File 24327-After_preparing_a_page_for_page-in_allow_immediate_fill-in_of_the_page_contents.patch of Package xen
changeset: 24327:8529bca7a3f0 parent: 24322:6bac46816504 user: Andres Lagar-Cavilla <andres@lagarcavilla.org> date: Thu Dec 01 18:14:24 2011 +0000 files: xen/arch/x86/mm/mem_event.c xen/arch/x86/mm/mem_paging.c xen/arch/x86/mm/p2m.c xen/include/asm-x86/p2m.h xen/include/public/domctl.h description: After preparing a page for page-in, allow immediate fill-in of the page contents p2m_mem_paging_prep ensures that an mfn is backing the paged-out gfn, and transitions to the next state in the paging state machine for that page. Foreign mappings of the gfn will now succeed. This is the key idea, as it allows the pager to now map the gfn and fill in its contents. Unfortunately, it also allows any other foreign mapper to map the gfn and read its contents. This is particularly dangerous when the populate is launched by a foreign mapper in the first place, which will be actively retrying the map operation and might race with the pager. Qemu-dm being a prime example. Fix the race by allowing a buffer to be optionally passed in the prep operation, and having the hypervisor memcpy from that buffer into the newly prepped page before promoting the gfn type. Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org> Acked-by: Tim Deegan <tim@xen.org> Committed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm/mem_event.c | 2 +- xen/arch/x86/mm/mem_paging.c | 2 +- xen/arch/x86/mm/p2m.c | 32 ++++++++++++++++++++++++++++++-- xen/include/asm-x86/p2m.h | 2 +- xen/include/public/domctl.h | 8 ++++++-- 5 files changed, 39 insertions(+), 7 deletions(-)
--- a/xen/arch/x86/mm/mem_event.c
+++ b/xen/arch/x86/mm/mem_event.c
@@ -45,7 +45,7 @@ static int mem_event_enable(struct domai
     struct domain *dom_mem_event = current->domain;
     struct vcpu *v = current;
     unsigned long ring_addr = mec->ring_addr;
-    unsigned long shared_addr = mec->shared_addr;
+    unsigned long shared_addr = mec->u.shared_addr;
     l1_pgentry_t l1e;
     unsigned long gfn;
     p2m_type_t p2mt;
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -50,7 +50,7 @@ int mem_paging_domctl(struct domain *d,
     case XEN_DOMCTL_MEM_EVENT_OP_PAGING_PREP:
     {
         unsigned long gfn = mec->gfn;
-        rc = p2m_mem_paging_prep(p2m, gfn);
+        rc = p2m_mem_paging_prep(p2m, gfn, mec->u.buffer);
     }
     break;
 
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -3093,13 +3093,20 @@ void p2m_mem_paging_populate(struct p2m_
  * mfn if populate was called for gfn which was nominated but not evicted. In
  * this case only the p2mt needs to be forwarded.
  */
-int p2m_mem_paging_prep(struct p2m_domain *p2m, unsigned long gfn)
+int p2m_mem_paging_prep(struct p2m_domain *p2m, unsigned long gfn, uint64_t buffer)
 {
     struct page_info *page;
     p2m_type_t p2mt;
     p2m_access_t a;
     mfn_t mfn;
-    int ret;
+    int ret, page_extant = 1;
+    const void *user_ptr = (const void *) buffer;
+
+    if ( user_ptr )
+        /* Sanity check the buffer and bail out early if trouble */
+        if ( (buffer & (PAGE_SIZE - 1)) ||
+             (!access_ok(user_ptr, PAGE_SIZE)) )
+            return -EINVAL;
 
     p2m_lock(p2m);
 
@@ -3119,6 +3126,28 @@ int p2m_mem_paging_prep(struct p2m_domai
         if ( unlikely(page == NULL) )
             goto out;
         mfn = page_to_mfn(page);
+        page_extant = 0;
+    }
+
+    /* If we were given a buffer, now is the time to use it */
+    if ( !page_extant && user_ptr )
+    {
+        void *guest_map;
+        int rc;
+
+        ASSERT( mfn_valid(mfn) );
+        guest_map = map_domain_page(mfn_x(mfn));
+        rc = copy_from_user(guest_map, user_ptr, PAGE_SIZE);
+        unmap_domain_page(guest_map);
+        if ( rc )
+        {
+            gdprintk(XENLOG_ERR, "Failed to load paging-in gfn %lx domain %u "
+                                 "bytes left %d\n",
+                     gfn, p2m->domain->domain_id, rc);
+            ret = -EFAULT;
+            put_page(page); /* Don't leak pages */
+            goto out;
+        }
     }
 
     /* Fix p2m mapping */
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
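Review bot: `const void *user_ptr = (const void *) buffer;` narrows the 64-bit domctl value to pointer width, so on a 32-bit hypervisor build a `buffer` with bits set above the pointer size passes the alignment test (which runs on the full value) and `access_ok()` (which runs on the truncated pointer) and the copy later reads from the wrong address; rejecting such values up front keeps both checks on the same address: `if ( buffer != (uint64_t)(unsigned long)user_ptr ) return -EINVAL;`. The brace-less `if ( user_ptr )` wrapping a second `if` is also a dangling-else trap for the next edit; a single combined condition, `if ( user_ptr && ((buffer & (PAGE_SIZE - 1)) || !access_ok(user_ptr, PAGE_SIZE)) ) return -EINVAL;`, reads more safely. The rest of p2m_mem_paging_prep continues outside this hunk.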
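Review bot: On the `copy_from_user()` failure path the freshly allocated page already holds up to `PAGE_SIZE - rc` bytes of the pager's page-in data when `put_page(page)` returns it to the allocator, and as far as I recall Xen only scrubs pages freed on behalf of a dying domain, so a later allocation by an unrelated domain could observe that partial content; clearing it while the mapping is still live closes the gap: `if ( rc ) clear_page(guest_map);` inserted before `unmap_domain_page(guest_map);`. Whether `put_page()` matches how the page was obtained, and what paging state the p2m entry is left in after `goto out`, cannot be judged from here because the allocation site and the `out:` label sit outside the hunk. p2m_mem_paging_prep begins and ends outside this hunk.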
@@ -524,7 +524,7 @@ void p2m_mem_paging_drop_page(struct p2m
 /* Start populating a paged out frame */
 void p2m_mem_paging_populate(struct p2m_domain *p2m, unsigned long gfn);
 /* Prepare the p2m for paging a frame in */
-int p2m_mem_paging_prep(struct p2m_domain *p2m, unsigned long gfn);
+int p2m_mem_paging_prep(struct p2m_domain *p2m, unsigned long gfn, uint64_t buffer);
 /* Resume normal operation (in case a domain was paused) */
 void p2m_mem_paging_resume(struct p2m_domain *p2m);
 #else
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -741,8 +741,12 @@ struct xen_domctl_mem_event_op {
     uint32_t op; /* XEN_DOMCTL_MEM_EVENT_OP_*_* */
     uint32_t mode; /* XEN_DOMCTL_MEM_EVENT_OP_* */
 
-    /* OP_ENABLE */
-    uint64_aligned_t shared_addr; /* IN: Virtual address of shared page */
+    union {
+        /* OP_ENABLE IN: Virtual address of shared page */
+        uint64_aligned_t shared_addr;
+        /* PAGING_PREP IN: buffer to immediately fill page in */
+        uint64_aligned_t buffer;
+    } u;
     uint64_aligned_t ring_addr; /* IN: Virtual address of ring page */
 
     /* Other OPs */
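Review bot: The new `buffer` parameter of `p2m_mem_paging_prep` carries contracts that the declaration does not state and that a caller can only learn by reading the p2m.c body: it is optional (0 means no fill-in), it must be a page-aligned address readable for PAGE_SIZE bytes in the caller's own address space (otherwise -EINVAL), a failed copy yields -EFAULT, and it is silently ignored when the gfn's page is still extant. Suggest replacing `/* Prepare the p2m for paging a frame in */` with a comment of that shape, for example `/* Prepare the p2m for paging a frame in. If buffer != 0 it is a page-aligned, PAGE_SIZE-byte caller virtual address copied into the freshly allocated page (ignored when the page still exists); -EINVAL/-EFAULT on a bad buffer. */`.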
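Review bot: `/* PAGING_PREP IN: buffer to immediately fill page in */` is the only description of this public ABI field that tool authors will see, and it omits what the hypervisor enforces: the address must be page-aligned, PAGE_SIZE bytes must be readable in the caller's address space, and 0 means no buffer; suggest `/* PAGING_PREP IN: page-aligned virtual address of PAGE_SIZE bytes to copy into the page, or 0 for none */`. Folding `shared_addr` into a union of two `uint64_aligned_t` members appears to keep its offset and the struct size unchanged, so existing OP_ENABLE callers should stay binary-compatible; stating that explicitly in the commit message, or confirming that no interface-version bump is needed, would save the next reader the check.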