Re: [Xen-devel] [PATCH v2] domctl: fix IRQ permission granting/revocation
On Fri, 2014-12-12 at 10:24 +, Jan Beulich wrote:
> Commit 545607eb3c ("x86: fix various issues with handling guest IRQs")
> wasn't really consistent in one respect: The granting of access to an
> IRQ shouldn't assume the pIRQ->IRQ translation to be the same in both
> domains. In fact it is wrong to assume that a translation is already/
> still in place at the time access is being granted/revoked.
>
> What is wanted is to translate the incoming pIRQ to an IRQ for
> the invoking domain (as the pIRQ is the only notion the invoking
> domain has of the IRQ), and grant the subject domain access to
> the resulting IRQ.
>
> Signed-off-by: Jan Beulich
Acked-by: Ian Campbell
> ---
> v2: Also fix initial range check to use current->domain, adjust code
> structure, and extend description (all requested by Ian). Along
> the lines of the first mentioned change, also pass the Xen IRQ
> number to the XSM hook (confirmed okay by Daniel).
> Note that I would hope for this to make unnecessary Stefano's proposed
> tools side change
> http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00160.html.
>
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -982,18 +982,21 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
>
> case XEN_DOMCTL_irq_permission:
> {
> -unsigned int pirq = op->u.irq_permission.pirq;
> +unsigned int pirq = op->u.irq_permission.pirq, irq;
> int allow = op->u.irq_permission.allow_access;
>
> -if ( pirq >= d->nr_pirqs )
> +if ( pirq >= current->domain->nr_pirqs )
> +{
> ret = -EINVAL;
> -else if ( !pirq_access_permitted(current->domain, pirq) ||
> - xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
> +break;
> +}
> +irq = pirq_access_permitted(current->domain, pirq);
> +if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) )
> ret = -EPERM;
> else if ( allow )
> -ret = pirq_permit_access(d, pirq);
> +ret = irq_permit_access(d, irq);
> else
> -ret = pirq_deny_access(d, pirq);
> +ret = irq_deny_access(d, irq);
> }
> break;
>
> --- a/xen/include/xen/iocap.h
> +++ b/xen/include/xen/iocap.h
> @@ -28,22 +28,11 @@
> #define irq_access_permitted(d, i) \
> rangeset_contains_singleton((d)->irq_caps, i)
>
> -#define pirq_permit_access(d, i) ({ \
> -struct domain *d__ = (d); \
> -int i__ = domain_pirq_to_irq(d__, i); \
> -i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
> -: -EINVAL; \
> -})
> -#define pirq_deny_access(d, i) ({ \
> -struct domain *d__ = (d); \
> -int i__ = domain_pirq_to_irq(d__, i); \
> -i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
> -: -EINVAL; \
> -})
> #define pirq_access_permitted(d, i) ({ \
> struct domain *d__ = (d); \
> -rangeset_contains_singleton(d__->irq_caps, \
> -domain_pirq_to_irq(d__, i));\
> +int irq__ = domain_pirq_to_irq(d__, i); \
> +irq__ > 0 && irq_access_permitted(d__, irq__) \
> +? irq__ : 0;\
> })
>
> #endif /* __XEN_IOCAP_H__ */
>
>
>
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH v2] domctl: fix IRQ permission granting/revocation
On Fri, 2014-12-12 at 11:03 +, Jan Beulich wrote:
> >>> On 12.12.14 at 11:49, wrote:
> > On 12/12/14 10:24, Jan Beulich wrote:
> >> Commit 545607eb3c ("x86: fix various issues with handling guest IRQs")
> >> wasn't really consistent in one respect: The granting of access to an
> >> IRQ shouldn't assume the pIRQ->IRQ translation to be the same in both
> >> domains. In fact it is wrong to assume that a translation is already/
> >> still in place at the time access is being granted/revoked.
> >>
> >> What is wanted is to translate the incoming pIRQ to an IRQ for
> >> the invoking domain (as the pIRQ is the only notion the invoking
> >> domain has of the IRQ), and grant the subject domain access to
> >> the resulting IRQ.
> >>
> >> Signed-off-by: Jan Beulich
> >
> > Should domain_pirq_to_irq() be using 0 as its default invalid value,
> > rather than -1? irq 0 is a real irq and could plausibly be wanted to be
> > passed through to a guest.
>
> Not on x86. If another architecture would ever need this, I think
> we'd need to audit all current users of domain_pirq_to_irq() before
> doing such a change.
FWIW on ARM (at least the versions we support, i.e. with the generic IRQ
controller) IRQ0 is an SGI (what x86 would call an IPI). It seems
unlikely we'd want to pass one of those through...
Ian.
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH v2] domctl: fix IRQ permission granting/revocation
>>> On 12.12.14 at 11:49, wrote:
> On 12/12/14 10:24, Jan Beulich wrote:
>> Commit 545607eb3c ("x86: fix various issues with handling guest IRQs")
>> wasn't really consistent in one respect: The granting of access to an
>> IRQ shouldn't assume the pIRQ->IRQ translation to be the same in both
>> domains. In fact it is wrong to assume that a translation is already/
>> still in place at the time access is being granted/revoked.
>>
>> What is wanted is to translate the incoming pIRQ to an IRQ for
>> the invoking domain (as the pIRQ is the only notion the invoking
>> domain has of the IRQ), and grant the subject domain access to
>> the resulting IRQ.
>>
>> Signed-off-by: Jan Beulich
>
> Should domain_pirq_to_irq() be using 0 as its default invalid value,
> rather than -1? irq 0 is a real irq and could plausibly be wanted to be
> passed through to a guest.
Not on x86. If another architecture would ever need this, I think
we'd need to audit all current users of domain_pirq_to_irq() before
doing such a change.
Jan
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH v2] domctl: fix IRQ permission granting/revocation
On 12/12/14 10:24, Jan Beulich wrote:
> Commit 545607eb3c ("x86: fix various issues with handling guest IRQs")
> wasn't really consistent in one respect: The granting of access to an
> IRQ shouldn't assume the pIRQ->IRQ translation to be the same in both
> domains. In fact it is wrong to assume that a translation is already/
> still in place at the time access is being granted/revoked.
>
> What is wanted is to translate the incoming pIRQ to an IRQ for
> the invoking domain (as the pIRQ is the only notion the invoking
> domain has of the IRQ), and grant the subject domain access to
> the resulting IRQ.
>
> Signed-off-by: Jan Beulich
Should domain_pirq_to_irq() be using 0 as its default invalid value,
rather than -1? irq 0 is a real irq and could plausibly be wanted to be
passed through to a guest.
~Andrew
> ---
> v2: Also fix initial range check to use current->domain, adjust code
> structure, and extend description (all requested by Ian). Along
> the lines of the first mentioned change, also pass the Xen IRQ
> number to the XSM hook (confirmed okay by Daniel).
> Note that I would hope for this to make unnecessary Stefano's proposed
> tools side change
> http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00160.html.
>
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -982,18 +982,21 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
>
> case XEN_DOMCTL_irq_permission:
> {
> -unsigned int pirq = op->u.irq_permission.pirq;
> +unsigned int pirq = op->u.irq_permission.pirq, irq;
> int allow = op->u.irq_permission.allow_access;
>
> -if ( pirq >= d->nr_pirqs )
> +if ( pirq >= current->domain->nr_pirqs )
> +{
> ret = -EINVAL;
> -else if ( !pirq_access_permitted(current->domain, pirq) ||
> - xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
> +break;
> +}
> +irq = pirq_access_permitted(current->domain, pirq);
> +if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) )
> ret = -EPERM;
> else if ( allow )
> -ret = pirq_permit_access(d, pirq);
> +ret = irq_permit_access(d, irq);
> else
> -ret = pirq_deny_access(d, pirq);
> +ret = irq_deny_access(d, irq);
> }
> break;
>
> --- a/xen/include/xen/iocap.h
> +++ b/xen/include/xen/iocap.h
> @@ -28,22 +28,11 @@
> #define irq_access_permitted(d, i) \
> rangeset_contains_singleton((d)->irq_caps, i)
>
> -#define pirq_permit_access(d, i) ({ \
> -struct domain *d__ = (d); \
> -int i__ = domain_pirq_to_irq(d__, i); \
> -i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
> -: -EINVAL; \
> -})
> -#define pirq_deny_access(d, i) ({ \
> -struct domain *d__ = (d); \
> -int i__ = domain_pirq_to_irq(d__, i); \
> -i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
> -: -EINVAL; \
> -})
> #define pirq_access_permitted(d, i) ({ \
> struct domain *d__ = (d); \
> -rangeset_contains_singleton(d__->irq_caps, \
> -domain_pirq_to_irq(d__, i));\
> +int irq__ = domain_pirq_to_irq(d__, i); \
> +irq__ > 0 && irq_access_permitted(d__, irq__) \
> +? irq__ : 0;\
> })
>
> #endif /* __XEN_IOCAP_H__ */
>
>
>
>
> ___
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
[Xen-devel] [PATCH v2] domctl: fix IRQ permission granting/revocation
Commit 545607eb3c ("x86: fix various issues with handling guest IRQs")
wasn't really consistent in one respect: The granting of access to an
IRQ shouldn't assume the pIRQ->IRQ translation to be the same in both
domains. In fact it is wrong to assume that a translation is already/
still in place at the time access is being granted/revoked.
What is wanted is to translate the incoming pIRQ to an IRQ for
the invoking domain (as the pIRQ is the only notion the invoking
domain has of the IRQ), and grant the subject domain access to
the resulting IRQ.
Signed-off-by: Jan Beulich
---
v2: Also fix initial range check to use current->domain, adjust code
structure, and extend description (all requested by Ian). Along
the lines of the first mentioned change, also pass the Xen IRQ
number to the XSM hook (confirmed okay by Daniel).
Note that I would hope for this to make unnecessary Stefano's proposed
tools side change
http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00160.html.
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -982,18 +982,21 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
case XEN_DOMCTL_irq_permission:
{
-unsigned int pirq = op->u.irq_permission.pirq;
+unsigned int pirq = op->u.irq_permission.pirq, irq;
int allow = op->u.irq_permission.allow_access;
-if ( pirq >= d->nr_pirqs )
+if ( pirq >= current->domain->nr_pirqs )
+{
ret = -EINVAL;
-else if ( !pirq_access_permitted(current->domain, pirq) ||
- xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
+break;
+}
+irq = pirq_access_permitted(current->domain, pirq);
+if ( !irq || xsm_irq_permission(XSM_HOOK, d, irq, allow) )
ret = -EPERM;
else if ( allow )
-ret = pirq_permit_access(d, pirq);
+ret = irq_permit_access(d, irq);
else
-ret = pirq_deny_access(d, pirq);
+ret = irq_deny_access(d, irq);
}
break;
--- a/xen/include/xen/iocap.h
+++ b/xen/include/xen/iocap.h
@@ -28,22 +28,11 @@
#define irq_access_permitted(d, i) \
rangeset_contains_singleton((d)->irq_caps, i)
-#define pirq_permit_access(d, i) ({ \
-struct domain *d__ = (d); \
-int i__ = domain_pirq_to_irq(d__, i); \
-i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
-: -EINVAL; \
-})
-#define pirq_deny_access(d, i) ({ \
-struct domain *d__ = (d); \
-int i__ = domain_pirq_to_irq(d__, i); \
-i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
-: -EINVAL; \
-})
#define pirq_access_permitted(d, i) ({ \
struct domain *d__ = (d); \
-rangeset_contains_singleton(d__->irq_caps, \
-domain_pirq_to_irq(d__, i));\
+int irq__ = domain_pirq_to_irq(d__, i); \
+irq__ > 0 && irq_access_permitted(d__, irq__) \
+? irq__ : 0;\
})
#endif /* __XEN_IOCAP_H__ */
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
