Re: [Xen-devel] [PATCH v5 08/22] xen/arm: ITS: Add virtual ITS commands support
Hi Vijay,
On 27/07/15 12:11, vijay.kilari@xxxxxxxxx wrote:
> From: Vijaya Kumar K <Vijaya.Kumar@xxxxxxxxxxxxxxxxxx>
>
> Add Virtual ITS command processing support to Virtual ITS driver
>
> Signed-off-by: Vijaya Kumar K <Vijaya.Kumar@xxxxxxxxxxxxxxxxxx>
> ---
> v5: - Rename vgic_its_*() to vits_*()
The changelog seems very small compared to the amount of discussion we
had on v4.
> v4: - Use helper function to read from command queue
> - Add MOVALL
> - Removed check for entry in device in domain RB-tree
> ---
> xen/arch/arm/vgic-v3-its.c | 392
> +++++++++++++++++++++++++++++++++++++++++
> xen/include/asm-arm/gic-its.h | 13 ++
> 2 files changed, 405 insertions(+)
>
> diff --git a/xen/arch/arm/vgic-v3-its.c b/xen/arch/arm/vgic-v3-its.c
> index 60f8332..dfa3435 100644
> --- a/xen/arch/arm/vgic-v3-its.c
> +++ b/xen/arch/arm/vgic-v3-its.c
> @@ -30,8 +30,27 @@
> #include <asm/gic.h>
> #include <asm/vgic.h>
> #include <asm/gic-its.h>
> +#include <asm/atomic.h>
> #include <xen/log2.h>
>
> +#define DEBUG_ITS
As said on v4, you should directly do "// #define DEBUG_ITS" rather than
changing this line again in patch #10.
> +
> +#ifdef DEBUG_ITS
> +# define DPRINTK(fmt, args...) dprintk(XENLOG_DEBUG, fmt, ##args)
> +#else
> +# define DPRINTK(fmt, args...) do {} while ( 0 )
> +#endif
> +
> +#ifdef DEBUG_ITS
> +static void dump_cmd(its_cmd_block *cmd)
> +{
> + printk("VITS:CMD[0] = 0x%lx CMD[1] = 0x%lx CMD[2] = 0x%lx CMD[3] =
> 0x%lx\n",
> + cmd->bits[0], cmd->bits[1], cmd->bits[2], cmd->bits[3]);
> +}
> +#else
> +static void dump_cmd(its_cmd_block *cmd) { do {} while ( 0 ); }
The do {} while (0) is not necessary here.
> +#endif
[..]
> +static int vits_process_mapvi(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + struct vitt entry;
> + struct domain *d = v->domain;
> + uint8_t vcol_id, cmd;
> + uint32_t vid, dev_id, event;
> +
> + vcol_id = virt_cmd->mapvi.col;
> + vid = virt_cmd->mapvi.phy_id;
> + cmd = virt_cmd->mapvi.cmd;
> + dev_id = virt_cmd->mapvi.devid;
> +
> + DPRINTK("%pv: vITS: MAPVI: dev 0x%"PRIx32" vcol %"PRId32" vid
> %"PRId32"\n",
You are using the wrong PRI* for vcol. It's a uint8_t, not an int32_t. If
PRIu8 doesn't exist, please introduce it.
I'm sure I will miss some in all the patches. Please review all the
PRId32 you added and use the correct one.
[..]
> +static int vits_process_movi(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + struct vitt entry;
> + struct domain *d = v->domain;
> + uint32_t dev_id, event;
> + uint8_t vcol_id;
> +
> + vcol_id = virt_cmd->movi.col;
> + event = virt_cmd->movi.event;
> + dev_id = virt_cmd->movi.devid;
> +
> + DPRINTK("%pv vITS: MOVI: dev_id 0x%"PRIx32" vcol %"PRId32" event
> %"PRId32"\n",
vcol PRIu8
event PRIu32
[..]
> +static int vits_process_clear(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + /* Ignored */
> + DPRINTK("%pv: vITS: CLEAR: dev_id 0x%"PRIx32" id %"PRId32"\n",
id PRIu32
> + v, virt_cmd->clear.devid, virt_cmd->clear.event);
> +
> + return 0;
> +}
> +
> +static int vits_process_invall(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + /* Ignored */
> + DPRINTK("%pv: vITS: INVALL: vCID %"PRId32"\n", v, virt_cmd->invall.col);
vCID PRIu8
> +
> + return 0;
> +}
> +
> +static int vits_process_int(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + uint32_t event, dev_id ;
> +
> + event = virt_cmd->int_cmd.cmd;
> + dev_id = virt_cmd->int_cmd.devid;
> +
> + DPRINTK("%pv: vITS: INT: Device 0x%"PRIx32" id %"PRId32"\n",
id PRIu32
> + v, dev_id, event);
> +
> + /* TODO: Inject LPI */
Done in a follow-up patch I guess?
> +
> + return 0;
> +}
> +
> +static int vits_add_device(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + struct domain *d = v->domain;
> + struct vdevice_table dt_entry;
> + uint32_t dev_id = virt_cmd->mapd.devid;
> +
> + DPRINTK("%pv: vITS:Add dev 0x%"PRIx32" ipa = 0x%"PRIx64" size
> %"PRId32"\n",
size PRIu32
[..]
> +static int vits_process_mapc(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + uint8_t vcol_id;
> + uint64_t vta = 0;
> +
> + vcol_id = virt_cmd->mapc.col;
> + vta = virt_cmd->mapc.ta;
> +
> + DPRINTK("%pv: vITS: MAPC: vCID %"PRId32" vTA 0x%"PRIx64" valid
> %"PRId32"\n",
> + v, vcol_id, vta, virt_cmd->mapc.valid);
> +
On v4, I only asked for the check on vta to be done only when mapc.valid = 1.
The check on the collection ID should not have been dropped. Without it, a
malicious guest can provide an invalid collection ID, which will result
in an access outside the array and may crash Xen.
So please re-add this check.
[..]
> +static int vits_read_virt_cmd(struct vcpu *v, struct vgic_its *vits,
> + its_cmd_block *virt_cmd)
> +{
> + paddr_t maddr;
> + struct domain *d = v->domain;
> + int ret;
> +
> + ASSERT(spin_is_locked(&vits->lock));
> +
> + if ( !(vits->cmd_base & GITS_CBASER_VALID) )
> + {
> + dprintk(XENLOG_G_ERR, "%pv: vITS: Invalid CBASER\n", v);
> + return 0;
> + }
> +
> + /* CMD Q can be more than 1 page. Map only page that is required */
"Map only the page..."
> + maddr = (vits->cmd_base & MASK_4K) + atomic_read(&vits->cmd_read);
> +
> + DPRINTK("%pv: vITS: Mapping CMD Q maddr 0x%"PRIx64" read 0x%"PRIx32"\n",
> + v, maddr, atomic_read(&vits->cmd_read));
> +
> + ret = vits_access_guest_table(d, maddr, (void *)virt_cmd,
> + sizeof(its_cmd_block), 0);
> + if ( ret )
> + {
> + dprintk(XENLOG_G_ERR,
> + "%pv: vITS: Failed to get command page @page 0x%"PRIx32"\n",
> + v, atomic_read(&vits->cmd_read));
> + return -EINVAL;
> + }
> +
> + /* No command queue is created by vits to check on Q full */
> + atomic_add(sizeof(its_cmd_block), &vits->cmd_read);
> + if ( atomic_read(&vits->cmd_read) == vits->cmd_qsize )
> + {
> + DPRINTK("%pv: vITS: Reset read @ 0x%"PRIx32" qsize 0x%"PRIx64"\n",
> + v, atomic_read(&vits->cmd_read), vits->cmd_qsize);
> +
> + atomic_set(&vits->cmd_read, 0);
> + }
> +
> + return 0;
> +}
> +
> +int vits_process_cmd(struct vcpu *v, struct vgic_its *vits)
Either make it static, if it is not used outside this file, or add the
declaration to the header.
> +{
> + its_cmd_block virt_cmd;
> +
> + ASSERT(spin_is_locked(&vits->lock));
> +
> + do {
> + if ( vits_read_virt_cmd(v, vits, &virt_cmd) )
> + goto err;
> + if ( vits_parse_its_command(v, vits, &virt_cmd) )
> + goto err;
> + } while ( vits->cmd_write != atomic_read(&vits->cmd_read) );
> +
> + DPRINTK("%pv: vITS: read @ 0x%"PRIx32" write @ 0x%"PRIx64"\n",
> + v, atomic_read(&vits->cmd_read),
> + vits->cmd_write);
> +
> + return 1;
> +err:
> + dprintk(XENLOG_G_ERR, "%pv: vITS: Failed to process guest cmd\n", v);
> + domain_crash_synchronous();
> +
> + return 0;
> +}
> +
> +int vits_domain_init(struct domain *d)
Ditto.
> +{
> + struct vgic_its *vits;
> + int i;
> +
> + d->arch.vgic.vits = xzalloc(struct vgic_its);
> + if ( !d->arch.vgic.vits )
> + return -ENOMEM;
> +
> + vits = d->arch.vgic.vits;
> +
> + spin_lock_init(&vits->lock);
> +
> + vits->collections = xzalloc_array(struct its_collection, nr_cpu_ids);
The number of collections for a domain is based on the number of VCPUs
it owns (see d->max_vcpus).
Furthermore, you are allocating too few collections; the number of
collections should be at least max_vcpus + 1.
You've introduced vits_get_max_collections in a later patch (see #10).
Please use it here.
> + if ( !vits->collections )
> + {
> + xfree(d->arch.vgic.vits);
> + return -ENOMEM;
It's not necessary to take care of freeing what you allocated here. When a
domain is destroyed, domain_vgic_free will be called to free
everything correctly.
Although that means that you need to introduce a vits_domain_free, which
is mandatory in any case. I'd like to see it within this patch.
> + }
> +
> + for ( i = 0; i < nr_cpu_ids; i++ )
> + vits->collections[i].target_address = ~0UL;
> +
> + return 0;
> +}
> +
> /*
> * Local variables:
> * mode: C
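Review bot: In vits_read_virt_cmd the invalid-CBASER path does `return 0`, which vits_process_cmd treats as success, so vits_parse_its_command then runs on the uninitialised stack copy of `virt_cmd`; that path should report failure, e.g. `return -EINVAL;`, or the caller should skip parsing. The do/while in vits_process_cmd also ends only when `vits->cmd_write` equals the read offset exactly, and the wrap test is `== vits->cmd_qsize`. If the GITS_CWRITER and GITS_CBASER emulation (not visible in this hunk) does not force both values to be in range and a multiple of `sizeof(its_cmd_block)`, a guest-written value could keep the loop running with vits->lock held. Wrapping with `>=` and rejecting an out-of-range or misaligned cmd_write before entering the loop would make termination independent of guest input.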
> diff --git a/xen/include/asm-arm/gic-its.h b/xen/include/asm-arm/gic-its.h
> index 66be53a..cdb786c 100644
> --- a/xen/include/asm-arm/gic-its.h
> +++ b/xen/include/asm-arm/gic-its.h
> @@ -21,6 +21,8 @@
> #include <asm/gic_v3_defs.h>
> #include <xen/rbtree.h>
>
> +#define MASK_4K 0xfffffffff000UL
If you name the macro MASK_4K, it should go in xen/sizes.h and not in
gic-its.h. Although on v4 [1], Ian suggested renaming it to
GITS_CBASER_PA_MASK, which IMHO would be better.
Regards,
Regards,
[1] http://lists.xen.org/archives/html/xen-devel/2015-07/msg03032.html
--
Julien Grall