| Message ID | 20190614175144.20046-4-julien.grall@arm.com |
|---|---|
| State | New |
| Headers | show |
| Series | xen/arm: Provide a generic function to update Xen PT | expand |
On Fri, 14 Jun 2019, Julien Grall wrote: > The code handling Xen PT update has quite a few restrictions on what it > can do. This is not a bad thing as it keeps the code simple. > > There are already a few checks scattered in current page table handling. > However they are not sufficient as they could still allow to > modify/remove entry with contiguous bit set. > > The checks are divided in two sets: > - per entry check: They are gathered in a new function that will > check whether an update is valid based on the flags passed and the > current value of an entry. > - global check: They are sanity check on xen_pt_update() parameters. > > Additionally to contiguous check, we also now check that the caller is > not trying to modify the memory attributes of an entry. > > Lastly, it was probably a bit over the top to forbid removing an > invalid mapping. This could just be ignored. The new behavior will be > helpful in future changes. > > Signed-off-by: Julien Grall <julien.grall@arm.com> > Reviewed-by: Andrii Anisov <andrii_anisov@epam.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> > --- > Changes in v3: > - Only allow modification on valid entry > > Changes in v2: > - Correctly detect the removal of a page > - Fix ASSERT on flags in the else case > - Add Andrii's reviewed-by > --- > xen/arch/arm/mm.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++-------- > 1 file changed, 104 insertions(+), 18 deletions(-) > > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > index b13d9adf40..dcf041578b 100644 > --- a/xen/arch/arm/mm.c > +++ b/xen/arch/arm/mm.c > @@ -50,6 +50,19 @@ > #undef mfn_to_virt > #define mfn_to_virt(mfn) __mfn_to_virt(mfn_x(mfn)) > > +#ifdef NDEBUG > +static inline void > +__attribute__ ((__format__ (__printf__, 1, 2))) > +mm_printk(const char *fmt, ...) {} > +#else > +#define mm_printk(fmt, args...) \ > + do \ > + { \ > + dprintk(XENLOG_ERR, fmt, ## args); \ > + WARN(); \ > + } while (0); > +#endif > + > #define DEFINE_PAGE_TABLES(name, nr) \ > lpae_t __aligned(PAGE_SIZE) name[LPAE_ENTRIES * (nr)] > > @@ -941,12 +954,81 @@ enum xenmap_operation { > RESERVE > }; > > +/* Sanity check of the entry */ > +static bool xen_pt_check_entry(lpae_t entry, mfn_t mfn, unsigned int flags) > +{ > + /* Sanity check when modifying a page. */ > + if ( (flags & _PAGE_PRESENT) && mfn_eq(mfn, INVALID_MFN) ) > + { > + /* We don't allow modifying an invalid entry. */ > + if ( !lpae_is_valid(entry) ) > + { > + mm_printk("Modifying invalid entry is not allowed.\n"); > + return false; > + } > + > + /* We don't allow changing memory attributes. */ > + if ( entry.pt.ai != PAGE_AI_MASK(flags) ) > + { > + mm_printk("Modifying memory attributes is not allowed (0x%x -> 0x%x).\n", > + entry.pt.ai, PAGE_AI_MASK(flags)); > + return false; > + } > + > + /* We don't allow modifying entry with contiguous bit set. */ > + if ( entry.pt.contig ) > + { > + mm_printk("Modifying entry with contiguous bit set is not allowed.\n"); > + return false; > + } > + } > + /* Sanity check when inserting a page */ > + else if ( flags & _PAGE_PRESENT ) > + { > + /* We should be here with a valid MFN. */ > + ASSERT(!mfn_eq(mfn, INVALID_MFN)); > + > + /* We don't allow replacing any valid entry. */ > + if ( lpae_is_valid(entry) ) > + { > + mm_printk("Changing MFN for a valid entry is not allowed (%#"PRI_mfn" -> %#"PRI_mfn").\n", > + mfn_x(lpae_get_mfn(entry)), mfn_x(mfn)); > + return false; > + } > + } > + /* Sanity check when removing a page. */ > + else if ( (flags & (_PAGE_PRESENT|_PAGE_POPULATE)) == 0 ) > + { > + /* We should be here with an invalid MFN. */ > + ASSERT(mfn_eq(mfn, INVALID_MFN)); > + > + /* We don't allow removing page with contiguous bit set. */ > + if ( entry.pt.contig ) > + { > + mm_printk("Removing entry with contiguous bit set is not allowed.\n"); > + return false; > + } > + } > + /* Sanity check when populating the page-table. No check so far. */ > + else > + { > + ASSERT(flags & _PAGE_POPULATE); > + /* We should be here with an invalid MFN */ > + ASSERT(mfn_eq(mfn, INVALID_MFN)); > + } > + > + return true; > +} > + > static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, > mfn_t mfn, unsigned int flags) > { > lpae_t pte, *entry; > lpae_t *third = NULL; > > + /* _PAGE_POPULATE and _PAGE_PRESENT should never be set together. */ > + ASSERT((flags & (_PAGE_POPULATE|_PAGE_PRESENT)) != (_PAGE_POPULATE|_PAGE_PRESENT)); > + > entry = &xen_second[second_linear_offset(addr)]; > if ( !lpae_is_valid(*entry) || !lpae_is_table(*entry, 2) ) > { > @@ -962,15 +1044,12 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, > third = mfn_to_virt(lpae_get_mfn(*entry)); > entry = &third[third_table_offset(addr)]; > > + if ( !xen_pt_check_entry(*entry, mfn, flags) ) > + return -EINVAL; > + > switch ( op ) { > case INSERT: > case RESERVE: > - if ( lpae_is_valid(*entry) ) > - { > - printk("%s: trying to replace an existing mapping addr=%lx mfn=%"PRI_mfn"\n", > - __func__, addr, mfn_x(mfn)); > - return -EINVAL; > - } > if ( op == RESERVE ) > break; > pte = mfn_to_xen_entry(mfn, PAGE_AI_MASK(flags)); > @@ -982,12 +1061,6 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, > break; > case MODIFY: > case REMOVE: > - if ( !lpae_is_valid(*entry) ) > - { > - printk("%s: trying to %s a non-existing mapping addr=%lx\n", > - __func__, op == REMOVE ? "remove" : "modify", addr); > - return -EINVAL; > - } > if ( op == REMOVE ) > pte.bits = 0; > else > @@ -995,12 +1068,6 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, > pte = *entry; > pte.pt.ro = PAGE_RO_MASK(flags); > pte.pt.xn = PAGE_XN_MASK(flags); > - if ( !pte.pt.ro && !pte.pt.xn ) > - { > - printk("%s: Incorrect combination for addr=%lx\n", > - __func__, addr); > - return -EINVAL; > - } > } > write_pte(entry, pte); > break; > @@ -1022,6 +1089,25 @@ static int xen_pt_update(enum xenmap_operation op, > int rc = 0; > unsigned long addr = virt, addr_end = addr + nr_mfns * PAGE_SIZE; > > + /* > + * The hardware was configured to forbid mapping both writeable and > + * executable. > + * When modifying/creating mapping (i.e _PAGE_PRESENT is set), > + * prevent any update if this happen. > + */ > + if ( (flags & _PAGE_PRESENT) && !PAGE_RO_MASK(flags) && > + !PAGE_XN_MASK(flags) ) > + { > + mm_printk("Mappings should not be both Writeable and Executable.\n"); > + return -EINVAL; > + } > + > + if ( !IS_ALIGNED(virt, PAGE_SIZE) ) > + { > + mm_printk("The virtual address is not aligned to the page-size.\n"); > + return -EINVAL; > + } > + > spin_lock(&xen_pt_lock); > > for( ; addr < addr_end; addr += PAGE_SIZE ) > -- > 2.11.0 >
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c index b13d9adf40..dcf041578b 100644 --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -50,6 +50,19 @@ #undef mfn_to_virt #define mfn_to_virt(mfn) __mfn_to_virt(mfn_x(mfn)) +#ifdef NDEBUG +static inline void +__attribute__ ((__format__ (__printf__, 1, 2))) +mm_printk(const char *fmt, ...) {} +#else +#define mm_printk(fmt, args...) \ + do \ + { \ + dprintk(XENLOG_ERR, fmt, ## args); \ + WARN(); \ + } while (0); +#endif + #define DEFINE_PAGE_TABLES(name, nr) \ lpae_t __aligned(PAGE_SIZE) name[LPAE_ENTRIES * (nr)] @@ -941,12 +954,81 @@ enum xenmap_operation { RESERVE }; +/* Sanity check of the entry */ +static bool xen_pt_check_entry(lpae_t entry, mfn_t mfn, unsigned int flags) +{ + /* Sanity check when modifying a page. */ + if ( (flags & _PAGE_PRESENT) && mfn_eq(mfn, INVALID_MFN) ) + { + /* We don't allow modifying an invalid entry. */ + if ( !lpae_is_valid(entry) ) + { + mm_printk("Modifying invalid entry is not allowed.\n"); + return false; + } + + /* We don't allow changing memory attributes. */ + if ( entry.pt.ai != PAGE_AI_MASK(flags) ) + { + mm_printk("Modifying memory attributes is not allowed (0x%x -> 0x%x).\n", + entry.pt.ai, PAGE_AI_MASK(flags)); + return false; + } + + /* We don't allow modifying entry with contiguous bit set. */ + if ( entry.pt.contig ) + { + mm_printk("Modifying entry with contiguous bit set is not allowed.\n"); + return false; + } + } + /* Sanity check when inserting a page */ + else if ( flags & _PAGE_PRESENT ) + { + /* We should be here with a valid MFN. */ + ASSERT(!mfn_eq(mfn, INVALID_MFN)); + + /* We don't allow replacing any valid entry. */ + if ( lpae_is_valid(entry) ) + { + mm_printk("Changing MFN for a valid entry is not allowed (%#"PRI_mfn" -> %#"PRI_mfn").\n", + mfn_x(lpae_get_mfn(entry)), mfn_x(mfn)); + return false; + } + } + /* Sanity check when removing a page. */ + else if ( (flags & (_PAGE_PRESENT|_PAGE_POPULATE)) == 0 ) + { + /* We should be here with an invalid MFN. */ + ASSERT(mfn_eq(mfn, INVALID_MFN)); + + /* We don't allow removing page with contiguous bit set. */ + if ( entry.pt.contig ) + { + mm_printk("Removing entry with contiguous bit set is not allowed.\n"); + return false; + } + } + /* Sanity check when populating the page-table. No check so far. */ + else + { + ASSERT(flags & _PAGE_POPULATE); + /* We should be here with an invalid MFN */ + ASSERT(mfn_eq(mfn, INVALID_MFN)); + } + + return true; +} + static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, mfn_t mfn, unsigned int flags) { lpae_t pte, *entry; lpae_t *third = NULL; + /* _PAGE_POPULATE and _PAGE_PRESENT should never be set together. */ + ASSERT((flags & (_PAGE_POPULATE|_PAGE_PRESENT)) != (_PAGE_POPULATE|_PAGE_PRESENT)); + entry = &xen_second[second_linear_offset(addr)]; if ( !lpae_is_valid(*entry) || !lpae_is_table(*entry, 2) ) { @@ -962,15 +1044,12 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, third = mfn_to_virt(lpae_get_mfn(*entry)); entry = &third[third_table_offset(addr)]; + if ( !xen_pt_check_entry(*entry, mfn, flags) ) + return -EINVAL; + switch ( op ) { case INSERT: case RESERVE: - if ( lpae_is_valid(*entry) ) - { - printk("%s: trying to replace an existing mapping addr=%lx mfn=%"PRI_mfn"\n", - __func__, addr, mfn_x(mfn)); - return -EINVAL; - } if ( op == RESERVE ) break; pte = mfn_to_xen_entry(mfn, PAGE_AI_MASK(flags)); @@ -982,12 +1061,6 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, break; case MODIFY: case REMOVE: - if ( !lpae_is_valid(*entry) ) - { - printk("%s: trying to %s a non-existing mapping addr=%lx\n", - __func__, op == REMOVE ? "remove" : "modify", addr); - return -EINVAL; - } if ( op == REMOVE ) pte.bits = 0; else @@ -995,12 +1068,6 @@ static int xen_pt_update_entry(enum xenmap_operation op, unsigned long addr, pte = *entry; pte.pt.ro = PAGE_RO_MASK(flags); pte.pt.xn = PAGE_XN_MASK(flags); - if ( !pte.pt.ro && !pte.pt.xn ) - { - printk("%s: Incorrect combination for addr=%lx\n", - __func__, addr); - return -EINVAL; - } } write_pte(entry, pte); break; @@ -1022,6 +1089,25 @@ static int xen_pt_update(enum xenmap_operation op, int rc = 0; unsigned long addr = virt, addr_end = addr + nr_mfns * PAGE_SIZE; + /* + * The hardware was configured to forbid mapping both writeable and + * executable. + * When modifying/creating mapping (i.e _PAGE_PRESENT is set), + * prevent any update if this happen. + */ + if ( (flags & _PAGE_PRESENT) && !PAGE_RO_MASK(flags) && + !PAGE_XN_MASK(flags) ) + { + mm_printk("Mappings should not be both Writeable and Executable.\n"); + return -EINVAL; + } + + if ( !IS_ALIGNED(virt, PAGE_SIZE) ) + { + mm_printk("The virtual address is not aligned to the page-size.\n"); + return -EINVAL; + } + spin_lock(&xen_pt_lock); for( ; addr < addr_end; addr += PAGE_SIZE )
The code handling Xen PT update has quite a few restrictions on what it can do. This is not a bad thing as it keeps the code simple. There are already a few checks scattered in current page table handling. However they are not sufficient as they could still allow to modify/remove entry with contiguous bit set. The checks are divided in two sets: - per entry check: They are gathered in a new function that will check whether an update is valid based on the flags passed and the current value of an entry. - global check: They are sanity check on xen_pt_update() parameters. Additionally to contiguous check, we also now check that the caller is not trying to modify the memory attributes of an entry. Lastly, it was probably a bit over the top to forbid removing an invalid mapping. This could just be ignored. The new behavior will be helpful in future changes. Signed-off-by: Julien Grall <julien.grall@arm.com> Reviewed-by: Andrii Anisov <andrii_anisov@epam.com> --- Changes in v3: - Only allow modification on valid entry Changes in v2: - Correctly detect the removal of a page - Fix ASSERT on flags in the else case - Add Andrii's reviewed-by --- xen/arch/arm/mm.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 104 insertions(+), 18 deletions(-)