From: Dongwon Kim <dongwon.kim@intel.com>
To: linux-kernel@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org, xen-devel@lists.xenproject.org,
        mateuszx.potrola@intel.com, dongwon.kim@intel.com
Subject: [RFC PATCH 32/60] hyper_dmabuf: make all shared pages read-only
Date: Tue, 19 Dec 2017 11:29:48 -0800
Message-Id: <1513711816-2618-32-git-send-email-dongwon.kim@intel.com>
In-Reply-To: <1513711816-2618-1-git-send-email-dongwon.kim@intel.com>
References: <1513711816-2618-1-git-send-email-dongwon.kim@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2690
Lines: 77

All shared pages need to be read-only from importer's
point of view to prevent the buffer from being corrupted.

This patch may need to be reverted if we find a better
way to protect the original content in this sharing
model.

Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
---
 drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_shm.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_shm.c b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_shm.c
index c6a2993..1416a69 100644
--- a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_shm.c
+++ b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_shm.c
@@ -104,24 +104,24 @@ int hyper_dmabuf_xen_share_pages(struct page **pages, int domid, int nents,
 
 	*refs_info = (void *)sh_pages_info;
 
-	/* share data pages in rw mode*/
+	/* share data pages in readonly mode for security */
 	for (i=0; i<nents; i++) {
 		lvl2_table[i] = gnttab_grant_foreign_access(domid,
 							    pfn_to_mfn(page_to_pfn(pages[i])),
-							    0);
+							    true /* read-only from remote domain */);
 	}
 
 	/* Share 2nd level addressing pages in readonly mode*/
 	for (i=0; i< n_lvl2_grefs; i++) {
 		lvl3_table[i] = gnttab_grant_foreign_access(domid,
 							    virt_to_mfn((unsigned long)lvl2_table+i*PAGE_SIZE ),
-							    1);
+							    true);
 	}
 
 	/* Share lvl3_table in readonly mode*/
 	lvl3_gref = gnttab_grant_foreign_access(domid,
 						virt_to_mfn((unsigned long)lvl3_table),
-						1);
+						true);
 
 
 	/* Store lvl3_table page to be freed later */
@@ -317,12 +317,12 @@ struct page ** hyper_dmabuf_xen_map_shared_pages(int lvl3_gref, int domid, int n
 		for (j = 0; j < REFS_PER_PAGE; j++) {
 			gnttab_set_map_op(&data_map_ops[k],
 					  (unsigned long)pfn_to_kaddr(page_to_pfn(data_pages[k])),
-					  GNTMAP_host_map,
+					  GNTMAP_host_map | GNTMAP_readonly,
 					  lvl2_table[j], domid);
 
 			gnttab_set_unmap_op(&data_unmap_ops[k],
 					    (unsigned long)pfn_to_kaddr(page_to_pfn(data_pages[k])),
-					    GNTMAP_host_map, -1);
+					    GNTMAP_host_map | GNTMAP_readonly, -1);
 			k++;
 		}
 	}
@@ -333,12 +333,12 @@ struct page ** hyper_dmabuf_xen_map_shared_pages(int lvl3_gref, int domid, int n
 	for (j = 0; j < nents_last; j++) {
 		gnttab_set_map_op(&data_map_ops[k],
 				  (unsigned long)pfn_to_kaddr(page_to_pfn(data_pages[k])),
-				  GNTMAP_host_map,
+				  GNTMAP_host_map | GNTMAP_readonly,
 				  lvl2_table[j], domid);
 
 		gnttab_set_unmap_op(&data_unmap_ops[k],
 				    (unsigned long)pfn_to_kaddr(page_to_pfn(data_pages[k])),
-				    GNTMAP_host_map, -1);
+				    GNTMAP_host_map | GNTMAP_readonly, -1);
 		k++;
 	}
 
-- 
2.7.4