[PATCH v3 01/28] xen/xsm: remove redundant xsm_iomem_mapping()

[PATCH v3 01/28] xen/xsm: remove redundant xsm_iomem_mapping()
Posted by Penny Zheng 2 weeks, 3 days ago
Function xsm_iomem_mapping() seems redundant, and in flask policy, it just
directly calls xsm_iomem_permission().
Remove it and use xsm_iomem_permission() instead, with the benefit of a
cf_check disappearing too.

Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Penny Zheng <Penny.Zheng@amd.com>
---
v2 -> v3:
- new commit
---
 xen/common/domctl.c       | 2 +-
 xen/drivers/vpci/header.c | 2 +-
 xen/include/xsm/dummy.h   | 7 -------
 xen/include/xsm/xsm.h     | 8 --------
 xen/xsm/dummy.c           | 1 -
 xen/xsm/flask/hooks.c     | 6 ------
 6 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 954d790226..71ebeff494 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -701,7 +701,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
              !iomem_access_permitted(d, mfn, mfn_end) )
             break;
 
-        ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add);
+        ret = xsm_iomem_permission(XSM_HOOK, d, mfn, mfn_end, add);
         if ( ret )
             break;
 
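Review bot: The call in do_domctl now gates an actual mapping with a hook whose name says it governs granting permission, and nothing at the call site records that the two decisions are deliberately the same; the same applies to the call in map_range in xen/drivers/vpci/header.c. A short comment above each call would keep a later audit of XSM call sites from reading this as a copy-paste slip, for example `/* Mapping is authorised by the same XSM hook as granting iomem permission. */`. It is also worth confirming that the dummy xsm_iomem_permission() asserts XSM_HOOK, as the removed xsm_iomem_mapping() did, since only the tail of that function is visible in the dummy.h hunk. With a single hook, any later tightening of the iomem_permission default or policy will apply to both mapping paths as well, which should be a stated intent rather than a side effect. do_domctl's body continues outside the hunk.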
diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c
index 469f497744..1ff6c63f4d 100644
--- a/xen/drivers/vpci/header.c
+++ b/xen/drivers/vpci/header.c
@@ -67,7 +67,7 @@ static int cf_check map_range(
             return -EPERM;
         }
 
-        rc = xsm_iomem_mapping(XSM_HOOK, map->d, map_mfn, m_end, map->map);
+        rc = xsm_iomem_permission(XSM_HOOK, map->d, map_mfn, m_end, map->map);
         if ( rc )
         {
             printk(XENLOG_G_WARNING
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 12792c3a43..5e29165763 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -570,13 +570,6 @@ static XSM_INLINE int cf_check xsm_iomem_permission(
     return xsm_default_action(action, current->domain, d);
 }
 
-static XSM_INLINE int cf_check xsm_iomem_mapping(
-    XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
-{
-    XSM_ASSERT_ACTION(XSM_HOOK);
-    return xsm_default_action(action, current->domain, d);
-}
-
 static XSM_INLINE int cf_check xsm_pci_config_permission(
     XSM_DEFAULT_ARG struct domain *d, uint32_t machine_bdf, uint16_t start,
     uint16_t end, uint8_t access)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 9a23d2827c..34caad2f7e 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -116,8 +116,6 @@ struct xsm_ops {
     int (*irq_permission)(struct domain *d, int pirq, uint8_t allow);
     int (*iomem_permission)(struct domain *d, uint64_t s, uint64_t e,
                             uint8_t allow);
-    int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e,
-                         uint8_t allow);
     int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf,
                                  uint16_t start, uint16_t end, uint8_t access);
 
@@ -517,12 +515,6 @@ static inline int xsm_iomem_permission(
     return alternative_call(xsm_ops.iomem_permission, d, s, e, allow);
 }
 
-static inline int xsm_iomem_mapping(
-    xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
-{
-    return alternative_call(xsm_ops.iomem_mapping, d, s, e, allow);
-}
-
 static inline int xsm_pci_config_permission(
     xsm_default_t def, struct domain *d, uint32_t machine_bdf, uint16_t start,
     uint16_t end, uint8_t access)
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 8b7e01b506..86daca3e89 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -75,7 +75,6 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = {
     .unbind_pt_irq                 = xsm_unbind_pt_irq,
     .irq_permission                = xsm_irq_permission,
     .iomem_permission              = xsm_iomem_permission,
-    .iomem_mapping                 = xsm_iomem_mapping,
     .pci_config_permission         = xsm_pci_config_permission,
     .get_vnumainfo                 = xsm_get_vnumainfo,
 
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index b0308e1b26..e98920dd52 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1167,11 +1167,6 @@ static int cf_check flask_iomem_permission(
     return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
 }
 
-static int cf_check flask_iomem_mapping(struct domain *d, uint64_t start, uint64_t end, uint8_t access)
-{
-    return flask_iomem_permission(d, start, end, access);
-}
-
 static int cf_check flask_pci_config_permission(
     struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end,
     uint8_t access)
@@ -1945,7 +1940,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = {
     .unbind_pt_irq = flask_unbind_pt_irq,
     .irq_permission = flask_irq_permission,
     .iomem_permission = flask_iomem_permission,
-    .iomem_mapping = flask_iomem_mapping,
     .pci_config_permission = flask_pci_config_permission,
 
     .resource_plug_core = flask_resource_plug_core,
-- 
2.34.1
Re: [PATCH v3 01/28] xen/xsm: remove redundant xsm_iomem_mapping()
Posted by Jan Beulich 2 weeks, 3 days ago
On 13.10.2025 12:15, Penny Zheng wrote:
> Function xsm_iomem_mapping() seems redundant, and in flask policy, it just
> directly calls xsm_iomem_permission().
> Remove it and use xsm_iomem_permission() instead, with the benefit of a
> cf_check disappearing too.
> 
> Suggested-by: Jan Beulich <jbeulich@suse.com>
> Signed-off-by: Penny Zheng <Penny.Zheng@amd.com>

No, this is definitely not what I had suggested. What I did suggest was
to get rid of just ...

> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -1167,11 +1167,6 @@ static int cf_check flask_iomem_permission(
>      return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
>  }
>  
> -static int cf_check flask_iomem_mapping(struct domain *d, uint64_t start, uint64_t end, uint8_t access)
> -{
> -    return flask_iomem_permission(d, start, end, access);
> -}

... the extra call layer here, by using ...

> @@ -1945,7 +1940,6 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = {
>      .unbind_pt_irq = flask_unbind_pt_irq,
>      .irq_permission = flask_irq_permission,
>      .iomem_permission = flask_iomem_permission,
> -    .iomem_mapping = flask_iomem_mapping,

... flask_iomem_permission() a 2nd time here (and perhaps with a suitable
comment).

That said, if Daniel was okay with the wider folding, so be it.

Jan