Xen project Mailing List

Re: [Xen-devel] Rats nest with domain pirq initialisation

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 5 Sep 2018 13:39:18 +0100

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 05 Sep 2018 12:40:07 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 05/09/18 13:25, Jan Beulich wrote: >>>> On 05.09.18 at 14:04, <andrew.cooper3@xxxxxxxxxx> wrote: >> On 05/09/18 08:24, Jan Beulich wrote: >>>>>> On 04.09.18 at 20:44, <andrew.cooper3@xxxxxxxxxx> wrote: >>>> On 13/08/18 11:01, Andrew Cooper wrote: >>>>> This is in preparation to set up d->max_cpus and d->vcpu[] in >>>>> domain_create(), >>>>> and allow later parts of domain construction to have access to the values. >>>>> >>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >>>>> --- >>>>> CC: Jan Beulich <JBeulich@xxxxxxxx> >>>>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> >>>>> CC: Julien Grall <julien.grall@xxxxxxx> >>>>> CC: Wei Liu <wei.liu2@xxxxxxxxxx> >>>>> --- >>>>> xen/common/domain.c | 34 +++++++++++++++++----------------- >>>>> 1 file changed, 17 insertions(+), 17 deletions(-) >>>>> >>>>> diff --git a/xen/common/domain.c b/xen/common/domain.c >>>>> index be51426..0c44f27 100644 >>>>> --- a/xen/common/domain.c >>>>> +++ b/xen/common/domain.c >>>>> @@ -322,6 +322,23 @@ struct domain *domain_create(domid_t domid, >>>>> else >>>>> d->guest_type = guest_type_pv; >>>>> >>>>> + if ( !is_hardware_domain(d) ) >>>>> + d->nr_pirqs = nr_static_irqs + extra_domU_irqs; >>>>> + else >>>>> + d->nr_pirqs = extra_hwdom_irqs ? nr_static_irqs + >> extra_hwdom_irqs >>>>> + : arch_hwdom_irqs(domid); >>>>> + if ( d->nr_pirqs > nr_irqs ) >>>>> + d->nr_pirqs = nr_irqs; >>>>> + >>>>> + radix_tree_init(&d->pirq_tree); >>>>> + } >>>>> + >>>>> + if ( (err = arch_domain_create(d, config)) != 0 ) >>>>> + goto fail; >>>>> + init_status |= INIT_arch; >>>>> + >>>>> + if ( !is_idle_domain(d) ) >>>>> + { >>>>> watchdog_domain_init(d); >>>>> init_status |= INIT_watchdog; >>>>> >>>>> @@ -352,16 +369,6 @@ struct domain *domain_create(domid_t domid, >>>> Between these two hunks is: >>>> >>>> d->iomem_caps = rangeset_new(d, "I/O Memory", >> RANGESETF_prettyprint_hex); >>>> d->irq_caps = rangeset_new(d, "Interrupts", 0); >>>> >>>> which is important, because it turns out that x86's >>>> arch_domain_destroy() depends on d->irq_caps already being initialised. >>> Moving this up looks reasonable to me. "Simple" initialization can >>> certainly be done early (i.e. before arch_domain_create()), don't >>> you think? >> No - that defeats the purpose of making the destroy path idempotent. >> For us to remove the max_vcpus hypercall, _domain_destroy() must be >> capable of correctly cleaning up a domain from any state of >> initialisation, including if the relevant init calls haven't been made yet. > I agree up to here. > >> These rangeset_new() calls cannot move earlier than the first action >> which might fail (which is the XSM init call to get the security label >> correct). > But I must be overlooking something crucial here: If _domain_destroy() > was idempotent, how does it matter at what point the rangesets get > initialized? _domain_destroy() is idempotent (for the very small quantity of state it currently looks after). The problem is that arch_domain_destroy() is not idempotent, and needs needs to become so, and moving the rangeset_new() calls as you originally suggested is not a fix for arch_domain_destroy()'s idempotency bug. > >>>> The path which blows up is: >>>> >>>> arch_domain_destroy() >>>> free_domain_pirqs() >>>> unmap_domain_pirq() >>>> irq_deny_access() >>>> rangeset_remove_singleton((d)->irq_caps, i) >>> But what IRQ do we find to unmap here? There can't be any that have >>> been mapped, when ->irq_caps is still NULL. IOW I don't currently see >>> how domain_pirq_to_irq() would legitimately return a positive value at >>> this point in time, yet that's what guards the calls to unmap_domain_pirq(). >> It is pirq 2 which explodes, which is the first of the redundant pirq >> structures allocated for legacy routing. >> >> I'm not sure I understand this code well enough to comment on why >> domain_pirq_to_irq() returns a positive value at this point, but I'm >> going to go out on a limb and suggest it might be related to our >> unnecessary(?) preallocation. > I've meanwhile considered this as the reason, too. And iirc the > pre-allocation is because guests (including Dom0) bypass some of > the setup they would do for non-legacy IRQs. This may have been > just a XenoLinux (mis)behavior, but even then I'm not convinced > we could easily alter things. Bypass which setup? One way or another they have to bind the irq before it can be used, so I still don't see why any structure preallocation is needed. (Reservation of legacy irq numbers, perahps.) ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.