george.dunlap@citrix.com>, Jan Beulich <jbeulich@suse.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)

"Linear pagetables" is a technique which involves either pointing a
pagetable at itself, or to another pagetable the same or higher level.
Xen has limited support for linear pagetables: A page may either point
to itself, or point to another page of the same level (i.e., L2 to L2,
L3 to L3, and so on).

XSA-240 introduced an additional restriction that limited the "depth"
of such chains by allowing pages to either *point to* other pages of
the same level, or *be pointed to* by other pages of the same level,
but not both.  To implement this, we keep track of the number of
outstanding times a page points to or is pointed to another page
table, to prevent both from happening at the same time.

Additionally, XSA-299 introduced a mode whereby if a page was known to
have been only partially validated, _put_page_type() would be called
with PTF_partial_set, indicating that if the page had been
de-validated by someone else, the type count should be left alone.

Unfortunately, this change did not account for the required accounting
for linear page table uses and entries; in the case that a previously
partially-devalidated pagetable was fully-devalidated by someone else,
the linear_pt_counts are not updated.

This could happen in one of two places:

1. In the case a partially-devalidated page was re-validated by
someone else

2. During domain tear-down, when pages are force-invalidated while
leaving the type count intact.

The second could be ignored, since at that point the pages can no
longer be abused; but the first requires handling.  Note however that
this would not be a security issue: having the counts be too high is
overly strict (i.e., will prevent a page from being used in a way
which is perfectly safe), but shouldn't cause any other issues.

Fix this by adjusting the linear counts when a page loses validation,
regardless of whether the de-validation completed or was only partial.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
Release exception justification: This is a fix for a bug.

CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Juergen Gross <jgross@suse.com>
---
 xen/arch/x86/mm.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index bd8182f40f..7d4dd80a85 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2780,14 +2780,17 @@ static int _put_final_page_type(struct page_info *p=
age, unsigned long type,
 {
     int rc =3D free_page_type(page, type, preemptible);
=20
+    if ( ptpg && PGT_type_equal(type, ptpg->u.inuse.type_info) &&
+         (type & PGT_validated) && rc !=3D -EINTR )
+    {
+        /* Any time we begin de-validation of a page, adjust linear counts=
 */
+        dec_linear_uses(page);
+        dec_linear_entries(ptpg);
+    }
+
     /* No need for atomic update of type_info here: noone else updates it.=
 */
     if ( rc =3D=3D 0 )
     {
-        if ( ptpg && PGT_type_equal(type, ptpg->u.inuse.type_info) )
-        {
-            dec_linear_uses(page);
-            dec_linear_entries(ptpg);
-        }
         ASSERT(!page->linear_pt_count || page_get_owner(page)->is_dying);
         set_tlbflush_timestamp(page);
         smp_wmb();
--=20
2.24.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel