xsm/flask: remove page-to-domain lookups from XSM hooks

Doing a reverse lookup from MFN to its owning domain is redundant with
the internal checks Xen does on pages. Change the checks to operate
directly on the domain owning the pages for normal memory; MMIO areas
are still checked with security_iomem_sid.

This fixes a hypervisor crash when a domU attempts to map an MFN that
is free in Xen's heap: the XSM hook is called before the validity
check, and page_get_owner returns garbage when called on these
pages. While explicitly checking for such pages using
page_get_owner_and_reference is a possible solution, this ends up
duplicating parts of get_page_from_l1e.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 5d35342251..4836fc0f67 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -243,7 +243,7 @@ static int dummy_schedop_shutdown (struct domain *d1, struct domain *d2)
     return 0;
 }
 
-static int dummy_memory_pin_page(struct domain *d, struct page_info *page)
+static int dummy_memory_pin_page(struct domain *d1, struct domain *d2, struct page_info *page)
 {
     return 0;
 }
@@ -418,7 +418,7 @@ static int dummy_shadow_control (struct domain *d, uint32_t op)
     return 0;
 }
 
-static int dummy_getpageframeinfo (struct page_info *page)
+static int dummy_getpageframeinfo (struct domain *d)
 {
     return 0;
 }
@@ -554,7 +554,7 @@ static int dummy_mmu_normal_update (struct domain *d, struct domain *t,
     return 0;
 }
 
-static int dummy_mmu_machphys_update (struct domain *d, unsigned long mfn)
+static int dummy_mmu_machphys_update (struct domain *d, struct domain *f, unsigned long mfn)
 {
     return 0;
 }