[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Fri, 15 Jan 2021 13:35:45 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jh/ie4wExGZVzIDDal44t3IzmhYqhBBuosAuVk4NoGk=; b=jEcyBtH3zMUpYk8OoBxYIgmguJ97embqZZRBNucFQ6NxfBaUrUy5nh0sbfNvdUUikpIcZYJTDVVnuxDE3mKkczVaIQWwT4dsGBL1UowGWXO+DHDfmmqJBYo5D6Q0Gzioq+KEYK2frVHu5qSF3wFL27goz1NVo3B43hvF8Tf3vdRs5neDrvBjO49neV2vaPf3psXiffa/D7bwx+FaTQwoTHaGPE9wuVfW5YdWxhnwH9LtyMc+LVJjSeXohKOp1oq5Am4dHk0+EhOCp+gg7iEiFZSTQXPic4MgZaGmHQtMsVjhqSyqJX4OPH6wMQNXxSAtBWH5rIP9b6UWFGkzhdNjQw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZhcMO32IYTgGAPnOgP0lihAkuAVt5W5c0I/+4NpwcUdMIgqoSsSJktaMu7zskEQw8CUTMqUNgN01VfxCCs08O4zWNfX/+mCACPjcwhAg8u4QGI/aMVYMXp1sQztiVS8BebiSYq6vPlK0EUBLjMOTTv+L/doswl3sKGOyVDac3u2nH9ioWXeXn90aMUXOcnQr5RHspT6RtRphU1JokwkWAuzTpRp+zjoQALlpzIp87g99Zcm7AX8VSd7AZiopLfB70QheYXiOl/YoXzGsPnlMKTD8bt3qXihzv+JU56/8XJ6t1pJD66I8beWua/4J8orVqpkS1pucHvJNfF0BNskHjA==
- Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Fri, 15 Jan 2021 13:36:22 +0000
- Ironport-sdr: 6ekvtz4Lpci2mjB2qvHEiUfs6eXU+DqYNO7LzuCfz5aE2dg52SIJCHtGR6o8aAi11+FqpShxbT XGfpMb4C7fKG6E0U+BjNF65JR69QL0HqWQ8xA00v5IWSLwk8rtZnSi70sF4ruek+mxnI+l3MRj QVgaCJRqArniSdrBH52Ahft7iO8y69L+/arpNtcc+yHgCLUUipa31zFar7ScBF8fvRDzfOeAmj K9q702tdFAYBlu2THXHq8bqbabhIgdcGjZNmGnTB3qbal6GdjKKSOQHzz1IZCaRrMHWZzxSXgM umc=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 15/01/2021 13:26, Jan Beulich wrote:
> On 15.01.2021 14:09, Andrew Cooper wrote:
>> On 14/01/2021 15:23, Jan Beulich wrote:
>>> @@ -1052,19 +1063,19 @@ map_grant_ref(
>>> shah = shared_entry_header(rgt, ref);
>>> act = active_entry_acquire(rgt, ref);
>>>
>>> - /* Make sure we do not access memory speculatively */
>>> - status = evaluate_nospec(rgt->gt_version == 1) ? &shah->flags
>>> - : &status_entry(rgt, ref);
>>> -
>>> /* If already pinned, check the active domid and avoid refcnt
>>> overflow. */
>>> if ( act->pin &&
>>> ((act->domid != ld->domain_id) ||
>>> - (act->pin & 0x80808080U) != 0 ||
>>> + (act->pin & (pin_incr << (GNTPIN_cntr_width - 1))) ||
>> This, I'm afraid, is not an improvement. What we want is:
>>
>> #define GNTPIN_overflow_mask 0x80808080U
>>
>> The reason for checking all at once is defence in depth (not strictly
>> necessary, but also not a problem),
> How is this not a problem? There is absolutely no reason to
> reject a request just because some unrelated field may be
> about to overflow. In fact I now think that I didn't even
> leverage the full potential - the "act->pin != old_pin" check
> could also be relaxed this way, I think. Just that it sits on
> a path we probably don't really care about very much.
Hmm - I see your point. I'd missed the fact that a previous operation
could leave this timebomb waiting for us. (Probably wants a note to
this effect in the commit message).
However we go about fixing it, "pin_incr << (GNTPIN_cntr_width - 1)" is
too obscure IMO. Perhaps all we need is a
#define GNTPIN_overflow_mask(x) ((x) << (GNTPIN_cntr_width - 1))
but it does occur to me that this logic only works to being with when
pin_incr is strictly 1 in the relevant bytes.
~Andrew
|