Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1979637pxb; Fri, 5 Mar 2021 04:40:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJyTlJGrxo+75ubb0gTBTIsIw4j/GsTpPx2UIhcFSIArJYoYu8YzxVFLuStdj+iUSDDrD+PH X-Received: by 2002:aa7:cd8c:: with SMTP id x12mr9102433edv.355.1614948010127; Fri, 05 Mar 2021 04:40:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614948010; cv=none; d=google.com; s=arc-20160816; b=tK1AFyrY00tHm3CBpgDajOLOnZ0A7GpevZNNNy9z+yLkYiz7QLgySWnCRXci77WELl dOLjs/3oRwy0xEB+gwollwuuMEzXoZ6iZoRKScmt9BiKoj6vx5j8KTcS+kuXKqn/Av6L 6obeZU/2gR8kikBjl7PcE/4WwfkWIdU6zeGQ4k1Gvhm/rH8kLT6X+uk9260xVPw+dFXo gUxDNEXeV+OtpEvIckV16bRs0iXKYDhwfI8vRCUMIpMjrK4omwah4KFR0BKBmyCCqBqF szB1/WqKSzr5HZJS5q2Pv41+Q+fjXT18vojUWbG3PMX3IMzeyXbXphGO88DwSUooluIJ DSTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=SMLYl2CTQK/v+cui0si8qZHaAFZ68b6KkKBTA5oW83c=; b=pyi9P4MG9NqTQNXNRD4U7z35bw9EJ/lsraVCkl4pSx2dSwUKbNX4WsZaoiB0YL4cUk hVaEZU1msFMInGhCgunWiz7rYQ9WznFo4of4soOEe4aho/g+74PwZBiGrAKJpplRIt0v c5de7Y3iCc7/BqXM2U72Z8/4t4IBvr2t1rzFe5P2XebCodx0vpdZHV9tL5oHvhJNP0OV jRI6WYPg5Eia+X5ngPo+OIXKShvIPIjh9pnBSOIZUs/BewbTYoUyE6ig6a/AD+M2v2bE mOtJAyKboz7rTNEuxEvspMs6i/MwR3qYwH5HR3kOW8X6uUEstxak5oLA7Tt7pJ2kr9uM 3XSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="S8ZxKv/X"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v1si1545806edb.592.2021.03.05.04.39.46; Fri, 05 Mar 2021 04:40:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="S8ZxKv/X"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232260AbhCEMix (ORCPT + 99 others); Fri, 5 Mar 2021 07:38:53 -0500 Received: from mail.kernel.org ([198.145.29.99]:51130 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232966AbhCEMiD (ORCPT ); Fri, 5 Mar 2021 07:38:03 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 349FE65012; Fri, 5 Mar 2021 12:38:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1614947882; bh=pPhuODF5YQXrCVSoGD7/MI0sdXCCdPa2t2QXebb4Pdg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S8ZxKv/XNDpnL3OCgdCtQ0U9hXLPqxXCIeyeasJUePZSWD3fhO2BsoEuz4HAxCFvs PyWaDpiCR1vsV8HFlxJ6W6YWa+5GXl7jBc5Qh2S0YwTu8jdDJfDHXgmvY+f2u33naw Bl2L8r1kUk5lNjeIUcNiNrSCSXwTMCr2NRxaJbqc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jan Beulich , Juergen Gross Subject: [PATCH 4.19 46/52] Xen/gnttab: handle p2m update errors on a per-slot basis Date: Fri, 5 Mar 2021 13:22:17 +0100 Message-Id: <20210305120855.915240852@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210305120853.659441428@linuxfoundation.org> References: <20210305120853.659441428@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Beulich commit 8310b77b48c5558c140e7a57a702e7819e62f04e upstream. Bailing immediately from set_foreign_p2m_mapping() upon a p2m updating error leaves the full batch in an ambiguous state as far as the caller is concerned. Instead flags respective slots as bad, unmapping what was mapped there right away. HYPERVISOR_grant_table_op()'s return value and the individual unmap slots' status fields get used only for a one-time - there's not much we can do in case of a failure. Note that there's no GNTST_enomem or alike, so GNTST_general_error gets used. The map ops' handle fields get overwritten just to be on the safe side. This is part of XSA-367. Cc: Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/96cccf5d-e756-5f53-b91a-ea269bfb9be0@suse.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman --- arch/arm/xen/p2m.c | 35 +++++++++++++++++++++++++++++++---- arch/x86/xen/p2m.c | 44 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 72 insertions(+), 7 deletions(-) --- a/arch/arm/xen/p2m.c +++ b/arch/arm/xen/p2m.c @@ -91,12 +91,39 @@ int set_foreign_p2m_mapping(struct gntta int i; for (i = 0; i < count; i++) { + struct gnttab_unmap_grant_ref unmap; + int rc; + if (map_ops[i].status) continue; - if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, - map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) { - return -ENOMEM; - } + if (likely(set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, + map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) + continue; + + /* + * Signal an error for this slot. This in turn requires + * immediate unmapping. + */ + map_ops[i].status = GNTST_general_error; + unmap.host_addr = map_ops[i].host_addr, + unmap.handle = map_ops[i].handle; + map_ops[i].handle = ~0; + if (map_ops[i].flags & GNTMAP_device_map) + unmap.dev_bus_addr = map_ops[i].dev_bus_addr; + else + unmap.dev_bus_addr = 0; + + /* + * Pre-populate the status field, to be recognizable in + * the log message below. + */ + unmap.status = 1; + + rc = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref, + &unmap, 1); + if (rc || unmap.status != GNTST_okay) + pr_err_once("gnttab unmap failed: rc=%d st=%d\n", + rc, unmap.status); } return 0; --- a/arch/x86/xen/p2m.c +++ b/arch/x86/xen/p2m.c @@ -706,6 +706,8 @@ int set_foreign_p2m_mapping(struct gntta for (i = 0; i < count; i++) { unsigned long mfn, pfn; + struct gnttab_unmap_grant_ref unmap[2]; + int rc; /* Do not add to override if the map failed. */ if (map_ops[i].status != GNTST_okay || @@ -723,10 +725,46 @@ int set_foreign_p2m_mapping(struct gntta WARN(pfn_to_mfn(pfn) != INVALID_P2M_ENTRY, "page must be ballooned"); - if (unlikely(!set_phys_to_machine(pfn, FOREIGN_FRAME(mfn)))) { - ret = -ENOMEM; - goto out; + if (likely(set_phys_to_machine(pfn, FOREIGN_FRAME(mfn)))) + continue; + + /* + * Signal an error for this slot. This in turn requires + * immediate unmapping. + */ + map_ops[i].status = GNTST_general_error; + unmap[0].host_addr = map_ops[i].host_addr, + unmap[0].handle = map_ops[i].handle; + map_ops[i].handle = ~0; + if (map_ops[i].flags & GNTMAP_device_map) + unmap[0].dev_bus_addr = map_ops[i].dev_bus_addr; + else + unmap[0].dev_bus_addr = 0; + + if (kmap_ops) { + kmap_ops[i].status = GNTST_general_error; + unmap[1].host_addr = kmap_ops[i].host_addr, + unmap[1].handle = kmap_ops[i].handle; + kmap_ops[i].handle = ~0; + if (kmap_ops[i].flags & GNTMAP_device_map) + unmap[1].dev_bus_addr = kmap_ops[i].dev_bus_addr; + else + unmap[1].dev_bus_addr = 0; } + + /* + * Pre-populate both status fields, to be recognizable in + * the log message below. + */ + unmap[0].status = 1; + unmap[1].status = 1; + + rc = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref, + unmap, 1 + !!kmap_ops); + if (rc || unmap[0].status != GNTST_okay || + unmap[1].status != GNTST_okay) + pr_err_once("gnttab unmap failed: rc=%d st0=%d st1=%d\n", + rc, unmap[0].status, unmap[1].status); } out: