xen/gntdev: mark userspace PTEs as special on x86 PV guests

In an x86 PV guest, get_user_pages_fast() on a userspace address range containing foreign mappings does not work correctly because the M2P lookup of the MFN from a userspace PTE may return the wrong page. Force get_user_pages_fast() to fail on such addresses by marking the PTEs as special. If Xen has XENFEAT_gnttab_map_avail_bits (available since at least 4.0), we can do so efficiently in the grant map hypercall. Otherwise, it needs to be done afterwards. This is both inefficient and racy (the mapping is visible to the task before we fixup the PTEs), but will be fine for well-behaved applications that do not use the mapping until after the mmap() system call returns. Guests with XENFEAT_auto_translated_physmap (ARM and x86 HVM or PVH) do not need this since get_user_pages() has always worked correctly for them. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
author: David Vrabel <david.vrabel@citrix.com> 2014-12-18 09:56:54 -0500
committer: David Vrabel <david.vrabel@citrix.com> 2015-01-28 09:04:21 -0500
commit: 923b2919e2c318ee1c360a2119a14889fd0fcce4 (patch)
tree: 4d6ac4f7dd3e939c5a3d54a2527f746667307698
parent: c43cf3ea838541ea9f066f4f1aa7b197cba6276e (diff)
3 files changed, 47 insertions, 0 deletions
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index bccc54a80559..20c65771017d 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -244,6 +244,14 @@ static int find_grant_ptes(pte_t *pte, pgtable_t token,
        BUG_ON(pgnr >= map->count);
        pte_maddr = arbitrary_virt_to_machine(pte).maddr;
+        /*
+         * Set the PTE as special to force get_user_pages_fast() fall
+         * back to the slow path.  If this is not supported as part of
+         * the grant map, it will be done afterwards.
+         */
+        if (xen_feature(XENFEAT_gnttab_map_avail_bits))
+                flags |= (1 << _GNTMAP_guest_avail0);
        gnttab_set_map_op(&map->map_ops[pgnr], pte_maddr, flags,
                          map->grants[pgnr].ref,
                          map->grants[pgnr].domid);
@@ -252,6 +260,15 @@ static int find_grant_ptes(pte_t *pte, pgtable_t token,
        return 0;
 }
+#ifdef CONFIG_X86
+static int set_grant_ptes_as_special(pte_t *pte, pgtable_t token,
+                                     unsigned long addr, void *data)
+{
+        set_pte_at(current->mm, addr, pte, pte_mkspecial(*pte));
+        return 0;
+}
+#endif
 static int map_grant_pages(struct grant_map *map)
 {
        int i, err = 0;
@@ -840,6 +857,23 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
                        if (err)
                                goto out_put_map;
                }
+        } else {
+#ifdef CONFIG_X86
+                /*
+                 * If the PTEs were not made special by the grant map
+                 * hypercall, do so here.
+                 *
+                 * This is racy since the mapping is already visible
+                 * to userspace but userspace should be well-behaved
+                 * enough to not touch it until the mmap() call
+                 * returns.
+                 */
+                if (!xen_feature(XENFEAT_gnttab_map_avail_bits)) {
+                        apply_to_page_range(vma->vm_mm, vma->vm_start,
+                                            vma->vm_end - vma->vm_start,
+                                            set_grant_ptes_as_special, NULL);
+                }
+#endif
        }
        return 0;
diff --git a/include/xen/interface/features.h b/include/xen/interface/features.h
index 131a6ccdba25..6ad3d110bb81 100644
--- a/include/xen/interface/features.h
+++ b/include/xen/interface/features.h
@@ -41,6 +41,12 @@
 /* x86: Does this Xen host support the MMU_PT_UPDATE_PRESERVE_AD hypercall? */
 #define XENFEAT_mmu_pt_update_preserve_ad  5
+/*
+ * If set, GNTTABOP_map_grant_ref honors flags to be placed into guest kernel
+ * available pte bits.
+ */
+#define XENFEAT_gnttab_map_avail_bits      7
 /* x86: Does this Xen host support the HVM callback vector type? */
 #define XENFEAT_hvm_callback_vector        8
diff --git a/include/xen/interface/grant_table.h b/include/xen/interface/grant_table.h
index bcce56439d64..56806bc90c2f 100644
--- a/include/xen/interface/grant_table.h
+++ b/include/xen/interface/grant_table.h
@@ -526,6 +526,13 @@ DEFINE_GUEST_HANDLE_STRUCT(gnttab_cache_flush);
 #define GNTMAP_contains_pte     (1<<_GNTMAP_contains_pte)
 /*
+ * Bits to be placed in guest kernel available PTE bits (architecture
+ * dependent; only supported when XENFEAT_gnttab_map_avail_bits is set).
+ */
+#define _GNTMAP_guest_avail0    (16)
+#define GNTMAP_guest_avail_mask ((uint32_t)~0 << _GNTMAP_guest_avail0)
+/*
 * Values for error status returns. All errors are -ve.
 */
 #define GNTST_okay             (0)  /* Normal return.                        */
author	David Vrabel <david.vrabel@citrix.com>	2014-12-18 09:56:54 -0500
committer	David Vrabel <david.vrabel@citrix.com>	2015-01-28 09:04:21 -0500
commit	923b2919e2c318ee1c360a2119a14889fd0fcce4 (patch)
tree	4d6ac4f7dd3e939c5a3d54a2527f746667307698
parent	c43cf3ea838541ea9f066f4f1aa7b197cba6276e (diff)

diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index bccc54a80559..20c65771017d 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c
@@ -244,6 +244,14 @@ static int find_grant_ptes(pte_t *pte, pgtable_t token,
244	BUG_ON(pgnr >= map->count);	244	BUG_ON(pgnr >= map->count);
245	pte_maddr = arbitrary_virt_to_machine(pte).maddr;	245	pte_maddr = arbitrary_virt_to_machine(pte).maddr;
246		246
		247	/*
		248	* Set the PTE as special to force get_user_pages_fast() fall
		249	* back to the slow path. If this is not supported as part of
		250	* the grant map, it will be done afterwards.
		251	*/
		252	if (xen_feature(XENFEAT_gnttab_map_avail_bits))
		253	flags \|= (1 << _GNTMAP_guest_avail0);
		254
247	gnttab_set_map_op(&map->map_ops[pgnr], pte_maddr, flags,	255	gnttab_set_map_op(&map->map_ops[pgnr], pte_maddr, flags,
248	map->grants[pgnr].ref,	256	map->grants[pgnr].ref,
249	map->grants[pgnr].domid);	257	map->grants[pgnr].domid);
@@ -252,6 +260,15 @@ static int find_grant_ptes(pte_t *pte, pgtable_t token,
252	return 0;	260	return 0;
253	}	261	}
254		262
		263	#ifdef CONFIG_X86
		264	static int set_grant_ptes_as_special(pte_t *pte, pgtable_t token,
		265	unsigned long addr, void *data)
		266	{
		267	set_pte_at(current->mm, addr, pte, pte_mkspecial(*pte));
		268	return 0;
		269	}
		270	#endif
		271
255	static int map_grant_pages(struct grant_map *map)	272	static int map_grant_pages(struct grant_map *map)
256	{	273	{
257	int i, err = 0;	274	int i, err = 0;
@@ -840,6 +857,23 @@ static int gntdev_mmap(struct file flip, struct vm_area_struct vma)
840	if (err)	857	if (err)
841	goto out_put_map;	858	goto out_put_map;
842	}	859	}
		860	} else {
		861	#ifdef CONFIG_X86
		862	/*
		863	* If the PTEs were not made special by the grant map
		864	* hypercall, do so here.
		865	*
		866	* This is racy since the mapping is already visible
		867	* to userspace but userspace should be well-behaved
		868	* enough to not touch it until the mmap() call
		869	* returns.
		870	*/
		871	if (!xen_feature(XENFEAT_gnttab_map_avail_bits)) {
		872	apply_to_page_range(vma->vm_mm, vma->vm_start,
		873	vma->vm_end - vma->vm_start,
		874	set_grant_ptes_as_special, NULL);
		875	}
		876	#endif
843	}	877	}
844		878
845	return 0;	879	return 0;


diff --git a/include/xen/interface/features.h b/include/xen/interface/features.h index 131a6ccdba25..6ad3d110bb81 100644 --- a/include/xen/interface/features.h +++ b/include/xen/interface/features.h
@@ -41,6 +41,12 @@
41	/* x86: Does this Xen host support the MMU_PT_UPDATE_PRESERVE_AD hypercall? */	41	/* x86: Does this Xen host support the MMU_PT_UPDATE_PRESERVE_AD hypercall? */
42	#define XENFEAT_mmu_pt_update_preserve_ad 5	42	#define XENFEAT_mmu_pt_update_preserve_ad 5
43		43
		44	/*
		45	* If set, GNTTABOP_map_grant_ref honors flags to be placed into guest kernel
		46	* available pte bits.
		47	*/
		48	#define XENFEAT_gnttab_map_avail_bits 7
		49
44	/* x86: Does this Xen host support the HVM callback vector type? */	50	/* x86: Does this Xen host support the HVM callback vector type? */
45	#define XENFEAT_hvm_callback_vector 8	51	#define XENFEAT_hvm_callback_vector 8
46		52


diff --git a/include/xen/interface/grant_table.h b/include/xen/interface/grant_table.h index bcce56439d64..56806bc90c2f 100644 --- a/include/xen/interface/grant_table.h +++ b/include/xen/interface/grant_table.h
@@ -526,6 +526,13 @@ DEFINE_GUEST_HANDLE_STRUCT(gnttab_cache_flush);
526	#define GNTMAP_contains_pte (1<<_GNTMAP_contains_pte)	526	#define GNTMAP_contains_pte (1<<_GNTMAP_contains_pte)
527		527
528	/*	528	/*
		529	* Bits to be placed in guest kernel available PTE bits (architecture
		530	* dependent; only supported when XENFEAT_gnttab_map_avail_bits is set).
		531	*/
		532	#define _GNTMAP_guest_avail0 (16)
		533	#define GNTMAP_guest_avail_mask ((uint32_t)~0 << _GNTMAP_guest_avail0)
		534
		535	/*
529	* Values for error status returns. All errors are -ve.	536	* Values for error status returns. All errors are -ve.
530	*/	537	*/
531	#define GNTST_okay (0) /* Normal return. */	538	#define GNTST_okay (0) /* Normal return. */