
Re: [PATCH v4 02/11] vpci: cancel pending map/unmap on vpci removal




On 18.11.21 11:15, Jan Beulich wrote:
> On 18.11.2021 09:54, Oleksandr Andrushchenko wrote:
>> On 18.11.21 10:36, Jan Beulich wrote:
>>> On 18.11.2021 08:49, Oleksandr Andrushchenko wrote:
>>>> On 17.11.21 10:28, Jan Beulich wrote:
>>>>> On 05.11.2021 07:56, Oleksandr Andrushchenko wrote:
>>>>>> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>
>>>>>>
>>>>>> When vPCI is removed for a PCI device, it is possible that we
>>>>>> have already scheduled deferred work for map/unmap operations on
>>>>>> that device. For example, the following scenario illustrates the
>>>>>> problem:
>>>>>>
>>>>>> pci_physdev_op
>>>>>>       pci_add_device
>>>>>>           init_bars -> modify_bars -> defer_map -> raise_softirq(SCHEDULE_SOFTIRQ)
>>>>>>       iommu_add_device <- FAILS
>>>>>>       vpci_remove_device -> xfree(pdev->vpci)
>>>>>>
>>>>>> leave_hypervisor_to_guest
>>>>>>       vpci_process_pending: v->vpci.mem != NULL; v->vpci.pdev->vpci == NULL
>>>>>>
>>>>>> For the hardware domain we continue execution, as the worst that
>>>>>> could happen is that MMIO mappings are left in place when the
>>>>>> device has been deassigned.
>>>>>>
>>>>>> For unprivileged domains that get a failure in the middle of a vPCI
>>>>>> {un}map operation we need to destroy them, as we don't know what
>>>>>> state the p2m is in. This can only happen in vpci_process_pending
>>>>>> for DomUs, as they won't be allowed to call pci_add_device.
>>>>>>
>>>>>> Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>
>>>>> Thinking about it some more, I'm not convinced any of this is really
>>>>> needed in the presented form.
>>>> The intention of this patch was to handle abnormal error conditions,
>>>> e.g. when iommu_add_device fails while we are in the middle of
>>>> initialization. So, I am trying to cancel any pending work which
>>>> might already be scheduled, rather than crash.
>>> Only Dom0 may be able to prematurely access the device during "add".
>>> Yet unlike for DomU-s we generally expect Dom0 to be well-behaved.
>>> Hence I'm not sure I see the need for dealing with these.
>> Probably I don't follow you here. The issue I am facing is Dom0
>> related: Xen was not able to initialize the device during "add" and
>> thus wanted to clean up the leftovers. As a result, the already
>> scheduled work crashes, as it was neither canceled nor interrupted
>> in some safe manner. So this sounds like something we need to take
>> care of, hence this patch.
> But my point was the question of why there would be any pending work
> in the first place in this case, when we expect Dom0 to be well-behaved.
I am not saying Dom0 misbehaves here. This is my real use-case
(as in the commit message):

pci_physdev_op
      pci_add_device
          init_bars -> modify_bars -> defer_map -> raise_softirq(SCHEDULE_SOFTIRQ)
      iommu_add_device <- FAILS
      vpci_remove_device -> xfree(pdev->vpci)

leave_hypervisor_to_guest
      vpci_process_pending: v->vpci.mem != NULL; v->vpci.pdev->vpci == NULL

So, this made me implement the patch. Then it was pointed out that
other vCPUs may also have pending work for the device; I agreed that
this is a good point, so we want to remove the pending work for all
vCPUs of the domain.
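
Concretely, the cancellation I have in mind is along these lines (a
simplified sketch only: the helper name vpci_cancel_pending is used
here for illustration, and synchronizing with a vCPU that is currently
inside vpci_process_pending() is deliberately left out):

/*
 * Sketch: drop deferred BAR map/unmap work for pdev on every vCPU of
 * its domain, so that vpci_process_pending() can never run against a
 * pdev->vpci which vpci_remove_device() has already freed.
 */
void vpci_cancel_pending(const struct pci_dev *pdev)
{
    struct vcpu *v;

    for_each_vcpu ( pdev->domain, v )
        if ( v->vpci.mem && v->vpci.pdev == pdev )
        {
            /* Discard the rangeset holding the pending {un}map ranges. */
            rangeset_destroy(v->vpci.mem);
            v->vpci.mem = NULL;
        }
}

vpci_remove_device() would then call this right before xfree(pdev->vpci).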

So, if you doubt the patch while we still have the scenario above, what
would you suggest to make sure we do not crash?
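
For reference, the guard at the crash site would look roughly as below
(again only a sketch; destroying DomUs on such a failure, as per the
commit message, is omitted):

bool vpci_process_pending(struct vcpu *v)
{
    if ( v->vpci.mem )
    {
        /*
         * vpci_remove_device() may have freed pdev->vpci while this
         * work was still pending: drop the work instead of
         * dereferencing the stale state.
         */
        if ( !v->vpci.pdev->vpci )
        {
            rangeset_destroy(v->vpci.mem);
            v->vpci.mem = NULL;
            return false;
        }

        /* ... normal processing of the pending {un}map ranges ... */
    }

    return false;
}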
> Jan
>
Thank you,
Oleksandr