Xen project Mailing List

Re: [PATCH 1/2] xen/arm: Convert runstate address during hypcall

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>

From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

Date: Fri, 12 Jun 2020 08:13:33 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jmuVIUdtNApXqzcE2Mpd2ddkUfC/c6IBk8nU/VC/09k=; b=iYJN72fX3EoC8w6+kvcHcvTG15pNG/xcdxV1es7GhbFvlUn8bSW/vN5XZSkpatO2kgpW9DpBh2KvWK0HGXFycvL07pknVCqekdq2wcfG/q7PLl3NkSKwDT2liOBUFKzH52gzlvMO9VQr4K8wmspwky34Y39FjREYZXEqTMjaXt1bIwq2bdTuPtXXVB57B3xRz+DJFE7+jLLL+NPEtSV5iL3TEeMaWQYNdRbZYqBkC4Ct2scbhKhC+V2KMYC+KCS2yI54v0n/TN/+I3AKnKQODCEThrnA3FQm90cFX2M8HPKFnbo2Lzy09C9OEcm0mEJlzwE5RwdDWM1fMWsGuQzFiw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CADSmU/zxgAyW9gxqbMoiQueWxWm0pPp6FRx+uO3eX586YniTh1HoN1b36U2j7ioYUT1/6/j2Ckx2eSp8HUAusdyFe70yqAFbGOiGPPhOG5vsU6fbtYHcsbutIYOjlFFISVNilEWsSPZyEqS2998VwPuf7woL4OA7hVGVuxhm/BN+2SArqvhQITtFtO8FLBOsDxhwiGlOZ0qbLWxnRaCZt+xykhademe1w/O4hVtlay0R3zAnzONcJlVPKWDnyQz+eJ+4yZQAYTLD4Z6+94BOnOICOWMJnIdcZA1u65jiVJIspSzKevOwNoR7Fy4vR1O1gx06g4HxxD3biCFO/T2vQ==

Authentication-results-original: kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=none action=none header.from=arm.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, nd <nd@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Julien Grall <julien.grall.oss@xxxxxxxxx>

Delivery-date: Fri, 12 Jun 2020 08:13:49 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Original-authentication-results: kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=none action=none header.from=arm.com;

Thread-index: AQHWP+e0l1aGgjLKI0+XFOOVnv/iZKjTuR6AgAACMICAAActAIAADWwAgABcfQCAAHaFAA==

Thread-topic: [PATCH 1/2] xen/arm: Convert runstate address during hypcall

> On 12 Jun 2020, at 02:09, Stefano Stabellini <sstabellini@xxxxxxxxxx> wrote: > > On Thu, 11 Jun 2020, Julien Grall wrote: >> Hi Stefano, >> >> On 11/06/2020 19:50, Stefano Stabellini wrote: >>> On Thu, 11 Jun 2020, Julien Grall wrote: >>>>>> + return -EINVAL; >>>>>> } >>>>>> >>>>>> - __copy_to_guest(runstate_guest(v), &runstate, 1); >>>>>> + v->arch.runstate_guest.page = page; >>>>>> + v->arch.runstate_guest.offset = offset; >>>>>> + >>>>>> + spin_unlock(&v->arch.runstate_guest.lock); >>>>>> + >>>>>> + return 0; >>>>>> +} >>>>>> + >>>>>> + >>>>>> +/* Update per-VCPU guest runstate shared memory area (if registered). >>>>>> */ >>>>>> +static void update_runstate_area(struct vcpu *v) >>>>>> +{ >>>>>> + struct vcpu_runstate_info *guest_runstate; >>>>>> + void *p; >>>>>> + >>>>>> + spin_lock(&v->arch.runstate_guest.lock); >>>>>> >>>>>> - if ( guest_handle ) >>>>>> + if ( v->arch.runstate_guest.page ) >>>>>> { >>>>>> - runstate.state_entry_time &= ~XEN_RUNSTATE_UPDATE; >>>>>> + p = __map_domain_page(v->arch.runstate_guest.page); >>>>>> + guest_runstate = p + v->arch.runstate_guest.offset; >>>>>> + >>>>>> + if ( VM_ASSIST(v->domain, runstate_update_flag) ) >>>>>> + { >>>>>> + v->runstate.state_entry_time |= XEN_RUNSTATE_UPDATE; >>>>>> + guest_runstate->state_entry_time |= XEN_RUNSTATE_UPDATE; >>>>> >>>>> I think that this write to guest_runstate should use write_atomic or >>>>> another atomic write operation. >>>> >>>> I thought about suggesting the same, but guest_copy_* helpers may not >>>> do a single memory write to state_entry_time. >>>> What are you trying to prevent with the write_atomic()? >>> >>> I am thinking that without using an atomic write, it would be (at least >>> theoretically) possible for a guest to see a partial write to >>> state_entry_time, which is not good. >> >> It is already the case with existing implementation as Xen may write byte by >> byte. So are you suggesting the existing code is also buggy? > > Writing byte by byte is a different case. That is OK. In that case, the > guest could see the state after 3 bytes written and it would be fine and > consistent. If this hadn't been the case, then yes, the existing code > would also be buggy. > > So if we did the write with a memcpy, it would be fine, no need for > atomics: > > memcpy(&guest_runstate->state_entry_time, > &v->runstate.state_entry_time, > XXX); > > > The |= case is different: GCC could implement it in any way it likes, > including going through a zero-write to any of the bytes in the word, or > doing an addition then a subtraction. GCC doesn't make any guarantees. > If we want guarantees we need to use atomics. Wouldn’t that require all accesses to state_entry_time to use also atomic operations ? In this case we could not propagate the changes to a guest without changing the interface itself. As the copy time needs to be protected, the write barriers are there to make sure that during the copy the bit is set and that when we unset it, the copy is done. I added for this purpose a barrier after the memcpy to make sure that when/if we unset the bit the copy has already been done. Cheers Bertrand

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.