xen/57b7447b-dont-permit-guest-to-populate-PoD-pages-for-itself.patch

# Commit 2a99aa99fc84a45f505f84802af56b006d14c52e
# Date 2016-08-19 18:40:11 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
xen/physmap: Do not permit a guest to populate PoD pages for itself

PoD is supposed to be entirely transparent to guest, but this interface has
been left exposed for a long time.

The use of PoD requires careful co-ordination by the toolstack with the
XENMEM_{get,set}_pod_target hypercalls, and xenstore ballooning target.  The
best a guest can do without toolstack cooperation crash.

Furthermore, there are combinations of features (e.g. c/s c63868ff "libxl:
disallow PCI device assignment for HVM guest when PoD is enabled") which a
toolstack might wish to explicitly prohibit (in this case, because the two
simply don't function in combination).  In such cases, the guest mustn't be
able to subvert the configuration chosen by the toolstack.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -140,14 +140,14 @@ static void populate_physmap(struct memo
     struct page_info *page;
     unsigned int i, j;
     xen_pfn_t gpfn, mfn;
-    struct domain *d = a->domain;
+    struct domain *d = a->domain, *curr_d = current->domain;
 
     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
                                      a->nr_extents-1) )
         return;
 
     if ( a->extent_order > (a->memflags & MEMF_populate_on_demand ? MAX_ORDER :
-                            max_order(current->domain)) )
+                            max_order(curr_d)) )
         return;
 
     for ( i = a->nr_done; i < a->nr_extents; i++ )
@@ -163,6 +163,10 @@ static void populate_physmap(struct memo
 
         if ( a->memflags & MEMF_populate_on_demand )
         {
+            /* Disallow populating PoD pages on oneself. */
+            if ( d == curr_d )
+                goto out;
+
             if ( guest_physmap_mark_populate_on_demand(d, gpfn,
                                                        a->extent_order) < 0 )
                 goto out;
- bsc#992224 - [HPS Bug] During boot of Xen Hypervisor, Failed to get contiguous memory for DMA from Xen 57ac6316-don-t-restrict-DMA-heap-to-node-0.patch - bsc#978755 - xen uefi systems fail to boot - bsc#983697 - SLES12 SP2 Xen UEFI mode cannot boot 57b71fc5-x86-EFI-don-t-apply-relocations-to-l-2-3-_bootmap.patch - Upstream patch from Jan 57b7447b-dont-permit-guest-to-populate-PoD-pages-for-itself.patch - spec: to stay compatible with the in-tree qemu-xen binary, use /usr/bin/qemu-system-i386 instead of /usr/bin/qemu-system-x86_64 bsc#986164 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=447 2016-08-23 18:38:35 +02:00			`# Commit 2a99aa99fc84a45f505f84802af56b006d14c52e`
			`# Date 2016-08-19 18:40:11 +0100`
			`# Author Andrew Cooper <andrew.cooper3@citrix.com>`
			`# Committer Andrew Cooper <andrew.cooper3@citrix.com>`
			`xen/physmap: Do not permit a guest to populate PoD pages for itself`

			`PoD is supposed to be entirely transparent to guest, but this interface has`
			`been left exposed for a long time.`

			`The use of PoD requires careful co-ordination by the toolstack with the`
			`XENMEM_{get,set}_pod_target hypercalls, and xenstore ballooning target. The`
			`best a guest can do without toolstack cooperation crash.`

			`Furthermore, there are combinations of features (e.g. c/s c63868ff "libxl:`
			`disallow PCI device assignment for HVM guest when PoD is enabled") which a`
			`toolstack might wish to explicitly prohibit (in this case, because the two`
			`simply don't function in combination). In such cases, the guest mustn't be`
			`able to subvert the configuration chosen by the toolstack.`

			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/common/memory.c`
			`+++ b/xen/common/memory.c`
			`@@ -140,14 +140,14 @@ static void populate_physmap(struct memo`
			`struct page_info *page;`
			`unsigned int i, j;`
			`xen_pfn_t gpfn, mfn;`
			`- struct domain *d = a->domain;`
			`+ struct domain d = a->domain, curr_d = current->domain;`

			`if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,`
			`a->nr_extents-1) )`
			`return;`

			`if ( a->extent_order > (a->memflags & MEMF_populate_on_demand ? MAX_ORDER :`
			`- max_order(current->domain)) )`
			`+ max_order(curr_d)) )`
			`return;`

			`for ( i = a->nr_done; i < a->nr_extents; i++ )`
			`@@ -163,6 +163,10 @@ static void populate_physmap(struct memo`

			`if ( a->memflags & MEMF_populate_on_demand )`
			`{`
			`+ /* Disallow populating PoD pages on oneself. */`
			`+ if ( d == curr_d )`
			`+ goto out;`
			`+`
			`if ( guest_physmap_mark_populate_on_demand(d, gpfn,`
			`a->extent_order) < 0 )`
			`goto out;`