Xen devel - Dec 2011 - [PATCH 0 of 3] Resend: correctness race when paging-in

P2m_mem_paging_prep ensures that an mfn is backing the paged-out gfn, and
transitions to the next state in the paging state machine for this page. 
Foreign mappings of the gfn will now succeed. This is the key idea, as it 
allows the pager to now map the gfn and fill in its contents.

Unfortunately, it also allows any other foreign mapper to map the gfn and read
its contents. This is particularly dangerous when the populate is launched
by a foreign mapper in the first place, which will be actively retrying the
map operation and might race with the pager. Qemu-dm being a prime example.

Fix the race by allowing a buffer to be optionally passed in the prep
operation, and having the hypervisor memcpy from that buffer into the newly
prepped page before promoting the gfn type.

Second patch is a tools patch.

Resent after feedback: xenpaging patch attached, simplified with use of 
copy_from_guest. Left potntial short-cut to avoid pging_resume for further 
discussion.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
 xen/arch/x86/mm/mem_event.c  |   2 +-
 xen/arch/x86/mm/mem_paging.c |   2 +-
 xen/arch/x86/mm/p2m.c        |  32 ++++++++++++++++++++++++++++++--
 xen/include/asm-x86/p2m.h    |   2 +-
 xen/include/public/domctl.h  |   8 ++++++--
 tools/libxc/xc_mem_event.c   |   4 ++--
 tools/libxc/xc_mem_paging.c  |  23 +++++++++++++++++++++++
 tools/libxc/xenctrl.h        |   2 ++
 tools/xenpaging/xenpaging.c  |  43 +++++++++++++++++++++----------------------
 9 files changed, 87 insertions(+), 31 deletions(-)

xen/arch/x86/mm/mem_event.c  |   2 +-
 xen/arch/x86/mm/mem_paging.c |   2 +-
 xen/arch/x86/mm/p2m.c        |  32 ++++++++++++++++++++++++++++++--
 xen/include/asm-x86/p2m.h    |   2 +-
 xen/include/public/domctl.h  |   8 ++++++--
 5 files changed, 39 insertions(+), 7 deletions(-)


p2m_mem_paging_prep ensures that an mfn is backing the paged-out gfn, and
transitions to the next state in the paging state machine for that page.
Foreign mappings of the gfn will now succeed. This is the key idea, as
it allows the pager to now map the gfn and fill in its contents.

Unfortunately, it also allows any other foreign mapper to map the gfn and read
its contents. This is particularly dangerous when the populate is launched
by a foreign mapper in the first place, which will be actively retrying the
map operation and might race with the pager. Qemu-dm being a prime example.

Fix the race by allowing a buffer to be optionally passed in the prep
operation, and having the hypervisor memcpy from that buffer into the newly
prepped page before promoting the gfn type.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>

diff -r 2372d2bf76b5 -r 2981bd752d51 xen/arch/x86/mm/mem_event.c
--- a/xen/arch/x86/mm/mem_event.c
+++ b/xen/arch/x86/mm/mem_event.c
@@ -45,7 +45,7 @@ static int mem_event_enable(struct domai
     struct domain *dom_mem_event = current->domain;
     struct vcpu *v = current;
     unsigned long ring_addr = mec->ring_addr;
-    unsigned long shared_addr = mec->shared_addr;
+    unsigned long shared_addr = mec->u.shared_addr;
     l1_pgentry_t l1e;
     unsigned long shared_gfn = 0, ring_gfn = 0; /* gcc ... */
     p2m_type_t p2mt;
diff -r 2372d2bf76b5 -r 2981bd752d51 xen/arch/x86/mm/mem_paging.c
--- a/xen/arch/x86/mm/mem_paging.c
+++ b/xen/arch/x86/mm/mem_paging.c
@@ -47,7 +47,7 @@ int mem_paging_domctl(struct domain *d, 
     case XEN_DOMCTL_MEM_EVENT_OP_PAGING_PREP:
     {
         unsigned long gfn = mec->gfn;
-        return p2m_mem_paging_prep(d, gfn);
+        return p2m_mem_paging_prep(d, gfn, mec->u.buffer);
     }
     break;
 
diff -r 2372d2bf76b5 -r 2981bd752d51 xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -983,14 +983,21 @@ void p2m_mem_paging_populate(struct doma
  * mfn if populate was called for  gfn which was nominated but not evicted. In
  * this case only the p2mt needs to be forwarded.
  */
-int p2m_mem_paging_prep(struct domain *d, unsigned long gfn)
+int p2m_mem_paging_prep(struct domain *d, unsigned long gfn, uint64_t buffer)
 {
     struct page_info *page;
     p2m_type_t p2mt;
     p2m_access_t a;
     mfn_t mfn;
     struct p2m_domain *p2m = p2m_get_hostp2m(d);
-    int ret;
+    int ret, page_extant = 1;
+    const void *user_ptr = (const void *) buffer;
+
+    if ( user_ptr )
+        /* Sanity check the buffer and bail out early if trouble */
+        if ( (buffer & (PAGE_SIZE - 1)) || 
+             (!access_ok(user_ptr, PAGE_SIZE)) )
+            return -EINVAL;
 
     p2m_lock(p2m);
 
@@ -1010,6 +1017,27 @@ int p2m_mem_paging_prep(struct domain *d
         if ( unlikely(page == NULL) )
             goto out;
         mfn = page_to_mfn(page);
+        page_extant = 0;
+    }
+
+    /* If we were given a buffer, now is the time to use it */
+    if ( !page_extant && user_ptr )
+    {
+        void *guest_map;
+        int rc;
+
+        ASSERT( mfn_valid(mfn) );
+        guest_map = map_domain_page(mfn_x(mfn));
+        rc = copy_from_user(guest_map, user_ptr, PAGE_SIZE);
+        unmap_domain_page(guest_map);
+        if ( rc )
+        {
+            gdprintk(XENLOG_ERR, "Failed to load paging-in gfn %lx domain
%u "
+                                 "bytes left %d\n", gfn,
d->domain_id, rc);
+            ret = -EFAULT;
+            put_page(page); /* Don''t leak pages */
+            goto out;            
+        }
     }
 
     /* Fix p2m mapping */
diff -r 2372d2bf76b5 -r 2981bd752d51 xen/include/asm-x86/p2m.h
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -477,7 +477,7 @@ void p2m_mem_paging_drop_page(struct dom
 /* Start populating a paged out frame */
 void p2m_mem_paging_populate(struct domain *d, unsigned long gfn);
 /* Prepare the p2m for paging a frame in */
-int p2m_mem_paging_prep(struct domain *d, unsigned long gfn);
+int p2m_mem_paging_prep(struct domain *d, unsigned long gfn, uint64_t buffer);
 /* Resume normal operation (in case a domain was paused) */
 void p2m_mem_paging_resume(struct domain *d);
 #else
diff -r 2372d2bf76b5 -r 2981bd752d51 xen/include/public/domctl.h
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -742,8 +742,12 @@ struct xen_domctl_mem_event_op {
     uint32_t       op;           /* XEN_DOMCTL_MEM_EVENT_OP_*_* */
     uint32_t       mode;         /* XEN_DOMCTL_MEM_EVENT_OP_* */
 
-    /* OP_ENABLE */
-    uint64_aligned_t shared_addr;  /* IN:  Virtual address of shared page */
+    union {
+        /* OP_ENABLE IN:  Virtual address of shared page */
+        uint64_aligned_t shared_addr;  
+        /* PAGING_PREP IN: buffer to immediately fill page in */
+        uint64_aligned_t buffer;
+    } u;
     uint64_aligned_t ring_addr;    /* IN:  Virtual address of ring page */
 
     /* Other OPs */

tools/libxc/xc_mem_event.c  |   4 ++--
 tools/libxc/xc_mem_paging.c |  23 +++++++++++++++++++++++
 tools/libxc/xenctrl.h       |   2 ++
 3 files changed, 27 insertions(+), 2 deletions(-)


Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>

diff -r 2981bd752d51 -r e71f880c0518 tools/libxc/xc_mem_event.c
--- a/tools/libxc/xc_mem_event.c
+++ b/tools/libxc/xc_mem_event.c
@@ -24,7 +24,7 @@
 #include "xc_private.h"
 
 int xc_mem_event_control(xc_interface *xch, domid_t domain_id, unsigned int op,
-                         unsigned int mode, void *shared_page,
+                         unsigned int mode, void *page,
                          void *ring_page, unsigned long gfn)
 {
     DECLARE_DOMCTL;
@@ -34,7 +34,7 @@ int xc_mem_event_control(xc_interface *x
     domctl.u.mem_event_op.op = op;
     domctl.u.mem_event_op.mode = mode;
 
-    domctl.u.mem_event_op.shared_addr = (unsigned long)shared_page;
+    domctl.u.mem_event_op.u.shared_addr = (unsigned long)page;
     domctl.u.mem_event_op.ring_addr = (unsigned long)ring_page;
 
     domctl.u.mem_event_op.gfn = gfn;
diff -r 2981bd752d51 -r e71f880c0518 tools/libxc/xc_mem_paging.c
--- a/tools/libxc/xc_mem_paging.c
+++ b/tools/libxc/xc_mem_paging.c
@@ -65,6 +65,29 @@ int xc_mem_paging_prep(xc_interface *xch
                                 NULL, NULL, gfn);
 }
 
+int xc_mem_paging_load(xc_interface *xch, domid_t domain_id, 
+                                unsigned long gfn, void *buffer)
+{
+    int rc;
+
+    if ( !buffer )
+        return -EINVAL;
+
+    if ( ((unsigned long) buffer) & (XC_PAGE_SIZE - 1) )
+        return -EINVAL;
+
+    if ( mlock(buffer, XC_PAGE_SIZE) )
+        return -errno;
+        
+    rc = xc_mem_event_control(xch, domain_id,
+                                XEN_DOMCTL_MEM_EVENT_OP_PAGING_PREP,
+                                XEN_DOMCTL_MEM_EVENT_OP_PAGING,
+                                buffer, NULL, gfn);
+
+    (void)munlock(buffer, XC_PAGE_SIZE);
+    return rc;
+}
+
 int xc_mem_paging_resume(xc_interface *xch, domid_t domain_id, unsigned long
gfn)
 {
     return xc_mem_event_control(xch, domain_id,
diff -r 2981bd752d51 -r e71f880c0518 tools/libxc/xenctrl.h
--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -1839,6 +1839,8 @@ int xc_mem_paging_nominate(xc_interface 
                            unsigned long gfn);
 int xc_mem_paging_evict(xc_interface *xch, domid_t domain_id, unsigned long
gfn);
 int xc_mem_paging_prep(xc_interface *xch, domid_t domain_id, unsigned long
gfn);
+int xc_mem_paging_load(xc_interface *xch, domid_t domain_id, 
+                        unsigned long gfn, void *buffer);
 int xc_mem_paging_resume(xc_interface *xch, domid_t domain_id,
                          unsigned long gfn);

tools/xenpaging/xenpaging.c |  43 +++++++++++++++++++++----------------------
 1 files changed, 21 insertions(+), 22 deletions(-)


interface.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>

diff -r e71f880c0518 -r 90ded86b0a30 tools/xenpaging/xenpaging.c
--- a/tools/xenpaging/xenpaging.c
+++ b/tools/xenpaging/xenpaging.c
@@ -45,6 +45,7 @@ static char *dom_path;
 static char watch_token[16];
 static char *filename;
 static int interrupted;
+static void *paging_buffer = NULL;
 
 static void unlink_pagefile(void)
 {
@@ -438,6 +439,13 @@ static xenpaging_t *xenpaging_init(int a
         goto err;
     }
 
+    paging_buffer = init_page();
+    if ( !paging_buffer )
+    {
+        ERROR("Creating page aligned load buffer");
+        goto err;
+    }
+
     return paging;
 
  err:
@@ -649,10 +657,20 @@ static int xenpaging_populate_page(xenpa
     unsigned char oom = 0;
 
     DPRINTF("populate_page < gfn %"PRI_xen_pfn" pageslot
%d\n", gfn, i);
+
+    /* Read page */
+    ret = read_page(fd, paging_buffer, i);
+    if ( ret != 0 )
+    {
+        ERROR("Error reading page");
+        goto out;
+    }
+
     do
     {
         /* Tell Xen to allocate a page for the domain */
-        ret = xc_mem_paging_prep(xch, paging->mem_event.domain_id, gfn);
+        ret = xc_mem_paging_load(xch, paging->mem_event.domain_id, gfn,
+                                    paging_buffer);
         if ( ret != 0 )
         {
             if ( errno == ENOMEM )
@@ -662,33 +680,14 @@ static int xenpaging_populate_page(xenpa
                 sleep(1);
                 continue;
             }
-            PERROR("Error preparing %"PRI_xen_pfn" for
page-in", gfn);
-            goto out_map;
+            PERROR("Error loading %"PRI_xen_pfn" during
page-in", gfn);
+            goto out;
         }
     }
     while ( ret && !interrupted );
 
-    /* Map page */
-    ret = -EFAULT;
-    page = xc_map_foreign_pages(xch, paging->mem_event.domain_id,
-                                PROT_READ | PROT_WRITE, &gfn, 1);
-    if ( page == NULL )
-    {
-        PERROR("Error mapping page %"PRI_xen_pfn": page is
null", gfn);
-        goto out_map;
-    }
-
-    /* Read page */
-    ret = read_page(fd, page, i);
-    if ( ret != 0 )
-    {
-        PERROR("Error reading page %"PRI_xen_pfn"", gfn);
-        goto out;
-    }
 
  out:
-    munmap(page, PAGE_SIZE);
- out_map:
     return ret;
 }

Andres Lagar-Cavilla writes ("[PATCH 2 of 3] Tools: Libxc wrappers to
automatically fill in page oud page contents on
prepare"):
>  tools/libxc/xc_mem_event.c  |   4 ++--
>  tools/libxc/xc_mem_paging.c |  23 +++++++++++++++++++++++
>  tools/libxc/xenctrl.h       |   2 ++
>  3 files changed, 27 insertions(+), 2 deletions(-)
> 
> 
> Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Andres Lagar-Cavilla writes ("[PATCH 3 of 3] Teach xenpaging to use the new
and non-racy xc_mem_paging_load"):
>  tools/xenpaging/xenpaging.c |  43
+++++++++++++++++++++----------------------
>  1 files changed, 21 insertions(+), 22 deletions(-)
> 
> interface.
This one should get an ack from Olaf, probably.

Also your commit message seems to have been mangled.

Thanks,
Ian.

At 12:21 -0500 on 01 Dec (1322742072), Andres Lagar-Cavilla
wrote:
>  xen/arch/x86/mm/mem_event.c  |   2 +-
>  xen/arch/x86/mm/mem_paging.c |   2 +-
>  xen/arch/x86/mm/p2m.c        |  32 ++++++++++++++++++++++++++++++--
>  xen/include/asm-x86/p2m.h    |   2 +-
>  xen/include/public/domctl.h  |   8 ++++++--
>  5 files changed, 39 insertions(+), 7 deletions(-)
> 
> 
> p2m_mem_paging_prep ensures that an mfn is backing the paged-out gfn, and
> transitions to the next state in the paging state machine for that page.
> Foreign mappings of the gfn will now succeed. This is the key idea, as
> it allows the pager to now map the gfn and fill in its contents.
> 
> Unfortunately, it also allows any other foreign mapper to map the gfn and
read
> its contents. This is particularly dangerous when the populate is launched
> by a foreign mapper in the first place, which will be actively retrying the
> map operation and might race with the pager. Qemu-dm being a prime example.
> 
> Fix the race by allowing a buffer to be optionally passed in the prep
> operation, and having the hypervisor memcpy from that buffer into the newly
> prepped page before promoting the gfn type.
> 
> Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Tim Deegan <tim@xen.org>

Once Olaf OKs the xenpaging change, this whole set can go in.

Tim.

On Thu, Dec 01, Andres Lagar-Cavilla wrote:
> Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
 
Acked-by: Olaf Hering <olaf@aepfle.de>
> diff -r e71f880c0518 -r 90ded86b0a30 tools/xenpaging/xenpaging.c
> --- a/tools/xenpaging/xenpaging.c
> +++ b/tools/xenpaging/xenpaging.c
> @@ -45,6 +45,7 @@ static char *dom_path;
>  static char watch_token[16];
>  static char *filename;
>  static int interrupted;
> +static void *paging_buffer = NULL;
Globals need no assignment.

Olaf

At 12:21 -0500 on 01 Dec (1322742071), Andres Lagar-Cavilla
wrote:
> P2m_mem_paging_prep ensures that an mfn is backing the paged-out gfn, and
> transitions to the next state in the paging state machine for this page. 
> Foreign mappings of the gfn will now succeed. This is the key idea, as it 
> allows the pager to now map the gfn and fill in its contents.
> 
> Unfortunately, it also allows any other foreign mapper to map the gfn and
read
> its contents. This is particularly dangerous when the populate is launched
> by a foreign mapper in the first place, which will be actively retrying the
> map operation and might race with the pager. Qemu-dm being a prime example.
> 
> Fix the race by allowing a buffer to be optionally passed in the prep
> operation, and having the hypervisor memcpy from that buffer into the newly
> prepped page before promoting the gfn type.
> 
> Second patch is a tools patch.
> 
> Resent after feedback: xenpaging patch attached, simplified with use of 
> copy_from_guest. Left potntial short-cut to avoid pging_resume for further 
> discussion.
> 
> Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Applied, thanks.

Tim.