Xen project Mailing List

Re: [Xen-devel] [PATCH v2 5/6] x86/smp: use a dedicated scratch cpumask in send_IPI_mask

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 18 Feb 2020 15:43:00 +0100

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=roger.pau@xxxxxxxxxx; spf=Pass smtp.mailfrom=roger.pau@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Wei Liu <wl@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Sander Eikelenboom <linux@xxxxxxxxxxxxxx>

Delivery-date: Tue, 18 Feb 2020 14:43:13 +0000

Ironport-sdr: jbw9lTlNEJ36pxlvY8/BebDCqgnlcguPrHH37JoSbReCBlXZ/zLohIC7Udug2OJvgAV4ZbvRoW W/neBG7TAIq54TkhAl931/OHX6S9OaE+Q8JBp/LsXXQ/8DwqkMDLZdtx0kq+3uY2oPHBR2W+hL sywLVzrpbxBId86hPA/Kpx/LugysBgEuK7Zjje14BzHhdrbU5Q+c7RnoniuYFy/cMtWGGFF39a R+4krLyQwAYQdRraHLH+zapFLCQltVvlwaZi10SjonY3DcIZoGO/WS7IW/7TFEzRIvrSmZzLL2 GOg=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Feb 18, 2020 at 01:29:56PM +0000, Andrew Cooper wrote: > On 18/02/2020 11:46, Roger Pau Monné wrote: > > On Tue, Feb 18, 2020 at 11:35:37AM +0000, Andrew Cooper wrote: > >> > >> On 18/02/2020 11:22, Roger Pau Monné wrote: > >>> On Tue, Feb 18, 2020 at 11:21:12AM +0000, Andrew Cooper wrote: > >>>> On 18/02/2020 11:10, Roger Pau Monné wrote: > >>>>> On Tue, Feb 18, 2020 at 10:53:45AM +0000, Andrew Cooper wrote: > >>>>>> On 17/02/2020 18:43, Roger Pau Monne wrote: > >>>>>>> @@ -67,7 +68,20 @@ static void send_IPI_shortcut(unsigned int > >>>>>>> shortcut, int vector, > >>>>>>> void send_IPI_mask(const cpumask_t *mask, int vector) > >>>>>>> { > >>>>>>> bool cpus_locked = false; > >>>>>>> - cpumask_t *scratch = this_cpu(scratch_cpumask); > >>>>>>> + cpumask_t *scratch = this_cpu(send_ipi_cpumask); > >>>>>>> + unsigned long flags; > >>>>>>> + > >>>>>>> + if ( in_mc() || in_nmi() ) > >>>>>>> + { > >>>>>>> + /* > >>>>>>> + * When in #MC or #MNI context Xen cannot use the per-CPU > >>>>>>> scratch mask > >>>>>>> + * because we have no way to avoid reentry, so do not use > >>>>>>> the APIC > >>>>>>> + * shorthand. > >>>>>>> + */ > >>>>>>> + alternative_vcall(genapic.send_IPI_mask, mask, vector); > >>>>>>> + return; > >>>>>> The set of things you can safely do in an NMI/MCE handler is small, and > >>>>>> does not include sending IPIs. (In reality, if you're using x2apic, it > >>>>>> is safe to send an IPI because there is no risk of clobbering ICR2 > >>>>>> behind your outer context's back). > >>>>>> > >>>>>> However, if we escalate from NMI/MCE context into crash context, then > >>>>>> anything goes. In reality, we only ever send NMIs from the crash path, > >>>>>> and that is not permitted to use a shorthand, making this code dead. > >>>>> This was requested by Jan, as safety measure > >>>> That may be, but it doesn't mean it is correct. If execution ever > >>>> enters this function in NMI/MCE context, there is a real, > >>>> state-corrupting bug, higher up the call stack. > >>> Ack, then I guess we should just BUG() here if ever called from #NMI > >>> or #MC context? > >> Well. There is a reason I suggested removing it, and not using BUG(). > >> > >> If NMI/MCE context escalates to crash context, we do need to send NMIs. > >> It won't be this function specifically, but it will be part of the > >> general IPI infrastructure. > >> > >> We definitely don't want to get into the game of trying to clobber each > >> of the state variables, so the only thing throwing BUG()'s around in > >> this area will do is make the crash path more fragile. > > I see, panicking in such context will just clobber the previous crash > > happened in NMI/MC context. > > > > So you would rather keep the current version of falling back to the > > usage of the non-shorthand IPI sending routine instead of panicking? > > > > What about: > > > > if ( in_mc() || in_nmi() ) > > { > > /* > > * When in #MC or #MNI context Xen cannot use the per-CPU scratch mask > > * because we have no way to avoid reentry, so do not use the APIC > > * shorthand. The only IPI that should be sent from such context > > * is a #NMI to shutdown the system in case of a crash. > > */ > > if ( vector == APIC_DM_NMI ) > > alternative_vcall(genapic.send_IPI_mask, mask, vector); > > else > > BUG(); > > > > return; > > } > > How do you intent to test it? > > It might be correct now[*] but it doesn't protect against someone > modifying code, violating the constraint, and this going unnoticed > because the above codepath will only be entered in exceptional > circumstances. Sods law says that code inside that block is first going > to be tested in a customer environment. > > ASSERT()s would be less bad, but any technical countermeasures, however > well intentioned, get in the way of the crash path functioning when it > matters most. OK, so what about: if ( in_mc() || in_nmi() ) { bool x2apic = current_local_apic_mode() == APIC_MODE_X2APIC; unsigned int icr2; /* * When in #MC or #MNI context Xen cannot use the per-CPU scratch mask * because we have no way to avoid reentry, so do not use the APIC * shorthand. The only IPI that should be sent from such context * is a #NMI to shutdown the system in case of a crash. */ ASSERT(vector == APIC_DM_NMI); if ( !x2apic ) icr2 = apic_read(APIC_ICR2); alternative_vcall(genapic.send_IPI_mask, mask, vector); if ( !x2apic ) apic_write(APIC_ICR2, icr2); return; } I'm unsure as to whether the assert is actually helpful, but would like to settle this before sending a new version. Thanks, Roger. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.