[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v4 2/2] arm: proper ordering for correct execution of gic_update_one_lr and vgic_store_itargetsr

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Thu, 16 Feb 2017 19:36:59 +0000
Cc: nd@xxxxxxx
Delivery-date: Thu, 16 Feb 2017 19:37:16 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>
Nodisclaimer: True
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

Hi Stefano,

On 11/02/17 02:05, Stefano Stabellini wrote:

Concurrent execution of gic_update_one_lr and vgic_store_itargetsr can
result in the wrong pcpu being set as irq target, see
http://marc.info/?l=xen-devel&m=148218667104072.

To solve the issue, add barriers, remove an irq from the inflight
queue, only after the affinity has been set. On the other end, write the
new vcpu target, before checking GIC_IRQ_GUEST_MIGRATING and inflight.

Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 xen/arch/arm/gic.c     | 3 ++-
 xen/arch/arm/vgic-v2.c | 4 ++--
 xen/arch/arm/vgic-v3.c | 4 +++-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index a5348f2..bb52959 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -503,12 +503,13 @@ static void gic_update_one_lr(struct vcpu *v, int i)
              !test_bit(GIC_IRQ_GUEST_MIGRATING, &p->status) )
             gic_raise_guest_irq(v, irq, p->priority);
         else {
-            list_del_init(&p->inflight);
             if ( test_and_clear_bit(GIC_IRQ_GUEST_MIGRATING, &p->status) )
             {
                 struct vcpu *v_target = vgic_get_target_vcpu(v, irq);
                 irq_set_affinity(p->desc, cpumask_of(v_target->processor));
             }
+            smp_mb();
+            list_del_init(&p->inflight);

I don't understand why you remove from the inflight list afterwards. Ifyou do that you introduce that same problem as discussed in

<7a78c859-fa6f-ba10-b574-d8edd46ea934@xxxxxxx>

As long as the interrupt is routed to the pCPU runninggic_update_one_lr, the interrupt cannot fired because the interrupts aremasked. However, as soon as irq_set_affinity is called the interrupt mayfire on the other pCPU.

However, list_del_init is not atomic and not protected by any lock. Sovgic_vcpu_inject_irq may see a corrupted version of {p,n}->inflight.


Did I miss anything?

Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v4 2/2] arm: proper ordering for correct execution of gic_update_one_lr and vgic_store_itargetsr
  - From: Stefano Stabellini

References:
- [Xen-devel] [PATCH v4 1/2] arm: read/write rank->vcpu atomically
  - From: Stefano Stabellini
- [Xen-devel] [PATCH v4 2/2] arm: proper ordering for correct execution of gic_update_one_lr and vgic_store_itargetsr
  - From: Stefano Stabellini

Prev by Date: Re: [Xen-devel] [PATCH 1/3] fuzz/x86emul: avoid race in link farm rune
Next by Date: [Xen-devel] [xen-unstable test] 105840: tolerable FAIL - PUSHED
Previous by thread: Re: [Xen-devel] [PATCH v4 2/2] arm: proper ordering for correct execution of gic_update_one_lr and vgic_store_itargetsr
Next by thread: Re: [Xen-devel] [PATCH v4 2/2] arm: proper ordering for correct execution of gic_update_one_lr and vgic_store_itargetsr
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.