Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Alex Williamson]

On Tue, 2012-12-11 at 23:39 -0200, Marcelo Tosatti wrote:
> On Tue, Dec 11, 2012 at 11:29:09PM -0200, Marcelo Tosatti wrote:
> > On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
> > > The API documentation states:
> > > 
> > >   When changing an existing slot, it may be moved in the guest
> > >   physical memory space, or its flags may be modified.
> > > 
> > > An "existing slot" requires a non-zero npages (memory_size).  The only
> > > transition we should therefore allow for a non-existing slot should be
> > > to create the slot, which includes setting a non-zero memory_size.  We
> > > currently allow calls to modify non-existing slots, which is pointless,
> > > confusing, and possibly wrong.
> > > 
> > > With this we know that the invalidation path of __kvm_set_memory_region
> > > is always for a delete or move and never for adding a zero size slot.
> > > 
> > > Signed-off-by: Alex Williamson 
> > > ---
> > >  virt/kvm/kvm_main.c |9 +++--
> > >  1 file changed, 7 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > > index 6e8fa7e..e426704 100644
> > > --- a/virt/kvm/kvm_main.c
> > > +++ b/virt/kvm/kvm_main.c
> > > @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
> > >   new.npages = npages;
> > >   new.flags = mem->flags;
> > >  
> > > - /* Disallow changing a memory slot's size. */
> > > + /*
> > > +  * Disallow changing a memory slot's size or changing anything about
> > > +  * zero sized slots that doesn't involve making them non-zero.
> > > +  */
> > >   r = -EINVAL;
> > >   if (npages && old.npages && npages != old.npages)
> > >   goto out_free;
> > > + if (!npages && !old.npages)
> > > + goto out_free;
> > 
> > /* General sanity checks */
> > if (mem->memory_size & (PAGE_SIZE - 1))
> > goto out;
> > if (mem->guest_phys_addr & (PAGE_SIZE - 1))
> > goto out;
> > 
> > if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
> > goto out;
> > 
> > If mem->memory_size is zero, then check above fails. 
> 
> Err, no read a "<=" while writing that.

;)  Thanks for the double check,

Alex

> > If mem->memory_size > 0, it must be at least PAGE_SIZE, in which case 
> > npages == 1.
> > 
> > Which means the code does not allow changes to non-existing slots.
> > Yes?
> > 



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Marcelo Tosatti]

On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
> The API documentation states:
> 
>   When changing an existing slot, it may be moved in the guest
>   physical memory space, or its flags may be modified.
> 
> An "existing slot" requires a non-zero npages (memory_size).  The only
> transition we should therefore allow for a non-existing slot should be
> to create the slot, which includes setting a non-zero memory_size.  We
> currently allow calls to modify non-existing slots, which is pointless,
> confusing, and possibly wrong.
> 
> With this we know that the invalidation path of __kvm_set_memory_region
> is always for a delete or move and never for adding a zero size slot.
> 
> Signed-off-by: Alex Williamson 
> ---
>  virt/kvm/kvm_main.c |9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 6e8fa7e..e426704 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
>   new.npages = npages;
>   new.flags = mem->flags;
>  
> - /* Disallow changing a memory slot's size. */
> + /*
> +  * Disallow changing a memory slot's size or changing anything about
> +  * zero sized slots that doesn't involve making them non-zero.
> +  */
>   r = -EINVAL;
>   if (npages && old.npages && npages != old.npages)
>   goto out_free;
> + if (!npages && !old.npages)
> + goto out_free;

/* General sanity checks */
if (mem->memory_size & (PAGE_SIZE - 1))
goto out;
if (mem->guest_phys_addr & (PAGE_SIZE - 1))
goto out;

if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
goto out;

If mem->memory_size is zero, then check above fails. 
If mem->memory_size > 0, it must be at least PAGE_SIZE, in which case 
npages == 1.

Which means the code does not allow changes to non-existing slots.
Yes?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Marcelo Tosatti]

On Tue, Dec 11, 2012 at 11:29:09PM -0200, Marcelo Tosatti wrote:
> On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
> > The API documentation states:
> > 
> > When changing an existing slot, it may be moved in the guest
> > physical memory space, or its flags may be modified.
> > 
> > An "existing slot" requires a non-zero npages (memory_size).  The only
> > transition we should therefore allow for a non-existing slot should be
> > to create the slot, which includes setting a non-zero memory_size.  We
> > currently allow calls to modify non-existing slots, which is pointless,
> > confusing, and possibly wrong.
> > 
> > With this we know that the invalidation path of __kvm_set_memory_region
> > is always for a delete or move and never for adding a zero size slot.
> > 
> > Signed-off-by: Alex Williamson 
> > ---
> >  virt/kvm/kvm_main.c |9 +++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> > 
> > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > index 6e8fa7e..e426704 100644
> > --- a/virt/kvm/kvm_main.c
> > +++ b/virt/kvm/kvm_main.c
> > @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
> > new.npages = npages;
> > new.flags = mem->flags;
> >  
> > -   /* Disallow changing a memory slot's size. */
> > +   /*
> > +* Disallow changing a memory slot's size or changing anything about
> > +* zero sized slots that doesn't involve making them non-zero.
> > +*/
> > r = -EINVAL;
> > if (npages && old.npages && npages != old.npages)
> > goto out_free;
> > +   if (!npages && !old.npages)
> > +   goto out_free;
> 
> /* General sanity checks */
> if (mem->memory_size & (PAGE_SIZE - 1))
> goto out;
> if (mem->guest_phys_addr & (PAGE_SIZE - 1))
> goto out;
> 
> if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)
> goto out;
> 
> If mem->memory_size is zero, then check above fails. 

Err, no read a "<=" while writing that.

> If mem->memory_size > 0, it must be at least PAGE_SIZE, in which case 
> npages == 1.
> 
> Which means the code does not allow changes to non-existing slots.
> Yes?
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Marcelo Tosatti]

On Tue, Dec 11, 2012 at 11:29:09PM -0200, Marcelo Tosatti wrote:
 On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
  The API documentation states:
  
  When changing an existing slot, it may be moved in the guest
  physical memory space, or its flags may be modified.
  
  An existing slot requires a non-zero npages (memory_size).  The only
  transition we should therefore allow for a non-existing slot should be
  to create the slot, which includes setting a non-zero memory_size.  We
  currently allow calls to modify non-existing slots, which is pointless,
  confusing, and possibly wrong.
  
  With this we know that the invalidation path of __kvm_set_memory_region
  is always for a delete or move and never for adding a zero size slot.
  
  Signed-off-by: Alex Williamson alex.william...@redhat.com
  ---
   virt/kvm/kvm_main.c |9 +++--
   1 file changed, 7 insertions(+), 2 deletions(-)
  
  diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
  index 6e8fa7e..e426704 100644
  --- a/virt/kvm/kvm_main.c
  +++ b/virt/kvm/kvm_main.c
  @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
  new.npages = npages;
  new.flags = mem-flags;
   
  -   /* Disallow changing a memory slot's size. */
  +   /*
  +* Disallow changing a memory slot's size or changing anything about
  +* zero sized slots that doesn't involve making them non-zero.
  +*/
  r = -EINVAL;
  if (npages  old.npages  npages != old.npages)
  goto out_free;
  +   if (!npages  !old.npages)
  +   goto out_free;
 
 /* General sanity checks */
 if (mem-memory_size  (PAGE_SIZE - 1))
 goto out;
 if (mem-guest_phys_addr  (PAGE_SIZE - 1))
 goto out;
 
 if (mem-guest_phys_addr + mem-memory_size  mem-guest_phys_addr)
 goto out;
 
 If mem-memory_size is zero, then check above fails. 

Err, no read a = while writing that.

 If mem-memory_size  0, it must be at least PAGE_SIZE, in which case 
 npages == 1.
 
 Which means the code does not allow changes to non-existing slots.
 Yes?
 
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Marcelo Tosatti]

On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
 The API documentation states:
 
   When changing an existing slot, it may be moved in the guest
   physical memory space, or its flags may be modified.
 
 An existing slot requires a non-zero npages (memory_size).  The only
 transition we should therefore allow for a non-existing slot should be
 to create the slot, which includes setting a non-zero memory_size.  We
 currently allow calls to modify non-existing slots, which is pointless,
 confusing, and possibly wrong.
 
 With this we know that the invalidation path of __kvm_set_memory_region
 is always for a delete or move and never for adding a zero size slot.
 
 Signed-off-by: Alex Williamson alex.william...@redhat.com
 ---
  virt/kvm/kvm_main.c |9 +++--
  1 file changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
 index 6e8fa7e..e426704 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
   new.npages = npages;
   new.flags = mem-flags;
  
 - /* Disallow changing a memory slot's size. */
 + /*
 +  * Disallow changing a memory slot's size or changing anything about
 +  * zero sized slots that doesn't involve making them non-zero.
 +  */
   r = -EINVAL;
   if (npages  old.npages  npages != old.npages)
   goto out_free;
 + if (!npages  !old.npages)
 + goto out_free;

/* General sanity checks */
if (mem-memory_size  (PAGE_SIZE - 1))
goto out;
if (mem-guest_phys_addr  (PAGE_SIZE - 1))
goto out;

if (mem-guest_phys_addr + mem-memory_size  mem-guest_phys_addr)
goto out;

If mem-memory_size is zero, then check above fails. 
If mem-memory_size  0, it must be at least PAGE_SIZE, in which case 
npages == 1.

Which means the code does not allow changes to non-existing slots.
Yes?

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Alex Williamson]

On Tue, 2012-12-11 at 23:39 -0200, Marcelo Tosatti wrote:
 On Tue, Dec 11, 2012 at 11:29:09PM -0200, Marcelo Tosatti wrote:
  On Mon, Dec 10, 2012 at 10:32:45AM -0700, Alex Williamson wrote:
   The API documentation states:
   
 When changing an existing slot, it may be moved in the guest
 physical memory space, or its flags may be modified.
   
   An existing slot requires a non-zero npages (memory_size).  The only
   transition we should therefore allow for a non-existing slot should be
   to create the slot, which includes setting a non-zero memory_size.  We
   currently allow calls to modify non-existing slots, which is pointless,
   confusing, and possibly wrong.
   
   With this we know that the invalidation path of __kvm_set_memory_region
   is always for a delete or move and never for adding a zero size slot.
   
   Signed-off-by: Alex Williamson alex.william...@redhat.com
   ---
virt/kvm/kvm_main.c |9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
   
   diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
   index 6e8fa7e..e426704 100644
   --- a/virt/kvm/kvm_main.c
   +++ b/virt/kvm/kvm_main.c
   @@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
 new.npages = npages;
 new.flags = mem-flags;

   - /* Disallow changing a memory slot's size. */
   + /*
   +  * Disallow changing a memory slot's size or changing anything about
   +  * zero sized slots that doesn't involve making them non-zero.
   +  */
 r = -EINVAL;
 if (npages  old.npages  npages != old.npages)
 goto out_free;
   + if (!npages  !old.npages)
   + goto out_free;
  
  /* General sanity checks */
  if (mem-memory_size  (PAGE_SIZE - 1))
  goto out;
  if (mem-guest_phys_addr  (PAGE_SIZE - 1))
  goto out;
  
  if (mem-guest_phys_addr + mem-memory_size  mem-guest_phys_addr)
  goto out;
  
  If mem-memory_size is zero, then check above fails. 
 
 Err, no read a = while writing that.

;)  Thanks for the double check,

Alex

  If mem-memory_size  0, it must be at least PAGE_SIZE, in which case 
  npages == 1.
  
  Which means the code does not allow changes to non-existing slots.
  Yes?
  



--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Alex Williamson]

The API documentation states:

When changing an existing slot, it may be moved in the guest
physical memory space, or its flags may be modified.

An "existing slot" requires a non-zero npages (memory_size).  The only
transition we should therefore allow for a non-existing slot should be
to create the slot, which includes setting a non-zero memory_size.  We
currently allow calls to modify non-existing slots, which is pointless,
confusing, and possibly wrong.

With this we know that the invalidation path of __kvm_set_memory_region
is always for a delete or move and never for adding a zero size slot.

Signed-off-by: Alex Williamson 
---
 virt/kvm/kvm_main.c |9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 6e8fa7e..e426704 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
new.npages = npages;
new.flags = mem->flags;
 
-   /* Disallow changing a memory slot's size. */
+   /*
+* Disallow changing a memory slot's size or changing anything about
+* zero sized slots that doesn't involve making them non-zero.
+*/
r = -EINVAL;
if (npages && old.npages && npages != old.npages)
goto out_free;
+   if (!npages && !old.npages)
+   goto out_free;
 
/* Check for overlaps */
r = -EEXIST;
@@ -775,7 +780,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
r = -ENOMEM;
 
/* Allocate if a slot is being created */
-   if (npages && !old.npages) {
+   if (!old.npages) {
new.user_alloc = user_alloc;
new.userspace_addr = mem->userspace_addr;
 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH v2 01/10] kvm: Restrict non-existing slot state transitions

[Alex Williamson]

The API documentation states:

When changing an existing slot, it may be moved in the guest
physical memory space, or its flags may be modified.

An existing slot requires a non-zero npages (memory_size).  The only
transition we should therefore allow for a non-existing slot should be
to create the slot, which includes setting a non-zero memory_size.  We
currently allow calls to modify non-existing slots, which is pointless,
confusing, and possibly wrong.

With this we know that the invalidation path of __kvm_set_memory_region
is always for a delete or move and never for adding a zero size slot.

Signed-off-by: Alex Williamson alex.william...@redhat.com
---
 virt/kvm/kvm_main.c |9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 6e8fa7e..e426704 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -753,10 +753,15 @@ int __kvm_set_memory_region(struct kvm *kvm,
new.npages = npages;
new.flags = mem-flags;
 
-   /* Disallow changing a memory slot's size. */
+   /*
+* Disallow changing a memory slot's size or changing anything about
+* zero sized slots that doesn't involve making them non-zero.
+*/
r = -EINVAL;
if (npages  old.npages  npages != old.npages)
goto out_free;
+   if (!npages  !old.npages)
+   goto out_free;
 
/* Check for overlaps */
r = -EEXIST;
@@ -775,7 +780,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
r = -ENOMEM;
 
/* Allocate if a slot is being created */
-   if (npages  !old.npages) {
+   if (!old.npages) {
new.user_alloc = user_alloc;
new.userspace_addr = mem-userspace_addr;
 

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/