[LINUX] Various fixes for mmapping I/O and foreign memory pages.

First, auto-translate guests can use remap_pfn_range() rather than direct_remap_pfn_range(). This actually works better because remap_pfn_range() can legitimately assert VM_PFNMAP (this patch removes this flag for direct_remap_pfn_range(). There are various cleanups and fixes to the privcmd interface: 1. VMAs should be searched and used under the mmap semaphore 2. Mapping should be single shot (since cirect_remap_pfn_range() expects the PTEs to be empty when it is called). 3. Demand-fault population of the privcmd vma should be disallowed. 4. Various others, including a more thorough check of input args. Signed-off-by: Keir Fraser <keir@xensource.com>
author: kfraser@localhost.localdomain <kfraser@localhost.localdomain> 2006-10-09 10:56:17 +0100
committer: kfraser@localhost.localdomain <kfraser@localhost.localdomain> 2006-10-09 10:56:17 +0100
commit: 507cd504b6adfc413996aa77bc854dc9879e2b9c (patch)
tree: e55a77d39db31dae23be5d8bd51dbecc65f0312a
parent: e30cc6aed69eabd142b640c7a15298e1850a655e (diff)
download: xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.tar.gz
xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.tar.bz2
xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.zip
3 files changed, 97 insertions, 69 deletions
diff --git a/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c b/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c
index 2fac26719c..640c74d67c 100644
--- a/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c
+++ b/linux-2.6-xen-sparse/arch/i386/mm/ioremap-xen.c
@@ -29,6 +29,8 @@ static int direct_remap_area_pte_fn(pte_t *pte,
 {
 	mmu_update_t **v = (mmu_update_t **)data;
 
+	BUG_ON(!pte_none(*pte));
+
 	(*v)->ptr = ((u64)pfn_to_mfn(page_to_pfn(pmd_page)) <<
 		     PAGE_SHIFT) | ((unsigned long)pte & ~PAGE_MASK);
 	(*v)++;
@@ -110,12 +112,14 @@ int direct_remap_pfn_range(struct vm_area_struct *vma,
 			   pgprot_t prot,
 			   domid_t  domid)
 {
-	/* Same as remap_pfn_range(). */
-	vma->vm_flags |= VM_IO | VM_RESERVED | VM_PFNMAP;
+	if (xen_feature(XENFEAT_auto_translated_physmap))
+		return remap_pfn_range(vma, address, mfn, size, prot);
 
 	if (domid == DOMID_SELF)
 		return -EINVAL;
 
+	vma->vm_flags |= VM_IO | VM_RESERVED;
+
 	vma->vm_mm->context.has_foreign_mappings = 1;
 
 	return __direct_remap_pfn_range(
diff --git a/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c b/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
index a1c4b6f68e..73153bc3ca 100644
--- a/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
+++ b/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
@@ -100,10 +100,12 @@ static int privcmd_ioctl(struct inode *inode, struct file *file,
 	break;
 
 	case IOCTL_PRIVCMD_MMAP: {
-#define PRIVCMD_MMAP_SZ 32
 		privcmd_mmap_t mmapcmd;
-		privcmd_mmap_entry_t msg[PRIVCMD_MMAP_SZ];
+		privcmd_mmap_entry_t msg;
 		privcmd_mmap_entry_t __user *p;
+		struct mm_struct *mm = current->mm;
+		struct vm_area_struct *vma;
+		unsigned long va;
 		int i, rc;
 
 		if (!is_initial_xendomain())
@@ -113,47 +115,62 @@ static int privcmd_ioctl(struct inode *inode, struct file *file,
 			return -EFAULT;
 
 		p = mmapcmd.entry;
+		if (copy_from_user(&msg, p, sizeof(msg)))
+			return -EFAULT;
 
-		for (i = 0; i < mmapcmd.num;
-		     i += PRIVCMD_MMAP_SZ, p += PRIVCMD_MMAP_SZ) {
-			int j, n = ((mmapcmd.num-i)>PRIVCMD_MMAP_SZ)?
-				PRIVCMD_MMAP_SZ:(mmapcmd.num-i);
-
-			if (copy_from_user(&msg, p,
-					   n*sizeof(privcmd_mmap_entry_t)))
-				return -EFAULT;
-     
-			for (j = 0; j < n; j++) {
-				struct vm_area_struct *vma = 
-					find_vma( current->mm, msg[j].va );
-
-				if (!vma)
-					return -EINVAL;
-
-				if (msg[j].va > PAGE_OFFSET)
-					return -EINVAL;
-
-				if ((msg[j].va + (msg[j].npages << PAGE_SHIFT))
-				    > vma->vm_end )
-					return -EINVAL;
-
-				if ((rc = direct_remap_pfn_range(
-					vma,
-					msg[j].va&PAGE_MASK, 
-					msg[j].mfn, 
-					msg[j].npages<<PAGE_SHIFT, 
-					vma->vm_page_prot,
-					mmapcmd.dom)) < 0)
-					return rc;
-			}
+		down_read(&mm->mmap_sem);
+
+		vma = find_vma(mm, msg.va);
+		rc = -EINVAL;
+		if (!vma || (msg.va != vma->vm_start) || vma->vm_private_data)
+			goto mmap_out;
+
+		/* Mapping is a one-shot operation per vma. */
+		vma->vm_private_data = (void *)1;
+
+		va = vma->vm_start;
+
+		for (i = 0; i < mmapcmd.num; i++, p++) {
+			rc = -EFAULT;
+			if (copy_from_user(&msg, p, sizeof(msg)))
+				goto mmap_out;
+
+			/* Do not allow range to wrap the address space. */
+			rc = -EINVAL;
+			if ((msg.npages > (INT_MAX >> PAGE_SHIFT)) ||
+			    ((unsigned long)(msg.npages << PAGE_SHIFT) >= -va))
+				goto mmap_out;
+
+			/* Range chunks must be contiguous in va space. */
+			if ((msg.va != va) ||
+			    ((msg.va+(msg.npages<<PAGE_SHIFT)) > vma->vm_end))
+				goto mmap_out;
+
+			if ((rc = direct_remap_pfn_range(
+				vma,
+				msg.va & PAGE_MASK, 
+				msg.mfn, 
+				msg.npages << PAGE_SHIFT, 
+				vma->vm_page_prot,
+				mmapcmd.dom)) < 0)
+				goto mmap_out;
+
+			p++;
+			va += msg.npages << PAGE_SHIFT;
 		}
-		ret = 0;
+
+		rc = 0;
+
+	mmap_out:
+		up_read(&mm->mmap_sem);
+		ret = rc;
 	}
 	break;
 
 	case IOCTL_PRIVCMD_MMAPBATCH: {
 		privcmd_mmapbatch_t m;
-		struct vm_area_struct *vma = NULL;
+		struct mm_struct *mm = current->mm;
+		struct vm_area_struct *vma;
 		xen_pfn_t __user *p;
 		unsigned long addr, mfn;
 		int i;
@@ -161,37 +178,33 @@ static int privcmd_ioctl(struct inode *inode, struct file *file,
 		if (!is_initial_xendomain())
 			return -EPERM;
 
-		if (copy_from_user(&m, udata, sizeof(m))) {
-			ret = -EFAULT;
-			goto batch_err;
-		}
+		if (copy_from_user(&m, udata, sizeof(m)))
+			return -EFAULT;
 
-		if (m.dom == DOMID_SELF) {
-			ret = -EINVAL;
-			goto batch_err;
-		}
+		if ((m.num <= 0) || (m.num > (INT_MAX >> PAGE_SHIFT)))
+			return -EINVAL;
 
-		vma = find_vma(current->mm, m.addr);
-		if (!vma) {
-			ret = -EINVAL;
-			goto batch_err;
-		}
+		down_read(&mm->mmap_sem);
 
-		if (m.addr > PAGE_OFFSET) {
-			ret = -EFAULT;
-			goto batch_err;
+		vma = find_vma(mm, m.addr);
+		if (!vma ||
+		    (m.addr != vma->vm_start) ||
+		    ((m.addr + (m.num<<PAGE_SHIFT)) != vma->vm_end) ||
+		    vma->vm_private_data) {
+			up_read(&mm->mmap_sem);
+			return -EINVAL;
 		}
 
-		if ((m.addr + (m.num<<PAGE_SHIFT)) > vma->vm_end) {
-			ret = -EFAULT;
-			goto batch_err;
-		}
+		/* Mapping is a one-shot operation per vma. */
+		vma->vm_private_data = (void *)1;
 
 		p = m.arr;
 		addr = m.addr;
 		for (i = 0; i < m.num; i++, addr += PAGE_SIZE, p++) {
-			if (get_user(mfn, p))
+			if (get_user(mfn, p)) {
+				up_read(&mm->mmap_sem);
 				return -EFAULT;
+			}
 
 			ret = direct_remap_pfn_range(vma, addr & PAGE_MASK,
 						     mfn, PAGE_SIZE,
@@ -200,15 +213,8 @@ static int privcmd_ioctl(struct inode *inode, struct file *file,
 				put_user(0xF0000000 | mfn, p);
 		}
 
+		up_read(&mm->mmap_sem);
 		ret = 0;
-		break;
-
-	batch_err:
-		printk("batch_err ret=%d vma=%p addr=%lx "
-		       "num=%d arr=%p %lx-%lx\n", 
-		       ret, vma, (unsigned long)m.addr, m.num, m.arr,
-		       vma ? vma->vm_start : 0, vma ? vma->vm_end : 0);
-		break;
 	}
 	break;
 
@@ -221,10 +227,27 @@ static int privcmd_ioctl(struct inode *inode, struct file *file,
 }
 
 #ifndef HAVE_ARCH_PRIVCMD_MMAP
+static struct page *privcmd_nopage(struct vm_area_struct *vma,
+				   unsigned long address,
+				   int *type)
+{
+	return NOPAGE_SIGBUS;
+}
+
+static struct vm_operations_struct privcmd_vm_ops = {
+	.nopage = privcmd_nopage
+};
+
 static int privcmd_mmap(struct file * file, struct vm_area_struct * vma)
 {
+	/* Unsupported for auto-translate guests. */
+	if (xen_feature(XENFEAT_auto_translated_physmap))
+		return -ENOSYS;
+
 	/* DONTCOPY is essential for Xen as copy_page_range is broken. */
 	vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
+	vma->vm_ops = &privcmd_vm_ops;
+	vma->vm_private_data = NULL;
 
 	return 0;
 }
diff --git a/linux-2.6-xen-sparse/mm/memory.c b/linux-2.6-xen-sparse/mm/memory.c
index 1a63339203..827a0a37a4 100644
--- a/linux-2.6-xen-sparse/mm/memory.c
+++ b/linux-2.6-xen-sparse/mm/memory.c
@@ -390,7 +390,7 @@ struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr, pte_
 
 	if (vma->vm_flags & VM_PFNMAP) {
 		unsigned long off = (addr - vma->vm_start) >> PAGE_SHIFT;
-		if ((pfn == vma->vm_pgoff + off) || !pfn_valid(pfn))
+		if (pfn == vma->vm_pgoff + off)
 			return NULL;
 		if (!is_cow_mapping(vma->vm_flags))
 			return NULL;
@@ -405,7 +405,8 @@ struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr, pte_
 	 * Remove this test eventually!
 	 */
 	if (unlikely(!pfn_valid(pfn))) {
-		print_bad_pte(vma, pte, addr);
+		if (!(vma->vm_flags & VM_RESERVED))
+			print_bad_pte(vma, pte, addr);
 		return NULL;
 	}
author	kfraser@localhost.localdomain <kfraser@localhost.localdomain>	2006-10-09 10:56:17 +0100
committer	kfraser@localhost.localdomain <kfraser@localhost.localdomain>	2006-10-09 10:56:17 +0100
commit	507cd504b6adfc413996aa77bc854dc9879e2b9c (patch)
tree	e55a77d39db31dae23be5d8bd51dbecc65f0312a
parent	e30cc6aed69eabd142b640c7a15298e1850a655e (diff)
download	xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.tar.gz xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.tar.bz2 xen-507cd504b6adfc413996aa77bc854dc9879e2b9c.zip