Message-ID: <f0f6c83f7d38a24234203849e116516ab7ac32f7.camel@linux.ibm.com>
Date:   Fri, 27 Jan 2023 19:15:22 +0100
From:   Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
To:     Janosch Frank <frankja@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>
Cc:     David Hildenbrand <david@...hat.com>,
        Jonathan Corbet <corbet@....net>, kvm@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-kselftest@...r.kernel.org, linux-s390@...r.kernel.org,
        Paolo Bonzini <pbonzini@...hat.com>,
        Shuah Khan <shuah@...nel.org>,
        Sven Schnelle <svens@...ux.ibm.com>
Subject: Re: [PATCH v6 12/14] KVM: s390: Extend MEM_OP ioctl by storage key
 checked cmpxchg

On Thu, 2023-01-26 at 17:10 +0100, Janosch Frank wrote:
> On 1/25/23 22:26, Janis Schoetterl-Glausch wrote:
> > User space can use the MEM_OP ioctl to make storage key checked reads
> > and writes to the guest, however, it has no way of performing atomic,
> > key checked, accesses to the guest.
> > Extend the MEM_OP ioctl in order to allow for this, by adding a cmpxchg
> > op. For now, support this op for absolute accesses only.
> > 
> > This op can be use, for example, to set the device-state-change
> 
> s/use/used/
> 
> > indicator and the adapter-local-summary indicator atomically.
> > 
> > Signed-off-by: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
> > ---
> [...]
> > +/**
> > + * cmpxchg_guest_abs_with_key() - Perform cmpxchg on guest absolute address.
> > + * @kvm: Virtual machine instance.
> > + * @gpa: Absolute guest address of the location to be changed.
> > + * @len: Operand length of the cmpxchg, required: 1 <= len <= 16. Providing a
> > + *       non power of two will result in failure.
> > + * @old_addr: Pointer to old value. If the location at @gpa contains this value,
> > + *            the exchange will succeed. After calling cmpxchg_guest_abs_with_key()
> > + *            *@..._addr contains the value at @gpa before the attempt to
> > + *            exchange the value.
> > + * @new: The value to place at @gpa.
> > + * @access_key: The access key to use for the guest access.
> > + * @success: output value indicating if an exchange occurred.
> > + *
> > + * Atomically exchange the value at @gpa by @new, if it contains *@....
> > + * Honors storage keys.
> > + *
> > + * Return: * 0: successful exchange
> > + *         * a program interruption code indicating the reason cmpxchg could
> > + *           not be attempted
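Review bot: The Return list's "0: successful exchange" does not match the code further down, where `*success = !ret && old == *old_addr` can leave *success false while ret is 0. Suggest wording it as "0: cmpxchg was attempted, see @success for whether the exchange occurred", and stating that *success is only meaningful when 0 is returned, since the early -EINVAL, PGM_ADDRESSING and -EOPNOTSUPP returns never write it.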
> 
> Nit:
>  >0: a program interruption code...
> 
> 
> > + *         * -EINVAL: address misaligned or len not power of two
> > + *         * -EAGAIN: transient failure (len 1 or 2)
> > + *         * -EOPNOTSUPP: read-only memslot (should never occur)
> > + */
> > +int cmpxchg_guest_abs_with_key(struct kvm *kvm, gpa_t gpa, int len,
> > +			       __uint128_t *old_addr, __uint128_t new,
> > +			       u8 access_key, bool *success)
> > +{
> > +	gfn_t gfn = gpa >> PAGE_SHIFT;
> 
>   gpa_to_gfn()?

Yes.
> 
> > +	struct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);
> > +	bool writable;
> > +	hva_t hva;
> > +	int ret;
> > +
> > +	if (!IS_ALIGNED(gpa, len))
> > +		return -EINVAL;
> > +
> > +	hva = gfn_to_hva_memslot_prot(slot, gfn, &writable);
> > +	if (kvm_is_error_hva(hva))
> > +		return PGM_ADDRESSING;
> > +	/*
> > +	 * Check if it's a read-only memslot, even though that cannot occur
> > +	 * since those are unsupported.
> > +	 * Don't try to actually handle that case.
> > +	 */
> > +	if (!writable)
> > +		return -EOPNOTSUPP;
> > +
> > +	hva += offset_in_page(gpa);
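Review bot: len is used as the alignment in `IS_ALIGNED(gpa, len)` before anything has checked that it is a power of two; the only length check is the switch's default case, which runs after the memslot lookup. For an invalid len the result therefore depends on the address: the caller may get PGM_ADDRESSING or -EOPNOTSUPP instead of the documented -EINVAL. Suggest validating len (1, 2, 4, 8 or 16) at the top of the function, before the alignment test.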
> 
> Hmm if we don't use a macro to generate these then I'd add an explanation:
> 
> cmpxchg_user_key() is a macro that is dependent on the type of "old" so 
> there's no deduplication possible without further macros.

Can do.
Btw. I could move the other two statements out of the switch by using a union of old values,
memcmp and memcpy, but I think that would be less readable.

> 
> > +	switch (len) {
> > +	case 1: {
> > +		u8 old;
> > +
> > +		ret = cmpxchg_user_key((u8 *)hva, &old, *old_addr, new, access_key);
> > +		*success = !ret && old == *old_addr;
> > +		*old_addr = old;
> > +		break;
> > +	}
> > +	case 2: {
> > +		u16 old;
> > +
> > +		ret = cmpxchg_user_key((u16 *)hva, &old, *old_addr, new, access_key);
> > +		*success = !ret && old == *old_addr;
> > +		*old_addr = old;
> > +		break;
> > +	}
> > +	case 4: {
> > +		u32 old;
> > +
> > +		ret = cmpxchg_user_key((u32 *)hva, &old, *old_addr, new, access_key);
> > +		*success = !ret && old == *old_addr;
> > +		*old_addr = old;
> > +		break;
> > +	}
> > +	case 8: {
> > +		u64 old;
> > +
> > +		ret = cmpxchg_user_key((u64 *)hva, &old, *old_addr, new, access_key);
> > +		*success = !ret && old == *old_addr;
> > +		*old_addr = old;
> > +		break;
> > +	}
> > +	case 16: {
> > +		__uint128_t old;
> > +
> > +		ret = cmpxchg_user_key((__uint128_t *)hva, &old, *old_addr, new, access_key);
> > +		*success = !ret && old == *old_addr;
> > +		*old_addr = old;
> > +		break;
> > +	}
> > +	default:
> > +		return -EINVAL;
> > +	}
> > +	mark_page_dirty_in_slot(kvm, slot, gfn);
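Review bot: In the 1, 2, 4 and 8 byte cases, `old == *old_addr` compares the narrow old against the full __uint128_t, while the exchange itself works on len bytes. If the caller leaves bits above the operand width set in *old_addr, *success cannot become true; whether the store can still happen depends on how cmpxchg_user_key() narrows its argument, which is not visible here. Suggest truncating the expected value into a local of the operand type once and using that local for both the cmpxchg and the comparison, or documenting that the upper bits must be zero.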
> 
> Is that needed if we failed the store?

Indeed it isn't.

[...]
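The alternative mentioned in the reply above (a union of old values with a shared memcmp-based tail) can be sketched as a user-space model. This is an added example, not code from the patch or from anyone in the thread: `model_cmpxchg` and `union cmpxchg_val` are hypothetical names, GCC/Clang `__atomic` builtins stand in for cmpxchg_user_key(), storage keys are not modelled, and the 16-byte operand is left out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model (names are not from the patch). All members
 * start at offset 0, so the first len bytes are the active operand. */
union cmpxchg_val {
	uint8_t  b;
	uint16_t h;
	uint32_t w;
	uint64_t d;
};

#define CAS(ptr, exp, val) \
	__atomic_compare_exchange_n(ptr, exp, val, false, \
				    __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)

/* On return 0, *old holds the value found at addr before the attempt. */
int model_cmpxchg(void *addr, int len, union cmpxchg_val *old,
		  union cmpxchg_val new, bool *success)
{
	union cmpxchg_val expected = *old;

	*success = false;
	/* Reject bad lengths before len is used as an alignment. */
	if (len < 1 || len > 8 || (len & (len - 1)))
		return -EINVAL;
	if ((uintptr_t)addr & (uintptr_t)(len - 1))
		return -EINVAL;

	switch (len) {	/* only the typed atomic stays per-size */
	case 1: CAS((uint8_t *)addr, &old->b, new.b); break;
	case 2: CAS((uint16_t *)addr, &old->h, new.h); break;
	case 4: CAS((uint32_t *)addr, &old->w, new.w); break;
	case 8: CAS((uint64_t *)addr, &old->d, new.d); break;
	}
	/* Shared tail: compare exactly len bytes, never the full-width value. */
	*success = !memcmp(&expected, old, len);
	return 0;
}
```

Because the comparison covers only the first len bytes of the union, stale bytes beyond the operand in the caller's old value cannot turn a completed exchange into a reported failure.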
