From: Val Packett
To: Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko
Cc: Val Packett, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH v2] xen: privcmd: fix ioeventfd crash under PV domain
Date: Wed, 26 Nov 2025 02:54:57 -0300
Message-ID: <20251126062124.117425-1-val@invisiblethingslab.com>

Starting a virtio backend in a PV domain would panic the kernel in
alloc_ioreq, trying to dereference vma->vm_private_data as a pages
pointer when in reality it stayed as PRIV_VMA_LOCKED.

Avoid crashing by handling the PRIV_VMA_LOCKED case in alloc_ioreq.
PV support requires mapping the virtio ioreq page explicitly into the
kernel's page tables, so do it on-demand when PRIV_VMA_LOCKED is seen.
Signed-off-by: Val Packett
---
Changes from RFC v1[1]:

* An actually working patch now, not just a request for help :)
  All I needed to know was that PV actually doesn't emulate a common
  physical address space *at all*, the pfn mapped by
  xen_remap_domain_mfn_array was *only* available in the userspace
  process and the *only* way to have kernel access to the same memory
  was to perform the same call but for the kernel's mm.

* Everything happens lazily / on-demand, inside of the ioeventfd code,
  addressing concerns about extra work performed for non-ioeventfd
  usage from the review. (kmalloc specifically is gone entirely..)

I'm leaving this as RFC mostly because of the "fake" vm_area_struct
that's used as a workaround for xen_remap_domain_mfn_array (or rather,
its underlying xen_remap_pfn) accepting a vm_area_struct only to take
its vm_mm (and also check flags with a BUG assertion). It was written
for userspace processes since that was the only use case anyone could
ever imagine.. until ioeventfd came along. So it would probably be
better to change xen_remap_pfn to take the mm? Maybe? I wanted to ask
for advice first before trying to refactor other code.

Thanks,
~val

[1]: https://lore.kernel.org/all/20251015195713.6500-1-val@invisiblethingslab.com/
---
 drivers/xen/privcmd.c | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c index f52a457b302d..a3ad10f149ec 100644 --- a/drivers/xen/privcmd.c +++ b/drivers/xen/privcmd.c @@ -818,6 +818,8 @@ static long privcmd_ioctl_mmap_resource(struct file *fi= le, DOMID_SELF : kdata.dom; int num, *errs =3D (int *)pfns; =20 + vma->vm_pgoff =3D pfns[0]; /* store the acquired pfn for ioeventfd acces= s */ + BUILD_BUG_ON(sizeof(*errs) > sizeof(*pfns)); num =3D xen_remap_domain_mfn_array(vma, kdata.addr & PAGE_MASK,
@@ -1248,10 +1250,38 @@ struct privcmd_kernel_ioreq *alloc_ioreq(struct pri= vcmd_ioeventfd *ioeventfd) goto error_kfree; } =20 - pages =3D vma->vm_private_data; - kioreq->ioreq =3D (struct ioreq *)(page_to_virt(pages[0])); mmap_write_unlock(mm); =20 + /* In a PV domain, we must manually map the pages into the kernel */ + if (vma->vm_private_data =3D=3D PRIV_VMA_LOCKED) { + /* This should never ever happen outside of PV */ + if (WARN_ON_ONCE(!xen_pv_domain())) { + ret =3D -EINVAL; + goto error_kfree; + } + + /* xen_remap_domain_mfn_array only really needs the mm */ + struct vm_area_struct kern_vma =3D { + .vm_flags =3D VM_PFNMAP | VM_IO, + .vm_mm =3D &init_mm, + }; + xen_pfn_t pfn =3D vma->vm_pgoff; + int num, err; + + /* Don't provide NULL as the errors array as that results in pfn increme= nt */ + num =3D xen_remap_domain_mfn_array(&kern_vma, (unsigned long)pfn_to_kadd= r(pfn), + &pfn, 1, &err, PAGE_KERNEL, ioeventfd->dom); + if (num < 0) { + ret =3D num; + goto error_kfree; + } + + kioreq->ioreq =3D (struct ioreq *)(pfn_to_kaddr(pfn)); + } else { + pages =3D vma->vm_private_data; + kioreq->ioreq =3D (struct ioreq *)(page_to_virt(pages[0])); + } + ports =3D memdup_array_user(u64_to_user_ptr(ioeventfd->ports), kioreq->vcpus, sizeof(*ports)); if (IS_ERR(ports)) { --=20 2.51.0
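Review bot: in the privcmd_ioctl_mmap_resource hunk, `vma->vm_pgoff = pfns[0];` repurposes a core-mm field (the mmap file offset, an unsigned long) to carry an xen_pfn_t frame number, with nothing on the vma marking that it now means something else and with a silent truncation wherever xen_pfn_t is wider than unsigned long; the existing BUILD_BUG_ON only guards the errs/pfns aliasing, not this store. A privcmd-owned place for the value would be cleaner; failing that, the comment should say why the assignment has to sit before the xen_remap_domain_mfn_array call (`errs` aliases `pfns`, so the call overwrites the array) rather than only what the value is for, and should note that only the first frame is recorded, which suffices for the single ioreq page but not for any multi-page consumer.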
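Review bot: in the alloc_ioreq hunk the reads of `vma->vm_private_data` and `vma->vm_pgoff` now happen after `mmap_write_unlock(mm);`, whereas the removed `pages = vma->vm_private_data;` ran while the lock was still held; once the mmap lock is dropped nothing prevents the range from being unmapped underneath this code, so the new block should execute before the unlock (or the unlock should move below it). Two further points on the same block: the kernel address is chosen as `pfn_to_kaddr(pfn)`, the linear-map slot for frame number `pfn`, but `pfn` is the frame saved from the resource acquisition and need not index this domain's own pseudo-physical memory, so if the value falls inside the direct-mapped range the remap replaces the kernel's existing mapping of its own page at that slot; a dedicated kernel virtual range for the ioreq page would avoid that. And the mapping installed into init_mm is never torn down, neither on the later error path (`if (IS_ERR(ports))`) nor anywhere else in this patch, while the per-frame result in `err` is passed to the call but never inspected.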