It's at least odd to check counters which aren't going to be
incremented, resulting in failure just because prior operations may
have left an entry in an unusual state. And it's also not helpful to
use open-coded literal numbers in these checks.
Calculate the increment values first and derive from them the mask to
use in the checks.
Also move the pin count checks ahead of the calculation of the status
(and for copy also sha2) pointers: They're not needed in the failure
cases, and this way the compiler may also have an easier time keeping
the variables at least transiently in registers for the subsequent uses.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Replace pre-existing comment. Introduce GNTPIN_incr2oflow_mask().
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -322,23 +322,38 @@ shared_entry_header(struct grant_table *
/* Active grant entry - used for shadowing GTF_permit_access grants. */
struct active_grant_entry {
- uint32_t pin; /* Reference count information: */
+/*
+ * 4x byte-wide reference counts, for {host,device}{read,write} mappings,
+ * implemented as a single 32-bit (presumably to optimise checking for any
+ * reference).
+ */
+ uint32_t pin;
+ /* Width of the individual counter fields. */
+#define GNTPIN_cntr_width 8
+#define GNTPIN_cntr_mask ((1U << GNTPIN_cntr_width) - 1)
/* Count of writable host-CPU mappings. */
#define GNTPIN_hstw_shift 0
#define GNTPIN_hstw_inc (1U << GNTPIN_hstw_shift)
-#define GNTPIN_hstw_mask (0xFFU << GNTPIN_hstw_shift)
+#define GNTPIN_hstw_mask (GNTPIN_cntr_mask << GNTPIN_hstw_shift)
/* Count of read-only host-CPU mappings. */
-#define GNTPIN_hstr_shift 8
+#define GNTPIN_hstr_shift (GNTPIN_hstw_shift + GNTPIN_cntr_width)
#define GNTPIN_hstr_inc (1U << GNTPIN_hstr_shift)
-#define GNTPIN_hstr_mask (0xFFU << GNTPIN_hstr_shift)
+#define GNTPIN_hstr_mask (GNTPIN_cntr_mask << GNTPIN_hstr_shift)
/* Count of writable device-bus mappings. */
-#define GNTPIN_devw_shift 16
+#define GNTPIN_devw_shift (GNTPIN_hstr_shift + GNTPIN_cntr_width)
#define GNTPIN_devw_inc (1U << GNTPIN_devw_shift)
-#define GNTPIN_devw_mask (0xFFU << GNTPIN_devw_shift)
+#define GNTPIN_devw_mask (GNTPIN_cntr_mask << GNTPIN_devw_shift)
/* Count of read-only device-bus mappings. */
-#define GNTPIN_devr_shift 24
+#define GNTPIN_devr_shift (GNTPIN_devw_shift + GNTPIN_cntr_width)
#define GNTPIN_devr_inc (1U << GNTPIN_devr_shift)
-#define GNTPIN_devr_mask (0xFFU << GNTPIN_devr_shift)
+#define GNTPIN_devr_mask (GNTPIN_cntr_mask << GNTPIN_devr_shift)
+
+/* Convert a combination of GNTPIN_*_inc to an overflow checking mask. */
+#define GNTPIN_incr2oflow_mask(x) ({ \
+ ASSERT(!((x) & ~(GNTPIN_hstw_inc | GNTPIN_hstr_inc | \
+ GNTPIN_devw_inc | GNTPIN_devr_inc))); \
+ (x) << (GNTPIN_cntr_width - 1); \
+})
domid_t domid; /* Domain being granted access. */
unsigned int start:15; /* For sub-page grants, the start offset
@@ -988,7 +1003,8 @@ map_grant_ref(
mfn_t mfn;
struct page_info *pg = NULL;
int rc = GNTST_okay;
- unsigned int cache_flags, clear_flags = 0, refcnt = 0, typecnt = 0;
+ unsigned int cache_flags, clear_flags = 0, refcnt = 0, typecnt = 0,
+ pin_incr = 0;
bool host_map_created = false;
struct active_grant_entry *act = NULL;
struct grant_mapping *mt;
@@ -998,7 +1014,14 @@ map_grant_ref(
ld = current->domain;
- if ( unlikely((op->flags & (GNTMAP_device_map|GNTMAP_host_map)) == 0) )
+ if ( op->flags & GNTMAP_device_map )
+ pin_incr += (op->flags & GNTMAP_readonly) ? GNTPIN_devr_inc
+ : GNTPIN_devw_inc;
+ if ( op->flags & GNTMAP_host_map )
+ pin_incr += (op->flags & GNTMAP_readonly) ? GNTPIN_hstr_inc
+ : GNTPIN_hstw_inc;
+
+ if ( unlikely(!pin_incr) )
{
gdprintk(XENLOG_INFO, "Bad flags in grant map op: %x\n", op->flags);
op->status = GNTST_bad_gntref;
@@ -1052,19 +1075,19 @@ map_grant_ref(
shah = shared_entry_header(rgt, ref);
act = active_entry_acquire(rgt, ref);
- /* Make sure we do not access memory speculatively */
- status = evaluate_nospec(rgt->gt_version == 1) ? &shah->flags
- : &status_entry(rgt, ref);
-
/* If already pinned, check the active domid and avoid refcnt overflow. */
if ( act->pin &&
((act->domid != ld->domain_id) ||
- (act->pin & 0x80808080U) != 0 ||
+ (act->pin & GNTPIN_incr2oflow_mask(pin_incr)) ||
(act->is_sub_page)) )
PIN_FAIL(act_release_out, GNTST_general_error,
"Bad domain (%d != %d), or risk of counter overflow %08x, or subpage %d\n",
act->domid, ld->domain_id, act->pin, act->is_sub_page);
+ /* Make sure we do not access memory speculatively */
+ status = evaluate_nospec(rgt->gt_version == 1) ? &shah->flags
+ : &status_entry(rgt, ref);
+
if ( !act->pin ||
(!(op->flags & GNTMAP_readonly) &&
!(act->pin & (GNTPIN_hstw_mask|GNTPIN_devw_mask))) )
@@ -1095,12 +1118,7 @@ map_grant_ref(
}
}
- if ( op->flags & GNTMAP_device_map )
- act->pin += (op->flags & GNTMAP_readonly) ?
- GNTPIN_devr_inc : GNTPIN_devw_inc;
- if ( op->flags & GNTMAP_host_map )
- act->pin += (op->flags & GNTMAP_readonly) ?
- GNTPIN_hstr_inc : GNTPIN_hstw_inc;
+ act->pin += pin_incr;
mfn = act->mfn;
@@ -1275,13 +1293,7 @@ map_grant_ref(
grant_read_lock(rgt);
act = active_entry_acquire(rgt, op->ref);
-
- if ( op->flags & GNTMAP_device_map )
- act->pin -= (op->flags & GNTMAP_readonly) ?
- GNTPIN_devr_inc : GNTPIN_devw_inc;
- if ( op->flags & GNTMAP_host_map )
- act->pin -= (op->flags & GNTMAP_readonly) ?
- GNTPIN_hstr_inc : GNTPIN_hstw_inc;
+ act->pin -= pin_incr;
unlock_out_clear:
if ( !(op->flags & GNTMAP_readonly) &&
@@ -2516,6 +2528,7 @@ acquire_grant_for_copy(
uint16_t trans_length;
bool is_sub_page;
s16 rc = GNTST_okay;
+ unsigned int pin_incr = readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
unsigned int clear_flags = 0;
*page = NULL;
@@ -2530,6 +2543,14 @@ acquire_grant_for_copy(
shah = shared_entry_header(rgt, gref);
act = active_entry_acquire(rgt, gref);
+ /* If already pinned, check the active domid and avoid refcnt overflow. */
+ if ( act->pin &&
+ ((act->domid != ldom) ||
+ (act->pin & GNTPIN_incr2oflow_mask(pin_incr))) )
+ PIN_FAIL(unlock_out, GNTST_general_error,
+ "Bad domain (%d != %d), or risk of counter overflow %08x\n",
+ act->domid, ldom, act->pin);
+
if ( evaluate_nospec(rgt->gt_version == 1) )
{
sha2 = NULL;
@@ -2541,12 +2562,6 @@ acquire_grant_for_copy(
status = &status_entry(rgt, gref);
}
- /* If already pinned, check the active domid and avoid refcnt overflow. */
- if ( act->pin && ((act->domid != ldom) || (act->pin & 0x80808080U) != 0) )
- PIN_FAIL(unlock_out, GNTST_general_error,
- "Bad domain (%d != %d), or risk of counter overflow %08x\n",
- act->domid, ldom, act->pin);
-
old_pin = act->pin;
if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive )
{
@@ -2728,7 +2743,7 @@ acquire_grant_for_copy(
}
}
- act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;
+ act->pin += pin_incr;
*page_off = act->start;
*length = act->length;
On 15/01/2021 15:14, Jan Beulich wrote: > It's at least odd to check counters which aren't going to be > incremented, resulting in failure just because prior operations may > have left an entry in an unusual state. I wouldn't say it's an unusual state. It can happen legally when you map the same gref 128 times Why a guest would do this in normal operation is a different question. Perhaps "prior operations may have reached the refcount limit" ? > And it's also not helpful to > use open-coded literal numbers in these checks. > > Calculate the increment values first and derive from them the mask to > use in the checks. > > Also move the pin count checks ahead of the calculation of the status > (and for copy also sha2) pointers: They're not needed in the failure > cases, and this way the compiler may also have an easier time keeping > the variables at least transiently in registers for the subsequent uses. > > Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
On 15.01.2021 16:38, Andrew Cooper wrote: > On 15/01/2021 15:14, Jan Beulich wrote: >> It's at least odd to check counters which aren't going to be >> incremented, resulting in failure just because prior operations may >> have left an entry in an unusual state. > > I wouldn't say it's an unusual state. It can happen legally when you > map the same gref 128 times > > Why a guest would do this in normal operation is a different question. Hence the "unusual". > Perhaps "prior operations may have reached the refcount limit" ? Fine with me. >> And it's also not helpful to >> use open-coded literal numbers in these checks. >> >> Calculate the increment values first and derive from them the mask to >> use in the checks. >> >> Also move the pin count checks ahead of the calculation of the status >> (and for copy also sha2) pointers: They're not needed in the failure >> cases, and this way the compiler may also have an easier time keeping >> the variables at least transiently in registers for the subsequent uses. >> >> Signed-off-by: Jan Beulich <jbeulich@suse.com> > > Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Thanks. Jan
© 2016 - 2026 Red Hat, Inc.