From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org, Julien Grall, Jan Beulich, Andrew Cooper, Roger Pau Monné, Wei Liu
Subject: [for-4.15][PATCH v2 1/5] xen/x86: p2m: Don't map the special pages in the IOMMU page-tables
Date: Tue, 9 Feb 2021 15:28:12 +0000
Message-Id: <20210209152816.15792-2-julien@xen.org>
In-Reply-To: <20210209152816.15792-1-julien@xen.org>
References: <20210209152816.15792-1-julien@xen.org>
Content-Transfer-Encoding: quoted-printable

From: Julien Grall

Currently, the IOMMU page-tables will be populated early in the domain creation if the hardware is able to virtualize the local APIC. However, the IOMMU page tables will not be freed during early failure and will result in a leak.

An assigned device should not need to DMA into the vLAPIC page, so we can avoid mapping the page in the IOMMU page-tables.

This statement is also true for any special pages (the vLAPIC page is one of them). So take the opportunity to prevent the mapping for all of them.

Note that:
  - This is matching the existing behavior with PV guests
  - This doesn't change the behavior when the P2M is shared with the IOMMU. IOW, the special pages will still be accessible by the device.

Suggested-by: Jan Beulich
Signed-off-by: Julien Grall
Reviewed-by: Paul Durrant
---
Changes in v2:
  - New patch
---
 xen/include/asm-x86/p2m.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h index 7d63f5787e62..1802545969b3 100644 --- a/xen/include/asm-x86/p2m.h +++ b/xen/include/asm-x86/p2m.h
@@ -919,6 +919,10 @@ static inline unsigned int p2m_get_iommu_flags(p2m_typ= e_t p2mt, mfn_t mfn) { unsigned int flags; =20 + /* Don't map special pages in the IOMMU page-tables. */ + if ( mfn_valid(mfn) && is_special_page(mfn_to_page(mfn)) ) + return 0; + switch( p2mt ) { case p2m_ram_rw: --=20 2.17.1
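
Review bot: The comment on the new early return at the top of p2m_get_iommu_flags() (patch 1/5) says what is skipped but not why, and does not mention that it has no effect when the P2M is shared with the IOMMU; both points exist only in the commit message. Suggest extending the comment above "if ( mfn_valid(mfn) && is_special_page(mfn_to_page(mfn)) )" to record that an assigned device has no reason to DMA into special pages such as the vLAPIC page, and that with shared page-tables the device can still reach them, so a reader does not take the check for an isolation guarantee.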

From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org, Julien Grall, Jan Beulich, Paul Durrant
Subject: [for-4.15][PATCH v2 2/5] xen/iommu: Check if the IOMMU was initialized before tearing down
Date: Tue, 9 Feb 2021 15:28:13 +0000
Message-Id: <20210209152816.15792-3-julien@xen.org>
In-Reply-To: <20210209152816.15792-1-julien@xen.org>
References: <20210209152816.15792-1-julien@xen.org>
Content-Transfer-Encoding: quoted-printable

From: Julien Grall

is_iommu_enabled() will return true even if the IOMMU has not been initialized (e.g. the ops are not set).

In the case of an early failure in arch_domain_init(), the function iommu_destroy_domain() will be called even if the IOMMU is not initialized.

This will result in dereferencing the ops, which will be NULL, and a host crash.

Fix the issue by checking that ops has been set before accessing it.

Fixes: 71e617a6b8f6 ("use is_iommu_enabled() where appropriate...")
Signed-off-by: Julien Grall
Reviewed-by: Paul Durrant
---
Changes in v2:
  - Move the check in iommu_teardown() so we don't rely on arch_iommu_domain_init() to clean-up its allocation on failure.
  - Fix typo in the commit message
---
 xen/drivers/passthrough/iommu.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iomm= u.c index 2358b6eb09f4..879d238bcd31 100644 --- a/xen/drivers/passthrough/iommu.c +++ b/xen/drivers/passthrough/iommu.c
@@ -221,6 +221,13 @@ static void iommu_teardown(struct domain *d) { struct domain_iommu *hd =3D dom_iommu(d); =20 + /* + * During early domain creation failure, we may reach here with the + * ops not yet initialized. + */ + if ( !hd->platform_ops ) + return; + iommu_vcall(hd->platform_ops, teardown, d); } =20 --=20 2.17.1
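
Review bot: The "if ( !hd->platform_ops ) return;" guard added to iommu_teardown() (patch 2/5) covers only this one call site, while the commit message gives the root cause as is_iommu_enabled() returning true before the ops are set. Any other path that is gated on is_iommu_enabled(d) and then dereferences hd->platform_ops has the same exposure, so please state in the comment or the commit message that teardown is the only such path reachable from an early arch_domain_init() failure, or list the others that were checked.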

From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org, Julien Grall, Jan Beulich, Paul Durrant
Subject: [for-4.15][PATCH v2 3/5] xen/iommu: iommu_map: Don't crash the domain if it is dying
Date: Tue, 9 Feb 2021 15:28:14 +0000
Message-Id: <20210209152816.15792-4-julien@xen.org>
In-Reply-To: <20210209152816.15792-1-julien@xen.org>
References: <20210209152816.15792-1-julien@xen.org>
Content-Transfer-Encoding: quoted-printable

From: Julien Grall

It is a bit pointless to crash a domain that is already dying. This will become more of an annoyance with a follow-up change where page-table allocation will be forbidden when the domain is dying.

Security-wise, there is no change as the devices would still have access to the IOMMU page-tables even if the domain has crashed until Xen starts to relinquish the resources.

For x86, we rely on dom_iommu(d)->arch.mapping.lock to ensure d->is_dying is correctly observed (a follow-up patch will hold it in the relinquish path).

For Arm, there is still a small race possible. But there is so far no failure specific to a domain dying.

Signed-off-by: Julien Grall
---
This was spotted when trying to destroy IOREQ servers while the domain is dying. The code will try to add the entry back in the P2M and therefore update the P2M (see arch_ioreq_server_disable() -> hvm_add_ioreq_gfn()).

It should be possible to skip the mapping in hvm_add_ioreq_gfn(), however I didn't try a patch yet because checking d->is_dying can be racy (I can't find a proper lock).

Changes in v2:
  - Patch added
---
 xen/drivers/passthrough/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iomm= u.c index 879d238bcd31..75419f20f76d 100644 --- a/xen/drivers/passthrough/iommu.c +++ b/xen/drivers/passthrough/iommu.c
@@ -272,7 +272,7 @@ int iommu_map(struct domain *d, dfn_t dfn, mfn_t mfn, flush_flags) ) continue; =20 - if ( !is_hardware_domain(d) ) + if ( !is_hardware_domain(d) && !d->is_dying ) domain_crash(d); =20 break; --=20 2.17.1
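
Review bot: In the error path of iommu_map() (patch 3/5), the added "!d->is_dying" test is read with no lock visible in this hunk, and the reasoning for why that is acceptable (the x86 mapping lock, the remaining Arm race) exists only in the commit message. Suggest a short comment above "if ( !is_hardware_domain(d) && !d->is_dying )" recording that a dying domain is deliberately not crashed and what orders the read of d->is_dying against the relinquish path. The commit message also names the lock dom_iommu(d)->arch.mapping.lock, while patch 5/5 takes hd->arch.mapping_lock; one of the two spellings should be corrected.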

From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org, Julien Grall, Jan Beulich, Paul Durrant
Subject: [for-4.15][PATCH v2 4/5] xen/iommu: x86: Don't leak the IOMMU page-tables
Date: Tue, 9 Feb 2021 15:28:15 +0000
Message-Id: <20210209152816.15792-5-julien@xen.org>
In-Reply-To: <20210209152816.15792-1-julien@xen.org>
References: <20210209152816.15792-1-julien@xen.org>
Content-Transfer-Encoding: quoted-printable

From: Julien Grall

The new IOMMU page-tables allocator will release the pages when relinquishing the domain resources. However, this is not sufficient when the domain is dying because nothing prevents page-tables from being allocated.

iommu_alloc_pgtable() is now checking if the domain is dying before adding the page in the list. We are relying on &hd->arch.pgtables.lock to synchronize d->is_dying.

Take the opportunity to check in arch_iommu_domain_destroy() that all the page tables have been freed.

Signed-off-by: Julien Grall
Reviewed-by: Paul Durrant
---
There is one more bug that will be solved in the next patch as I felt they each needed a long explanation.

Changes in v2:
  - Rework the approach
  - Move the patch earlier in the series
---
 xen/drivers/passthrough/x86/iommu.c | 36 ++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/= x86/iommu.c index cea1032b3d02..82d770107a47 100644 --- a/xen/drivers/passthrough/x86/iommu.c +++ b/xen/drivers/passthrough/x86/iommu.c
@@ -149,6 +149,13 @@ int arch_iommu_domain_init(struct domain *d) =20 void arch_iommu_domain_destroy(struct domain *d) { + /* + * There should be not page-tables left allocated by the time the + * domain is destroyed. Note that arch_iommu_domain_destroy() is + * called unconditionally, so pgtables may be unitialized. + */ + ASSERT(dom_iommu(d)->platform_ops =3D=3D NULL || + page_list_empty(&dom_iommu(d)->arch.pgtables.list)); } =20 static bool __hwdom_init hwdom_iommu_map(const struct domain *d, @@ -267,6 +274,12 @@ int iommu_free_pgtables(struct domain *d) struct page_info *pg; unsigned int done =3D 0; =20 + if ( !is_iommu_enabled(d) ) + return 0; + + /* After this barrier no new page allocations can occur. */ + spin_barrier(&hd->arch.pgtables.lock); + while ( (pg =3D page_list_remove_head(&hd->arch.pgtables.list)) ) { free_domheap_page(pg); @@ -284,6 +297,7 @@ struct page_info *iommu_alloc_pgtable(struct domain *d) unsigned int memflags =3D 0; struct page_info *pg; void *p; + bool alive =3D false; =20 #ifdef CONFIG_NUMA if ( hd->node !=3D NUMA_NO_NODE ) 
@@ -303,9 +317,29 @@ struct page_info *iommu_alloc_pgtable(struct domain *d) unmap_domain_page(p); =20 spin_lock(&hd->arch.pgtables.lock); - page_list_add(pg, &hd->arch.pgtables.list); + /* + * The IOMMU page-tables are freed when relinquishing the domain, but + * nothing prevent allocation to happen afterwards. There is no valid + * reasons to continue to update the IOMMU page-tables while the + * domain is dying. + * + * So prevent page-table allocation when the domain is dying. + * + * We relying on &hd->arch.pgtables.lock to synchronize d->is_dying. + */ + if ( likely(!d->is_dying) ) + { + alive =3D true; + page_list_add(pg, &hd->arch.pgtables.list); + } spin_unlock(&hd->arch.pgtables.lock); =20 + if ( unlikely(!alive) ) + { + free_domheap_page(pg); + pg =3D NULL; + } + return pg; } =20 --=20 2.17.1
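
Review bot: The ASSERT added to arch_iommu_domain_destroy() (patch 4/5, first hunk) uses "dom_iommu(d)->platform_ops == NULL" as a stand-in for "pgtables was never initialised", which makes the check depend on the list being set up no later than the ops are assigned. A line in the comment saying so would make that dependency explicit. The comment also has two typos: "There should be not page-tables" and "unitialized".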
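
Review bot: In the iommu_free_pgtables() hunk of patch 4/5, the comment "After this barrier no new page allocations can occur" holds only if d->is_dying was already set before spin_barrier(&hd->arch.pgtables.lock) runs, because iommu_alloc_pgtable() tests d->is_dying under that same lock. The hunk neither checks nor states that precondition. An ASSERT(d->is_dying) ahead of the barrier, or a sentence in the comment, would document it and catch a caller that frees the page-tables of a live domain.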
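
Review bot: In the last hunk of patch 4/5, iommu_alloc_pgtable() now returns NULL for a dying domain, which callers cannot tell apart from an allocation failure; the function should say so where it is documented, since this is the case that patch 3/5 stops treating as a reason to crash the domain. The new block comment before "if ( likely(!d->is_dying) )" also needs a grammar pass ("nothing prevent allocation", "no valid reasons", "We relying on").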

From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org, Julien Grall, Jan Beulich, Andrew Cooper, Kevin Tian, Paul Durrant
Subject: [for-4.15][PATCH v2 5/5] xen/iommu: x86: Clear the root page-table before freeing the page-tables
Date: Tue, 9 Feb 2021 15:28:16 +0000
Message-Id: <20210209152816.15792-6-julien@xen.org>
In-Reply-To: <20210209152816.15792-1-julien@xen.org>
References: <20210209152816.15792-1-julien@xen.org>
Content-Transfer-Encoding: quoted-printable

From: Julien Grall

The new per-domain IOMMU page-table allocator will now free the page-tables when domain's resources are relinquished. However, the root page-table (i.e. hd->arch.pg_maddr) will not be cleared.

Xen may access the IOMMU page-tables afterwards at least in the case of a PV domain:

    (XEN) Xen call trace:
    (XEN) [] R iommu.c#addr_to_dma_page_maddr+0x12e/0x1d8
    (XEN) [] F iommu.c#intel_iommu_unmap_page+0x5d/0xf8
    (XEN) [] F iommu_unmap+0x9c/0x129
    (XEN) [] F iommu_legacy_unmap+0x26/0x63
    (XEN) [] F mm.c#cleanup_page_mappings+0x139/0x144
    (XEN) [] F put_page+0x4b/0xb3
    (XEN) [] F put_page_from_l1e+0x136/0x13b
    (XEN) [] F devalidate_page+0x256/0x8dc
    (XEN) [] F mm.c#_put_page_type+0x236/0x47e
    (XEN) [] F mm.c#put_pt_page+0x6f/0x80
    (XEN) [] F mm.c#put_page_from_l2e+0x8a/0xcf
    (XEN) [] F devalidate_page+0x3a3/0x8dc
    (XEN) [] F mm.c#_put_page_type+0x236/0x47e
    (XEN) [] F mm.c#put_pt_page+0x6f/0x80
    (XEN) [] F mm.c#put_page_from_l3e+0x8a/0xcf
    (XEN) [] F devalidate_page+0x56c/0x8dc
    (XEN) [] F mm.c#_put_page_type+0x236/0x47e
    (XEN) [] F mm.c#put_pt_page+0x6f/0x80
    (XEN) [] F mm.c#put_page_from_l4e+0x69/0x6d
    (XEN) [] F devalidate_page+0x6a0/0x8dc
    (XEN) [] F mm.c#_put_page_type+0x236/0x47e
    (XEN) [] F put_page_type_preemptible+0x13/0x15
    (XEN) [] F domain.c#relinquish_memory+0x1ff/0x4e9
    (XEN) [] F domain_relinquish_resources+0x2b6/0x36a
    (XEN) [] F domain_kill+0xb8/0x141
    (XEN) [] F do_domctl+0xb6f/0x18e5
    (XEN) [] F pv_hypercall+0x2f0/0x55f
    (XEN) [] F lstar_enter+0x112/0x120

This will result in a use-after-free and possibly a host crash or memory corruption.

Freeing the page-tables further down in domain_relinquish_resources() would not work because pages may not be released until later if another domain holds a reference on them.

Once all the PCI devices have been de-assigned, it is actually pointless to access/modify the IOMMU page-tables. So we can simply clear the root page-table address.

Fixes: 3eef6d07d722 ("x86/iommu: convert VT-d code to use new page table allocator")
Signed-off-by: Julien Grall Reviewed-by: Paul Durrant --- Changes in v2: - Introduce clear_root_pgtable() - Move the patch later in the series --- xen/drivers/passthrough/amd/pci_amd_iommu.c | 12 +++++++++++- xen/drivers/passthrough/vtd/iommu.c | 12 +++++++++++- xen/drivers/passthrough/x86/iommu.c | 6 ++++++ xen/include/xen/iommu.h | 1 + 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/pass= through/amd/pci_amd_iommu.c index 42b5a5a9bec4..81add0ba26b4 100644 --- a/xen/drivers/passthrough/amd/pci_amd_iommu.c +++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c @@ -381,9 +381,18 @@ static int amd_iommu_assign_device(struct domain *d, u= 8 devfn, return reassign_device(pdev->domain, d, devfn, pdev); } =20 +static void iommu_clear_root_pgtable(struct domain *d) +{ + struct domain_iommu *hd =3D dom_iommu(d); + + spin_lock(&hd->arch.mapping_lock); + hd->arch.amd.root_table =3D NULL; + spin_unlock(&hd->arch.mapping_lock); +} + static void amd_iommu_domain_destroy(struct domain *d) { - dom_iommu(d)->arch.amd.root_table =3D NULL; + ASSERT(!dom_iommu(d)->arch.amd.root_table); } =20 static int amd_iommu_add_device(u8 devfn, struct pci_dev *pdev) @@ -565,6 +574,7 @@ static const struct iommu_ops __initconstrel _iommu_ops= =3D { .remove_device =3D amd_iommu_remove_device, .assign_device =3D amd_iommu_assign_device, .teardown =3D amd_iommu_domain_destroy, + .clear_root_pgtable =3D iommu_clear_root_pgtable, .map_page =3D amd_iommu_map_page, .unmap_page =3D amd_iommu_unmap_page, .iotlb_flush =3D amd_iommu_flush_iotlb_pages, diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/= vtd/iommu.c index d136fe36883b..e1871f6c2bc1 100644 --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c 
@@ -1726,6 +1726,15 @@ out: return ret; } =20 +static void iommu_clear_root_pgtable(struct domain *d) +{ + struct domain_iommu *hd =3D dom_iommu(d); + + spin_lock(&hd->arch.mapping_lock); + hd->arch.vtd.pgd_maddr =3D 0; + spin_unlock(&hd->arch.mapping_lock); +} + static void iommu_domain_teardown(struct domain *d) { struct domain_iommu *hd =3D dom_iommu(d); @@ -1740,7 +1749,7 @@ static void iommu_domain_teardown(struct domain *d) xfree(mrmrr); } =20 - hd->arch.vtd.pgd_maddr =3D 0; + ASSERT(!hd->arch.vtd.pgd_maddr); } =20 static int __must_check intel_iommu_map_page(struct domain *d, dfn_t dfn, @@ -2719,6 +2728,7 @@ static struct iommu_ops __initdata vtd_ops =3D { .remove_device =3D intel_iommu_remove_device, .assign_device =3D intel_iommu_assign_device, .teardown =3D iommu_domain_teardown, + .clear_root_pgtable =3D iommu_clear_root_pgtable, .map_page =3D intel_iommu_map_page, .unmap_page =3D intel_iommu_unmap_page, .lookup_page =3D intel_iommu_lookup_page, diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/= x86/iommu.c index 82d770107a47..d3cdec6ee83f 100644 --- a/xen/drivers/passthrough/x86/iommu.c +++ b/xen/drivers/passthrough/x86/iommu.c @@ -280,6 +280,12 @@ int iommu_free_pgtables(struct domain *d) /* After this barrier no new page allocations can occur. */ spin_barrier(&hd->arch.pgtables.lock); =20 + /* + * Pages will be moved to the free list in a bit. So we want to + * clear the root page-table to avoid any potential use after-free. + */ + hd->platform_ops->clear_root_pgtable(d); + while ( (pg =3D page_list_remove_head(&hd->arch.pgtables.list)) ) { free_domheap_page(pg); diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h index 863a68fe1622..d59ed7cbad43 100644 --- a/xen/include/xen/iommu.h +++ b/xen/include/xen/iommu.h 
@@ -272,6 +272,7 @@ struct iommu_ops { =20 int (*adjust_irq_affinities)(void); void (*sync_cache)(const void *addr, unsigned int size); + void (*clear_root_pgtable)(struct domain *d); #endif /* CONFIG_X86 */ =20 int __must_check (*suspend)(void); --=20 2.17.1
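
Review bot: The ASSERT(!dom_iommu(d)->arch.amd.root_table) that replaces the assignment in amd_iommu_domain_destroy() (patch 5/5), like the matching ASSERT(!hd->arch.vtd.pgd_maddr) in iommu_domain_teardown(), assumes clear_root_pgtable always ran before teardown. The only caller added in this patch is iommu_free_pgtables(); if teardown can be reached without going through it, the assertion fires on debug builds and, with the assignment gone, the stale root pointer survives on builds where ASSERT compiles away. Please state which path guarantees the ordering. Separately, the new helper in pci_amd_iommu.c is named iommu_clear_root_pgtable() while its neighbours in that file use the amd_iommu_ prefix.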
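
Review bot: In the x86/iommu.c hunk of patch 5/5, "hd->platform_ops->clear_root_pgtable(d);" dereferences platform_ops behind only the is_iommu_enabled(d) check added in patch 4/5, which patch 2/5 describes as true even when the ops are not set. The call is also made directly, where iommu_teardown() goes through iommu_vcall(). Suggest iommu_vcall(hd->platform_ops, clear_root_pgtable, d) and either a guard on hd->platform_ops or a comment on why iommu_free_pgtables() cannot run before the ops are assigned.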
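
Review bot: The new clear_root_pgtable member added to struct iommu_ops in xen/include/xen/iommu.h (patch 5/5, last hunk) has no comment describing its contract. Both implementations take hd->arch.mapping_lock and the single caller runs after the spin_barrier() in iommu_free_pgtables(), so a one-line comment on when the hook is called and what locking the implementation is expected to do would help the next vendor driver get it right.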