[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] gnttab: adjust pin count overflow checks

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 15 Jan 2021 15:21:58 +0100
Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 15 Jan 2021 14:22:19 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 15.01.2021 14:35, Andrew Cooper wrote:
> On 15/01/2021 13:26, Jan Beulich wrote:
>> On 15.01.2021 14:09, Andrew Cooper wrote:
>>> On 14/01/2021 15:23, Jan Beulich wrote:
>>>> @@ -1052,19 +1063,19 @@ map_grant_ref(
>>>>      shah = shared_entry_header(rgt, ref);
>>>>      act = active_entry_acquire(rgt, ref);
>>>>  
>>>> -    /* Make sure we do not access memory speculatively */
>>>> -    status = evaluate_nospec(rgt->gt_version == 1) ? &shah->flags
>>>> -                                                 : &status_entry(rgt, 
>>>> ref);
>>>> -
>>>>      /* If already pinned, check the active domid and avoid refcnt 
>>>> overflow. */
>>>>      if ( act->pin &&
>>>>           ((act->domid != ld->domain_id) ||
>>>> -          (act->pin & 0x80808080U) != 0 ||
>>>> +          (act->pin & (pin_incr << (GNTPIN_cntr_width - 1))) ||
>>> This, I'm afraid, is not an improvement.  What we want is:
>>>
>>> #define GNTPIN_overflow_mask 0x80808080U
>>>
>>> The reason for checking all at once is defence in depth (not strictly
>>> necessary, but also not a problem),
>> How is this not a problem? There is absolutely no reason to
>> reject a request just because some unrelated field may be
>> about to overflow. In fact I now think that I didn't even
>> leverage the full potential - the "act->pin != old_pin" check
>> could also be relaxed this way, I think. Just that it sits on
>> a path we probably don't really care about very much.
> 
> Hmm - I see your point.  I'd missed the fact that a previous operation
> could leave this timebomb waiting for us.  (Probably wants a note to
> this effect in the commit message).

I've added half a sentence.

> However we go about fixing it, "pin_incr << (GNTPIN_cntr_width - 1)" is
> too obscure IMO.  Perhaps all we need is a
> 
> #define GNTPIN_overflow_mask(x) ((x) << (GNTPIN_cntr_width - 1))
> 
> but it does occur to me that this logic only works to being with when
> pin_incr is strictly 1 in the relevant bytes.

Perhaps

#define GNTPIN_overflow_mask(x) ({ \
    ASSERT(!((x) & ~(GNTPIN_hstw_inc | GNTPIN_hstr_inc | \
                     GNTPIN_devw_inc | GNTPIN_devr_inc))); \
    (x) << (GNTPIN_cntr_width - 1); \
})

? And maybe name the whole thing e.g. GNTPIN_incr2oflow_mask()
to clarify the input is an increment (which I personally take
to mean consisting of only values of 1, but I realize views
may vary)?

Jan

Follow-Ups:
- Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
  - From: Andrew Cooper

References:
- [PATCH 0/3] gnttab: pin count related adjustments & more
  - From: Jan Beulich
- [PATCH 1/3] gnttab: adjust pin count overflow checks
  - From: Jan Beulich
- Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
  - From: Andrew Cooper
- Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
  - From: Jan Beulich
- Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
  - From: Andrew Cooper

Prev by Date: Re: [PATCH v2 0/7] Rid W=1 warnings in Ethernet
Next by Date: Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
Previous by thread: Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
Next by thread: Re: [PATCH 1/3] gnttab: adjust pin count overflow checks
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.